Rootkit variant confirmed by Boopme

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Rootkit variant confirmed by Boopme, referred here for support from HJT team members

Options

thcbytes View Member Profile	Oct 22 2009, 01:35 PM Post #16
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Hello, The rootkit you had is a new nasty variant that patches a critical system file then disables programs from running. It is not in and of itself an info stealer. In a nutshell...we identified the patched system file, removed it and replaced it with a clean copy. Disabled the rootkit and removed it then cleaned up any associated garbage. Now we need to tighten up security and restore permissions to the programs that were disabled. ========== Lets continue. Is this file familiar to you? CODE C:\Users\Mr j bloggs\Desktop\screwyou.zip ========== Please note.................... P2P Warning Your log indicates that you have Vuze installed. • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. - They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. - Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. - The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology. Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again. I would recommend that you uninstall Vuze, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs. If you wish to keep it, please do not use it until your computer is cleaned. ========== Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop. Look for "Java Runtime Environment (JRE)" JRE 6 Update 16. Click the Download button to the right. Select your Platform: "Windows". Select your Language: "Multi-language". Read the License Agreement, and then check the box that says: "Accept License Agreement". Click Continue and the page will refresh. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version. -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator. -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it. -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually. Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer. ========== We need to reset the permissions altered by the malware on some files. * Download this tool and save it to your Desktop: <-- Important Inherit.exe Select Select All Programs Select Accessories Right click Command Prompt and choose Run as administrator If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password. Copy the entire green text below to the clipboard one line at a time by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy). "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" "%userprofile%\desktop\inherit" "c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" "%userprofile%\desktop\inherit" "c:\Program Files\Windows Live Safety Center\wlschost.exe" In the Command Prompt window, paste the copied text by right-clicking and selecting Paste and then press the enter button and let the program run. Repeat this process line by line until you have run all the above commands one by one!! Exit the Command Prompt window. ========== Please rerun MBAM. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes. Make sure you are connected to the Internet. Update Malwarebytes' Anti-Malware <--- Important!! Launch Malwarebytes' Anti-Malware Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the definition updates, manually download them from here* and just double-click on mbam-rules.exe to install.* On the Scanner tab: Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen: Click on the Show Results button to see a list of any malware that was found. Make sure that *everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs* tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system. Exit MBAM when done. Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. ========== I'd like us to scan your machine with ESET OnlineScan Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check Click the button. Accept any security warnings from your browser. Check Push the Start button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Push the button. Push ========== With your next post please provide: * Familiar file? * MBAM log * ESET log * How is your computer running now? Kind regards, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

SDC0603 View Member Profile	Oct 23 2009, 08:26 AM Post #17
Member Group: Members Posts: 21 Joined: 16-October 09 Member No.: 390,899	Hi, OK, so followed the steps you requested. screwyou.zip was me renaming the avenger file after 10 times of not being able to unzip and install! No issues here then I uninstalled the old java, and installed the newer version OK. Although from reading up on infections from flash objects in websites i'm not so sure about keeping flash now. What is your opinion? I finally installed inherit after disabling mcafee as it kept placing it into quarantine. I used the code as you prescribed and was able to delete the leftovers of onecare, SAS & SpybotSD. I also modified the code to remove SAS from an alternative install directory. I couldn't find mbam apart from in programdata. I reinstalled Mbam and it ran for the 1st time ever and detected two minor items as per below log. >>>>>>>>>>>>>>>>>>> Malwarebytes' Anti-Malware 1.41 Database version: 3013 Windows 6.0.6002 Service Pack 2 22/10/2009 22:27:10 mbam-log-2009-10-22 (22-27-10).txt Scan type: Quick Scan Objects scanned: 89756 Time elapsed: 3 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) >>>>>>>>>>>>>>>>>>>>>>>>>>>> I have also since run a full scan with mbam and nothing found. I also ran the ESET scan and found some items which I knew were there and related to old copies of bearshare install, so quarantined these. Below is the log file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe multiple threats deleted - quarantined C:\Users\Mr j bloggs\Downloads\FLIPDISK\download\BSINSTALL410.exe multiple threats deleted - quarantined C:\Users\Mr j bloggs\Downloads\FLIPDISK\download\BSINSTALL460.exe Win32/Adware.SaveNow application deleted - quarantined C:\Users\Mr j bloggs\Downloads\FLIPDISK\download\BSINSTALL521.exe Win32/Adware.WhenU.SaveNow application deleted - quarantined >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I also ran dr web and found an infection on my backup drive on the ituneshelper.exe file = trojan.starter.1095. Is this a false positive? Bizarrely no other scanner has picked this up. Just waiting for the scan to finish to see if it picks anything else up.....Should I clean it??

thcbytes View Member Profile	Oct 23 2009, 08:32 PM Post #18
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Happy Friday, QUOTE screwyou.zip was me renaming the avenger file ========== QUOTE Malwarebytes' Anti-Malware 1.41 Database version: 3013 Current version is 3021 You need to choose the Update tab then re-run MBAM and post a new log. Make sure all drives are connected. Be sure to run a Full Scan. ========== QUOTE I also ran the ESET scan and found some items Ok. Please re-run ESET and make sure its clear. ========== QUOTE I also ran dr web and found an infection on my backup drive on the ituneshelper.exe file = trojan.starter.1095. Is this a false positive? Bizarrely no other scanner has picked this up. Just waiting for the scan to finish to see if it picks anything else up.....Should I clean it?? Please post a log for my review or give me the exact file path to the detection. ========== Thanks, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

SDC0603 View Member Profile	Oct 24 2009, 07:11 AM Post #19
Member Group: Members Posts: 21 Joined: 16-October 09 Member No.: 390,899	Hi T, When I ran mbam quick scan it was the very latest defs, i just didn't post the log to the forum until a day later. I also ran mbam the next day (with updated defs) as a full scan with my backup drive connected and nothing was detected. I will upload the log on my next post. The eset scan should have been for all drives as well but the log doesn't show this. I am running a special scan on the backup drive only to see what shows up. Dr web found the trojan.starter.1095 in the backup drive itunes folder, where the ituneshelper.exe normally is. I will try to find the log file and upload when I next post. Thanks for your help, will be in touch. Enjoy your weekend........

thcbytes View Member Profile	Oct 24 2009, 07:43 PM Post #20
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Hi there, QUOTE Dr web found the trojan.starter.1095 in the backup drive itunes folder, where the ituneshelper.exe normally is. I will try to find the log file and upload when I next post. If you chose not to remove it then lets upload it for further evaluation. Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows Please click this link-->Jotti When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time. <filepath>suspect.files to the detection you describe. Please post back the results of the scan in your next post. If Jotti is busy, try the same at Virustotal ========== One more log please.. We need to create an OTL Quick Scan Double click on the icon on your desktop. Click the "Scan All Users" checkbox. Push the button. A report will open, copy and paste it in a reply here ========== With your next post please provide: * Upload result * OTL log Kind regards, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

SDC0603 View Member Profile	Oct 25 2009, 07:07 AM Post #21
Member Group: Members Posts: 21 Joined: 16-October 09 Member No.: 390,899	Morning, me again ESET & MBAM are all clear, nothing to report. Jotti doesn't find anything with the suspect file I submitted. Bizarrely DrWeb now doesn't think it is a problem via jotti either.... New OTL log below: >>>>>>>>>>>>>> OTL logfile created on: 25/10/2009 11:49:56 - Run 2 OTL by OldTimer - Version 3.0.21.0 Folder = C:\Users\Mr j bloggs\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 7.0.6002.18005) Locale: 00000809 \| Country: United Kingdom \| Language: ENG \| Date Format: dd/MM/yyyy 2.00 Gb Total Physical Memory \| 1.30 Gb Available Physical Memory \| 64.96% Memory free 4.00 Gb Paging File \| 4.00 Gb Available in Paging File \| 100.00% Paging File free Paging file location(s): c:\pagefile.sys 3067 3067 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\Windows \| %ProgramFiles% = C:\Program Files Drive C: \| 298.09 Gb Total Space \| 17.04 Gb Free Space \| 5.72% Space Free \| Partition Type: NTFS Drive D: \| 6.04 Gb Total Space \| 0.00 Gb Free Space \| 0.00% Space Free \| Partition Type: UDF Drive E: \| 232.83 Gb Total Space \| 25.02 Gb Free Space \| 10.75% Space Free \| Partition Type: FAT32 Drive F: \| 967.22 Mb Total Space \| 967.20 Mb Free Space \| 100.00% Space Free \| Partition Type: FAT G: Drive not present or media not loaded Drive H: \| 117.24 Mb Total Space \| 13.93 Mb Free Space \| 11.88% Space Free \| Partition Type: FAT I: Drive not present or media not loaded Computer Name: HOMEPC Current User Name: Mr j bloggs Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2009/10/22 20:54:04 \| 00,149,280 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe PRC - [2009/10/22 10:30:13 \| 00,521,216 \| ---- \| M] (OldTimer Tools) -- C:\Users\Mr j bloggs\Desktop\OTL.exe PRC - [2009/09/17 13:29:04 \| 00,645,328 \| ---- \| M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe PRC - [2009/09/16 09:22:08 \| 00,144,704 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe PRC - [2009/09/15 09:23:54 \| 00,894,136 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe PRC - [2009/08/19 15:37:40 \| 00,092,008 \| ---- \| M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe PRC - [2009/08/10 14:57:49 \| 00,107,832 \| ---- \| M] () -- C:\Windows\System32\PnkBstrB.exe PRC - [2009/07/18 03:12:12 \| 00,257,440 \| R--- \| M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10c.exe PRC - [2009/07/14 12:29:06 \| 00,215,584 \| ---- \| M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe PRC - [2009/07/14 11:28:00 \| 00,239,648 \| ---- \| M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe PRC - [2009/07/09 23:26:20 \| 00,865,832 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe PRC - [2009/07/08 10:54:34 \| 00,359,952 \| ---- \| M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe PRC - [2009/07/07 18:10:02 \| 02,482,848 \| ---- \| M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe PRC - [2009/04/27 10:39:50 \| 00,121,376 \| ---- \| M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe PRC - [2009/04/15 08:42:54 \| 00,186,912 \| ---- \| M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe PRC - [2009/04/15 08:42:52 \| 00,133,664 \| ---- \| M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe PRC - [2009/04/11 06:28:15 \| 00,247,296 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe PRC - [2009/04/11 06:28:08 \| 00,037,888 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe PRC - [2009/04/11 06:27:44 \| 00,636,080 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe PRC - [2009/04/11 06:27:39 \| 00,299,520 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\ieuser.exe PRC - [2009/04/11 06:27:36 \| 02,926,592 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE PRC - [2009/01/23 09:46:14 \| 00,203,280 \| ---- \| M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe PRC - [2008/04/04 13:59:17 \| 00,066,872 \| ---- \| M] () -- C:\Windows\System32\PnkBstrA.exe PRC - [2008/01/19 07:33:09 \| 00,125,952 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe PRC - [2008/01/19 07:33:09 \| 00,037,376 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe PRC - [2007/02/05 14:52:12 \| 00,849,280 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe ========== Win32 Services (SafeList) ========== SRV - [2009/09/16 10:23:32 \| 00,365,072 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand \| Stopped]) SRV - [2009/09/16 09:22:08 \| 00,144,704 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown \| Running]) SRV - [2009/09/16 08:28:38 \| 00,606,736 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [Disabled \| Stopped]) SRV - [2009/09/15 09:23:54 \| 00,894,136 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto \| Running]) SRV - [2009/08/19 15:37:40 \| 00,092,008 \| ---- \| M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService [Auto \| Running]) SRV - [2009/08/10 14:57:49 \| 00,107,832 \| ---- \| M] () -- C:\Windows\System32\PnkBstrB.exe -- (PnkBstrB [Auto \| Running]) SRV - [2009/07/14 12:29:06 \| 00,215,584 \| ---- \| M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto \| Running]) SRV - [2009/07/14 11:28:00 \| 00,239,648 \| ---- \| M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service [Auto \| Running]) SRV - [2009/07/09 23:26:20 \| 00,865,832 \| ---- \| M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto \| Running]) SRV - [2009/07/08 10:54:34 \| 00,359,952 \| ---- \| M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto \| Running]) SRV - [2009/07/07 18:10:02 \| 02,482,848 \| ---- \| M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto \| Running]) SRV - [2009/04/27 10:39:50 \| 00,121,376 \| ---- \| M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe -- (UpdateCenterService [Auto \| Running]) SRV - [2009/04/15 08:42:54 \| 00,186,912 \| ---- \| M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService [Auto \| Running]) SRV - [2009/04/11 06:28:25 \| 01,017,856 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto \| Running]) SRV - [2009/03/30 04:42:14 \| 00,066,368 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand \| Stopped]) SRV - [2009/02/18 18:39:20 \| 00,043,904 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand \| Stopped]) SRV - [2009/02/18 18:38:43 \| 00,129,880 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled \| Stopped]) SRV - [2009/02/18 18:38:42 \| 00,879,448 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown \| Stopped]) SRV - [2009/01/23 09:46:14 \| 00,203,280 \| ---- \| M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto \| Running]) SRV - [2008/04/04 13:59:17 \| 00,066,872 \| ---- \| M] () -- C:\Windows\System32\PnkBstrA.exe -- (PnkBstrA [Auto \| Running]) SRV - [2008/02/04 14:18:32 \| 00,504,104 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand \| Stopped]) SRV - [2008/01/19 07:38:24 \| 00,272,952 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto \| Stopped]) SRV - [2008/01/19 07:33:39 \| 00,896,512 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Disabled \| Stopped]) SRV - [2008/01/19 07:33:09 \| 00,292,352 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [Disabled \| Stopped]) SRV - [2008/01/15 02:40:04 \| 00,110,592 \| ---- \| M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled \| Stopped]) SRV - [2007/07/24 15:17:08 \| 00,229,376 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled \| Stopped]) SRV - [2007/01/19 11:54:14 \| 00,097,136 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand \| Stopped]) SRV - [2007/01/04 13:13:56 \| 00,240,408 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc [On_Demand \| Stopped]) SRV - [2006/11/02 12:35:29 \| 00,131,072 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [Disabled \| Stopped]) SRV - [2006/11/02 12:35:29 \| 00,013,312 \| ---- \| M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Disabled \| Stopped]) SRV - [2006/10/09 21:11:08 \| 00,724,992 \| ---- \| M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand \| Stopped]) SRV - [2005/04/03 23:41:10 \| 00,069,632 \| ---- \| M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand \| Stopped]) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = .local IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = .local IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\S-1-5-21-2380594860-1575461441-4214207244-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\S-1-5-21-2380594860-1575461441-4214207244-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = .local FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/01/30 13:46:24 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/08/30 11:17:25 \| 00,000,000 \| ---D \| M] O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat Pro 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found. O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat Pro 6.0\Acrobat\AcroIEFavClient.dll () O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll () O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll () O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat Pro 6.0\Acrobat\AcroIEFavClient.dll () O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat Pro 6.0\Acrobat\AcroIEFavClient.dll () O3 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation) O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\napinsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\..Trusted Domains: inetpsa.com ([portail] https in Trusted sites) O15 - HKU\S-1-5-21-2380594860-1575461441-4214207244-1000\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation) O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll () O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation) O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 21:43:36 \| 00,000,024 \| ---- \| M] () - C:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2007/07/20 14:41:52 \| 00,000,049 \| R--- \| M] () - D:\autorun.inf -- [ UDF ] O32 - AutoRun File - [2009/10/20 11:14:42 \| 00,000,000 \| ---D \| M] - F:\autorun.inf -- [ FAT ] O32 - AutoRun File - [2009/02/02 15:14:58 \| 20,954,704 \| ---- \| M] () - H:\autobackupinternational.exe -- [ FAT ] O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - File not found O35 - comfile [open] -- "%1" %* File not found O35 - exefile [open] -- "%1" %* File not found ========== Files/Folders - Created Within 14 Days ========== [2009/10/22 21:20:34 \| 00,000,000 \| ---D \| C] -- C:\ProgramData\Malwarebytes [2009/10/20 11:05:13 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Roaming\.clamwin [2009/10/16 15:05:44 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Roaming\Malwarebytes [2009/10/22 20:47:09 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Roaming\Sun [2009/10/16 16:39:49 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Roaming\SUPERAntiSpyware.com [2009/10/15 14:34:12 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Roaming\Uniblue [2009/10/20 10:27:17 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Local\Adobe [2009/10/24 11:31:40 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Local\Apple [2009/10/22 10:19:13 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Local\temp [2009/10/15 18:45:39 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\AppData\Local\Threat Expert [2009/10/22 21:29:59 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ESET [2009/10/22 20:53:58 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Java [2009/10/22 21:20:34 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Malwarebytes' Anti-Malware [2009/10/19 15:44:00 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Windows Installer Clean Up [2009/10/22 21:20:35 \| 00,038,224 \| ---- \| C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2009/10/22 21:20:34 \| 00,019,160 \| ---- \| C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2009/10/22 20:45:47 \| 04,045,528 \| ---- \| C] (Malwarebytes Corporation ) -- C:\Users\Mr j bloggs\Desktop\mbam-setup-post-clean.exe [2009/10/22 10:30:10 \| 00,521,216 \| ---- \| C] (OldTimer Tools) -- C:\Users\Mr j bloggs\Desktop\OTL.exe [2009/10/22 10:08:52 \| 00,000,000 \| ---D \| C] -- C:\thcbytes [2009/10/21 21:48:21 \| 00,212,480 \| ---- \| C] (SteelWerX) -- C:\Windows\SWXCACLS.exe [2009/10/21 21:48:21 \| 00,161,792 \| ---- \| C] (SteelWerX) -- C:\Windows\SWREG.exe [2009/10/21 21:48:21 \| 00,136,704 \| ---- \| C] (SteelWerX) -- C:\Windows\SWSC.exe [2009/10/21 21:48:21 \| 00,031,232 \| ---- \| C] (NirSoft) -- C:\Windows\NIRCMD.exe [2009/10/21 21:48:14 \| 00,000,000 \| ---D \| C] -- C:\Windows\ERDNT [2009/10/21 20:58:44 \| 00,000,000 \| ---D \| C] -- C:\Qoobox [2009/10/21 20:54:28 \| 00,000,000 \| ---D \| C] -- C:\Avenger [2009/10/21 20:28:25 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\Desktop\tools [2009/10/19 15:42:22 \| 00,000,000 \| ---D \| C] -- C:\WINSSLog [2009/10/19 09:21:11 \| 04,045,528 \| ---- \| C] (Malwarebytes Corporation ) -- C:\Users\Mr j bloggs\Desktop\zttoy.exe [2009/10/16 15:33:37 \| 00,000,000 \| ---D \| C] -- C:\Users\Mr j bloggs\Desktop\spyware tools [2009/10/16 11:04:42 \| 00,000,000 \| ---D \| C] -- C:\Windows\Downloaded Installations [2009/10/15 18:21:58 \| 34,102,304 \| ---- \| C] (PC Tools ) -- C:\Users\Mr j bloggs\Desktop\sdasetup_aff.exe [2009/10/15 14:23:16 \| 00,000,000 \| ---D \| C] -- C:\Windows\pss [2008/01/25 11:47:00 \| 00,217,088 \| ---- \| C] ( ) -- C:\Users\Mr j bloggs\AppData\Local\Interop.Microsoft.Office.Core.dll [2007/08/09 15:50:38 \| 00,016,384 \| ---- \| C] (Microsoft Corporation) -- C:\Users\Mr j bloggs\AppData\Local\stdole.dll ========== Files - Modified Within 14 Days ========== [2009/10/25 11:48:03 \| 00,033,354 \| ---- \| M] () -- C:\ProgramData\nvModes.dat [2009/10/25 11:48:02 \| 00,033,354 \| ---- \| M] () -- C:\ProgramData\nvModes.001 [2009/10/25 11:47:37 \| 00,003,792 \| -H-- \| M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2009/10/25 11:47:37 \| 00,003,792 \| -H-- \| M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2009/10/25 11:47:36 \| 00,000,006 \| -H-- \| M] () -- C:\Windows\tasks\SA.DAT [2009/10/25 11:47:33 \| 00,067,584 \| --S- \| M] () -- C:\Windows\bootstat.dat [2009/10/24 12:38:34 \| 00,014,011 \| ---- \| M] () -- C:\Windows\System32\Config.MPF [2009/10/24 12:38:24 \| 03,546,631 \| -H-- \| M] () -- C:\Users\Mr j bloggs\AppData\Local\IconCache.db [2009/10/24 11:40:01 \| 00,000,256 \| ---- \| M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job [2009/10/23 08:08:44 \| 00,716,194 \| ---- \| M] () -- C:\Windows\System32\PerfStringBackup.INI [2009/10/23 08:08:44 \| 00,622,516 \| ---- \| M] () -- C:\Windows\System32\perfh009.dat [2009/10/23 08:08:44 \| 00,107,948 \| ---- \| M] () -- C:\Windows\System32\perfc009.dat [2009/10/22 21:20:37 \| 00,000,818 \| ---- \| M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2009/10/22 20:45:28 \| 00,085,504 \| ---- \| M] () -- C:\Users\Mr j bloggs\Desktop\INHERIT.EXE [2009/10/22 20:04:38 \| 04,045,528 \| ---- \| M] (Malwarebytes Corporation ) -- C:\Users\Mr j bloggs\Desktop\mbam-setup-post-clean.exe [2009/10/22 13:22:10 \| 00,095,616 \| ---- \| M] (Sysinternals - www.sysinternals.com) -- C:\Windows\junction.exe [2009/10/22 13:21:02 \| 00,046,375 \| ---- \| M] () -- C:\Users\Mr j bloggs\Desktop\junction.zip [2009/10/22 10:30:13 \| 00,521,216 \| ---- \| M] (OldTimer Tools) -- C:\Users\Mr j bloggs\Desktop\OTL.exe [2009/10/22 10:17:47 \| 00,000,215 \| ---- \| M] () -- C:\Windows\system.ini [2009/10/21 21:59:18 \| 00,000,027 \| ---- \| M] () -- C:\Windows\System32\drivers\etc\hosts [2009/10/21 20:43:48 \| 00,724,954 \| ---- \| M] () -- C:\Users\Mr j bloggs\Desktop\screwyou.zip [2009/10/21 14:31:00 \| 03,351,153 \| R--- \| M] () -- C:\Users\Mr j bloggs\Desktop\thcbytes.exe [2009/10/21 14:29:06 \| 00,047,104 \| ---- \| M] () -- C:\Users\Mr j bloggs\Desktop\Win32kDiag.exe [2009/10/20 19:25:18 \| 00,002,509 \| ---- \| M] () -- C:\Users\Mr j bloggs\Desktop\Memeo AutoBackup.lnk [2009/10/20 10:37:12 \| 00,125,440 \| ---- \| M] () -- C:\Users\Mr j bloggs\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/10/19 09:21:25 \| 04,045,528 \| ---- \| M] (Malwarebytes Corporation ) -- C:\Users\Mr j bloggs\Desktop\zttoy.exe [2009/10/16 15:03:12 \| 00,201,030 \| ---- \| M] () -- C:\Users\Mr j bloggs\Desktop\lspfix.zip [2009/10/15 18:23:12 \| 34,102,304 \| ---- \| M] (PC Tools ) -- C:\Users\Mr j bloggs\Desktop\sdasetup_aff.exe ========== Files - No Company Name ========== [2009/10/22 21:20:37 \| 00,000,818 \| ---- \| C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2009/10/22 20:45:48 \| 00,085,504 \| ---- \| C] () -- C:\Users\Mr j bloggs\Desktop\INHERIT.EXE [2009/10/22 13:21:02 \| 00,046,375 \| ---- \| C] () -- C:\Users\Mr j bloggs\Desktop\junction.zip [2009/10/21 21:48:21 \| 00,236,544 \| ---- \| C] () -- C:\Windows\PEV.exe [2009/10/21 21:48:21 \| 00,098,816 \| ---- \| C] () -- C:\Windows\sed.exe [2009/10/21 21:48:21 \| 00,080,412 \| ---- \| C] () -- C:\Windows\grep.exe [2009/10/21 21:48:21 \| 00,068,096 \| ---- \| C] () -- C:\Windows\zip.exe [2009/10/21 20:57:07 \| 03,351,153 \| R--- \| C] () -- C:\Users\Mr j bloggs\Desktop\thcbytes.exe [2009/10/21 20:41:46 \| 00,724,954 \| ---- \| C] () -- C:\Users\Mr j bloggs\Desktop\screwyou.zip [2009/10/19 20:15:25 \| 00,047,104 \| ---- \| C] () -- C:\Users\Mr j bloggs\Desktop\Win32kDiag.exe [2009/10/19 17:01:50 \| 03,546,631 \| -H-- \| C] () -- C:\Users\Mr j bloggs\AppData\Local\IconCache.db [2009/10/16 15:03:10 \| 00,201,030 \| ---- \| C] () -- C:\Users\Mr j bloggs\Desktop\lspfix.zip [2009/08/07 18:51:34 \| 00,178,430 \| ---- \| C] () -- C:\Windows\System32\xlive.dll.cat [2009/07/26 18:34:40 \| 00,033,354 \| ---- \| C] () -- C:\ProgramData\nvModes.001 [2009/07/26 18:34:37 \| 00,033,354 \| ---- \| C] () -- C:\ProgramData\nvModes.dat [2009/06/19 13:43:39 \| 00,117,248 \| ---- \| C] () -- C:\Windows\System32\EhStorAuthn.dll [2009/05/25 21:27:54 \| 00,000,052 \| ---- \| C] () -- C:\Users\Mr j bloggs\AppData\Local\mm-device-08.ini [2009/03/05 05:54:58 \| 00,073,728 \| ---- \| C] () -- C:\Windows\System32\RtNicProp32.dll [2009/02/19 13:14:46 \| 00,015,872 \| ---- \| C] () -- C:\Windows\System32\drivers\bfturboh.sys [2008/11/07 14:57:08 \| 00,015,872 \| ---- \| C] () -- C:\Windows\System32\drivers\vburner.sys [2008/10/10 17:32:50 \| 00,006,416 \| ---- \| C] () -- C:\Windows\UN080325.INI [2008/10/10 17:32:38 \| 00,008,068 \| ---- \| C] () -- C:\Windows\UN020914.INI [2008/10/07 08:13:30 \| 00,197,912 \| ---- \| C] () -- C:\Windows\System32\physxcudart_20.dll [2008/10/07 08:13:22 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelSwedish.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelSpanish.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelPortugese.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelKorean.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelJapanese.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelGerman.dll [2008/10/07 08:13:20 \| 00,058,648 \| ---- \| C] () -- C:\Windows\System32\AgCPanelFrench.dll [2008/04/04 13:58:32 \| 00,022,328 \| ---- \| C] () -- C:\Windows\System32\drivers\PnkBstrK.sys [2008/02/28 14:30:08 \| 00,008,784 \| ---- \| C] () -- C:\Windows\System32\ractrlkeyhook.dll [2008/02/03 15:46:20 \| 00,000,319 \| ---- \| C] () -- C:\Windows\game.ini [2007/11/30 15:38:48 \| 00,022,328 \| ---- \| C] () -- C:\Users\Mr j bloggs\AppData\Roaming\PnkBstrK.sys [2007/04/11 13:26:40 \| 00,053,912 \| ---- \| C] () -- C:\Users\Mr j bloggs\AppData\Roaming\GDIPFONTCACHEV1.DAT [2007/03/18 21:31:00 \| 00,000,376 \| ---- \| C] () -- C:\Windows\ODBC.INI [2007/03/17 19:50:52 \| 00,125,440 \| ---- \| C] () -- C:\Users\Mr j bloggs\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2007/03/15 15:24:01 \| 00,053,912 \| ---- \| C] () -- C:\Users\Mr j bloggs\AppData\Local\GDIPFONTCACHEV1.DAT [2007/03/15 15:23:45 \| 00,001,356 \| ---- \| C] () -- C:\Users\Mr j bloggs\AppData\Local\d3d9caps.dat [2006/11/02 12:50:50 \| 00,000,174 \| -HS- \| C] () -- C:\Program Files\desktop.ini [2006/11/02 12:35:32 \| 00,005,632 \| ---- \| C] () -- C:\Windows\System32\sysprepMCE.dll [2006/11/02 10:23:31 \| 00,000,215 \| ---- \| C] () -- C:\Windows\system.ini [2006/11/02 10:23:31 \| 00,000,144 \| ---- \| C] () -- C:\Windows\win.ini [2006/11/02 07:40:29 \| 00,013,750 \| ---- \| C] () -- C:\Windows\System32\pacerprf.ini [2006/04/19 14:14:32 \| 00,015,498 \| ---- \| C] () -- C:\Windows\VX1000.ini [1999/01/27 12:39:06 \| 00,065,024 \| ---- \| C] () -- C:\Windows\System32\indounin.dll [1998/08/16 05:00:00 \| 00,004,096 \| ---- \| C] () -- C:\Windows\System32\sysres.dll [1997/06/13 06:56:08 \| 00,056,832 \| ---- \| C] () -- C:\Windows\System32\Iyvu9_32.dll ========== LOP Check ========== [2007/11/20 16:49:30 \| 00,000,000 \| ---D \| M] -- C:\Users\Default\AppData\Roaming [2006/11/02 12:37:34 \| 00,000,000 \| ---D \| M] -- C:\Users\Default\AppData\Roaming\Media Center Programs [2007/11/20 16:49:30 \| 00,000,000 \| ---D \| M] -- C:\Users\Default User\AppData\Roaming [2006/11/02 12:37:34 \| 00,000,000 \| ---D \| M] -- C:\Users\Default User\AppData\Roaming\Media Center Programs [2009/10/22 20:49:18 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming [2009/10/20 11:05:13 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\.clamwin [2009/01/21 14:20:54 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Ahead [2009/10/16 15:26:23 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Azureus [2009/10/01 16:16:21 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Bioshock [2009/08/10 17:00:50 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Command & Conquer 3 Tiberium Wars Demo [2009/01/24 12:34:25 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\GARMIN [2007/06/13 21:50:01 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Juniper Networks [2006/11/02 12:37:34 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Media Center Programs [2008/10/23 13:54:59 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Motive [2008/11/07 13:41:08 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\NCH Software [2008/11/07 13:46:23 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\NCH Swift Sound [2007/05/28 20:52:38 \| 00,000,000 \| RH-D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\SecuROM [2008/04/05 18:28:31 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\TomTom [2008/09/26 17:05:59 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Ubisoft [2009/10/15 14:34:12 \| 00,000,000 \| ---D \| M] -- C:\Users\Mr j bloggs\AppData\Roaming\Uniblue [2009/10/24 11:40:01 \| 00,000,256 \| ---- \| M] () -- C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job [2009/09/17 14:13:19 \| 00,000,350 \| ---- \| M] () -- C:\Windows\Tasks\McDefragTask.job [2009/04/03 13:30:40 \| 00,000,342 \| ---- \| M] () -- C:\Windows\Tasks\McQcTask.job [2009/10/25 11:47:36 \| 00,000,006 \| -H-- \| M] () -- C:\Windows\Tasks\SA.DAT [2009/10/24 12:38:35 \| 00,032,622 \| ---- \| M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 184 bytes -> C:\ProgramData\temp:DFC5A2B2 @Alternate Data Stream - 114 bytes -> C:\ProgramData\temp:A8ADE5D8 < End of report > >>>>>>>>>>>>>>>>>>>> Do I have a clean bill of health doctor???

thcbytes View Member Profile	Oct 25 2009, 09:35 AM Post #22
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Hello, QUOTE Do I have a clean bill of health doctor? The prognosis is good! Congratulations! You now appear clean! ******** Please pay particularly close attention to the instructions that follow. To neglect these steps risk needless reinfection!! ****** Are things running okay? Do you have any more questions? ****** Uninstall Combofix Press the Windows Key + R on your keyboard. Now copy & paste the green bolded text in the run-box and click OK. ComboFix /Uninstall <Notice the space between the "x" and "/".> The following will implement some very important cleanup procedures as well as reset System Restore points. ****** Run OTL again We will now remove the tools we used during this fix using OTL. Double click the OTL** icon to start the program. Then Click the big button. You will get a prompt saying "Being Cleanup Process". Please select Yes. Restart your computer when prompted. ******** Recommendations Below are some recommendations to lower your chances of (re)infection. Install an Anti-Spyware program, and update it regularly Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions. Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes. Keep Windows (and your other Microsoft software) up to date!** I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Windows Vista Click the "Start Menu" (or Windows Orb) Click "All Programs" Click "Windows Update" On the left, choose "Change Settings" Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked. Press OK and accept the UAC prompt. Note: You shouldn't need to check this checkbox every single time you update, only the first time. Click "Check for Updates" in the upper left corner. Follow the instructions to install the latest updates. Reboot and repeat the "Check for Updates" until there are no more critical updates to install Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date. Stay up to date! The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing . ******** System Slow? You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware. ****** Good luck & safe surfing, Regards, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators** I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

SDC0603 View Member Profile	Oct 25 2009, 12:55 PM Post #23
Member Group: Members Posts: 21 Joined: 16-October 09 Member No.: 390,899	First of all, thankyou soooo much for your help. It is really appreciated!!!! Some of your esteemed virtual colleagues suggest using a combination of spyware blaster and spyware guard, can you comment on this? Also, do I need to delete items from quarantine for MBAM, ESET, SAS, Spybot S&D or any other programmes i have used before? What happens to quarantine if/when I uninstall these programmes? I don't think I have any more questions, but I just need to check what I "should" have seen during the uninstall of combofix?? It started running with the small windowed box with green progress bar, then not long afterwards it said combofix uninstalled! I clicked OK, then a second or so later, a vista box popped up stating explorer has stopped working, then check for solutions online, etc, etc. Nothing else happened after explorer restarted. Was the quick uninstallation of combofix all that should have happened?? Your instructions seem to suggest not. i.e. should system restore have started?? Any ideas before I progress with running OTL cleanup? Thanks..........

thcbytes View Member Profile	Oct 25 2009, 03:36 PM Post #24
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Your welcome. QUOTE Combination of spyware blaster and spyware guard Personally I think it is a bit heavy on the resources. You greatest protection is safe surfing and safe internet practices along with an antivirus, antispyware, firewall and an updated computer. ========== QUOTE Also, do I need to delete items from quarantine for MBAM, ESET, SAS, Spybot S&D or any other programmes i have used before? What happens to quarantine if/when I uninstall these programmes? No need. If you uninstall they are purged. ========== QUOTE Was the quick uninstallation of combofix all that should have happened?? Your instructions seem to suggest not. i.e. should system restore have started?? Please make sure you ran it as Admin. Yes much happens behind the scenes. All you should see is a pop up that Combofix uninstalled successfully. Kind regards, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

SDC0603 View Member Profile	Oct 25 2009, 05:52 PM Post #25
Member Group: Members Posts: 21 Joined: 16-October 09 Member No.: 390,899	OK, not convinced everything ran properly....... I was logged in as admin, but couldn't right click on the "run" command to "run as admin"...... I have since used McAfee security centre's utility to clean my PC of windows rubbish, finding lots of temp files, and no less than 7 system restores, so deleted all of them.... Also ran ATF cleaner to do the same. My PC seems to be running OK now , but one final comment is that my hard drive is now going nuts! It is making lots of noise and the activity light is strobing heavily. Task manager and process explorer don't show large CPU activity of any process (apart from system idle!), so i'm slightly confused. Any ideas on what this could be? On a separate note (not specifically for this forum - but you seem very knowledgable!), can you comment on Windows readyboost? Is it any good?? I have a fast 1GB flash drive (corsair) which readyboost seems to like. Does this add any benefit, or just clog system resources. Surely it has to be quicker than hard drive paging???? Thanks again

thcbytes View Member Profile	Oct 25 2009, 08:56 PM Post #26
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Try it like this........ Select Select All Programs Select Accessories Right click Command Prompt and choose Run as administrator If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password. Press the Windows Key + R on your keyboard. Now copy & paste the green bolded text in the run-box and click OK. ComboFix /Uninstall <Notice the space between the "x" and "/".> The following will implement some very important cleanup procedures as well as reset System Restore points. Exit the Command Prompt window. ========== QUOTE My hard drive is now going nuts! It is making lots of noise and the activity light is strobing heavily It has been a challenging few days for that computer of yours. It should be alright. ========== QUOTE Can you comment on Windows readyboost I have limited knowledge outside of computer security. But my understanding is that it is a nice source of "ram" that is low on the resources outside of cracking open your computer and adding it. Kind regards, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

SDC0603 View Member Profile	Oct 26 2009, 10:44 AM Post #27
Member Group: Members Posts: 21 Joined: 16-October 09 Member No.: 390,899	Hi, Tried to uninstall combofix again, and got an error message when running the script, so I guess the original uninstall worked OK (as it no longer exists). One new thing to raise: I now have two desktop.ini files on my desktop, with modified dates in 2007/2008. Would these be left over from the malware uninstalls? Can I just delete them? Further to the spyware programmes discussion, can you advise which ones would be good that offer free realtime protection against spyware? MBAM is a great manual scanning programme, and SAS's full features (inc real time protection) are not enabed on the free version. I was hoping for something which would detect and block as soon as something tries to install/run. Once the above is covered, I will leave you to it Thankyou once again for your help

thcbytes View Member Profile	Oct 26 2009, 02:59 PM Post #28
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	QUOTE I guess the original uninstall worked OK ========== QUOTE I now have two desktop.ini files on my desktop Harmless. Delete them if you like. Read this first. http://www.ofzenandcomputing.com/zanswers/797 ========== QUOTE I was hoping for something which would detect and block as soon as something tries to install/run. Spywareblaster - prevents spyware from being installed on your PC. - Tutorial: http://www.bleepingcomputer.com/tutorials/tutorial49.html Spywareguard - provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. - Tutorial: http://www.bleepingcomputer.com/tutorials/tutorial50.html Again as I said earlier...bit heavy on the resources. Kind regards, ~t -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

thcbytes View Member Profile	Oct 29 2009, 06:55 AM Post #29
Bleepin' Malware Removal Teacher Group: Malware Response Instructor Posts: 7,338 Joined: 9-December 08 Member No.: 267,653	Since this topic appears to be resolved, I will now close it. If you need this topic re-opened please send me a PM. Everyone else, please start a new topic. -------------------- Proud member - Unified Network of Instructors and Trained Eliminators I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost! http://organdonor.gov/donor/index.htm

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides