
Slow Internet Browsing + Random Pop Ups (menu Boxes, Internet Sites)

10 replies to this topic

#1 P'cisT

P'cisT

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 06 October 2007 - 08:49 PM

If someone could help, I would be all so appreciative.

My computer seems to be infected. Internet browsing is very sluggish, I get random menu box pop ups (eg. "A friend you recently added on MySpace has a crush on you...") as well as internet site pop ups.

I have run VundoFix and it finds a few files and prompts me to reboot so it can delete them, but they always reappear next time under a different filename.

A copy of my logfile is attached but please let me know if further information is needed.

Kevin




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:56 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin Tran\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\tppqvvna.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinClicker.exe] "C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120654358156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.portplus.com/apps/popupx2/frames/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - C:\WINDOWS\system32\ioctrl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9473 bytes


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:22 PM

Posted 14 October 2007 - 03:59 PM

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3 P'cisT

P'cisT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 14 October 2007 - 09:42 PM

My ComboFix log is as follows. I should also note that many times during the program run, an error message, "Freeware implementation of REG.EXE has encountered a problem and needs to close", would pop up.


ComboFix 07-10-12.4 - Kevin 2007-10-15 12:07:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.110 [GMT 10:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hammer.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dcusgkjr.dll
C:\WINDOWS\system32\djwufuod.ini
C:\WINDOWS\system32\doufuwjd.dll
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\famlbqwy.ini
C:\WINDOWS\system32\fwnvkfyr.dll
C:\WINDOWS\system32\gvermtcs.ini
C:\WINDOWS\system32\inlgwqws.ini
C:\WINDOWS\system32\ioyxawts.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\mwdhrmjq.dll
C:\WINDOWS\system32\nfjfrmcu.ini
C:\WINDOWS\system32\njjvnyaa.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\PMKJK.DLL
C:\WINDOWS\system32\qjmrhdwm.ini
C:\WINDOWS\system32\rpnkrevf.dll
C:\WINDOWS\system32\rpnrjlur.dll
C:\WINDOWS\system32\ryfkvnwf.ini
C:\WINDOWS\system32\sctmrevg.dll
C:\WINDOWS\system32\stwaxyoi.ini
C:\WINDOWS\system32\swqwglni.dll
C:\WINDOWS\system32\ucmrfjfn.dll
C:\WINDOWS\system32\udxeghwv.dll
C:\WINDOWS\system32\uemhcclx.ini
C:\WINDOWS\system32\utqybfwy.dll
C:\WINDOWS\system32\vejdvyqp.dll
C:\WINDOWS\system32\vvdgyfjy.dll
C:\WINDOWS\system32\wtkuvsob.dll
C:\WINDOWS\system32\xlcchmeu.dll
C:\WINDOWS\system32\ydawhmcm.dll
C:\WINDOWS\system32\yjfygdvv.ini
C:\WINDOWS\system32\ywfbyqtu.ini
C:\WINDOWS\system32\ywqblmaf.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.

2007-10-15 12:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 11:59 389,184 --a------ C:\WINDOWS\system32\ssnnilwv.exe
2007-10-14 10:38 389,184 --a------ C:\WINDOWS\system32\mrqkewtk.exe
2007-10-13 22:45 389,184 --a------ C:\WINDOWS\system32\uajwvdfy.exe
2007-10-13 22:41 389,184 --a------ C:\WINDOWS\system32\hwledufr.exe
2007-10-13 22:21 389,184 --a------ C:\WINDOWS\system32\nwpwjwly.exe
2007-10-13 21:52 389,184 --a------ C:\WINDOWS\system32\rdoyibmk.exe
2007-10-13 16:54 389,184 --a------ C:\WINDOWS\system32\yggtjdeg.exe
2007-10-13 16:27 389,184 --a------ C:\WINDOWS\system32\bstlnhjy.exe
2007-10-13 16:20 389,184 --a------ C:\WINDOWS\system32\npsgofwy.exe
2007-10-13 14:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-13 14:11 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\SUPERAntiSpyware.com
2007-10-13 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 14:09 339,968 --------- C:\WINDOWS\system32\tywjnbdl.dll
2007-10-13 14:08 389,184 --a------ C:\WINDOWS\system32\scgriust.exe
2007-10-13 13:28 339,968 --------- C:\WINDOWS\system32\yhfgdplg.dll
2007-10-13 13:27 389,184 --a------ C:\WINDOWS\system32\yklaugsu.exe
2007-10-13 13:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-13 12:22 389,184 --a------ C:\WINDOWS\system32\plwtours.exe
2007-10-13 12:22 339,968 --a------ C:\WINDOWS\system32\kpdggarl.dll
2007-10-13 12:06 339,968 --a------ C:\WINDOWS\system32\retwxjfb.dll
2007-10-13 12:05 389,184 --a------ C:\WINDOWS\system32\wlvoycwd.exe
2007-10-11 21:56 7,680 --a--c--- C:\WINDOWS\system32\DllCache\migregdb.exe
2007-10-11 21:55 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-11 20:27 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-10-11 20:27 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-10-11 20:27 169,984 --a--c--- C:\WINDOWS\system32\DllCache\iisui.dll
2007-10-11 20:27 19,968 --a--c--- C:\WINDOWS\system32\DllCache\inetsloc.dll
2007-10-11 20:27 14,336 --a--c--- C:\WINDOWS\system32\DllCache\iisreset.exe
2007-10-11 20:27 7,680 --a--c--- C:\WINDOWS\system32\DllCache\inetmgr.exe
2007-10-11 20:27 6,144 --a--c--- C:\WINDOWS\system32\DllCache\ftpsapi2.dll
2007-10-11 20:27 5,632 --a--c--- C:\WINDOWS\system32\DllCache\iisrstap.dll
2007-10-11 20:26 85,376 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-10-11 20:26 19,328 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-10-11 20:26 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-10-11 20:26 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-10-11 20:23 520,192 --a--c--- C:\WINDOWS\system32\DllCache\wmpvis.dll
2007-10-11 20:23 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-10-11 20:23 319,551 --a--c--- C:\WINDOWS\system32\DllCache\wmmres.dll
2007-10-11 20:23 163,906 --a--c--- C:\WINDOWS\system32\DllCache\wmmutil.dll
2007-10-11 20:23 110,657 --a--c--- C:\WINDOWS\system32\DllCache\wmmfilt.dll
2007-10-11 20:23 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-10-11 20:19 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-10-11 20:19 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-10-11 20:19 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-11 20:18 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-10-11 20:17 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-10-11 20:17 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-10-06 17:30 <DIR> d-------- C:\VundoFix Backups
2007-10-05 23:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-28 20:55 <DIR> d-------- C:\WINDOWS\Media
2007-09-21 15:10 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-09-21 15:10 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-21 15:10 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-21 10:43 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-09-19 20:53 73,984 -ra------ C:\WINDOWS\system32\drivers\ulsata.sys
2007-09-19 20:53 24,576 -ra------ C:\WINDOWS\system32\ptipbm.dll
2007-09-18 22:51 <DIR> d-------- C:\Program Files\ASUS
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 02:06 --------- d-----w C:\Program Files\GetRight
2007-10-14 15:45 --------- d-----w C:\Program Files\EMIMS
2007-10-14 13:15 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2007-10-13 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 08:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-11 15:23 --------- d-----w C:\Documents and Settings\Kevin\Application Data\MyPhoneExplorer
2007-10-11 12:40 --------- d-----w C:\Program Files\MSN Messenger
2007-10-11 11:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-06 11:22 --------- d-----w C:\Program Files\Java
2007-10-05 13:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-05 00:56 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-04 01:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 01:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 01:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 01:28 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 01:28 --------- d-----w C:\Program Files\Symantec
2007-09-21 05:08 --------- d-----w C:\Program Files\ffdshow
2007-09-21 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 13:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 04:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 04:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 04:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 04:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 04:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 04:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-11 13:56 --------- d-----w C:\Program Files\MSECache
2007-09-10 14:20 --------- d-----w C:\Program Files\Winamp
2007-08-25 14:10 --------- d-----w C:\Program Files\ICQ
2007-08-13 08:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 08:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 08:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 08:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 08:42 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-08-13 08:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 08:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 08:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 08:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 08:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2005-08-26 08:28 23,728 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2005-04-22 11:34 107 ----a-w C:\Documents and Settings\Personal\MSN_ICQ.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-16 17:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 06:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"WinClicker.exe"="C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" [2005-12-14 11:59]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2005-04-29 20:27]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-05 21:35:36]
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [2006-10-24 16:44:27]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"= C:\WINDOWS\SYSTEM32\IOCTRL.DLL [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cusnclal]
cusnclal.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\difourkl]
difourkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gdpicgsl]
gdpicgsl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ifrqephl]
ifrqephl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\luvmygcd]
luvmygcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoqbadje]
qoqbadje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tgvlctbk]
tgvlctbk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-08-14 20:01 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xczuujmk]
xczuujmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yjwpgrwj]
yjwpgrwj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvxcnxqn]
yvxcnxqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447908aa-1ade-11db-8d33-00112fe97d8d}]
AutoRun\command - F:\~tmp0.1st.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64709cbf-676e-11dc-92a3-00112fe97d8d}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 12:35:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15 12:38:14 - machine was rebooted
.
--- E O F ---

#4 P'cisT

P'cisT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 14 October 2007 - 09:45 PM

and here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:27 PM, on 15/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinClicker.exe] "C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120654358156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.portplus.com/apps/popupx2/frames/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cusnclal - cusnclal.dll (file missing)
O20 - Winlogon Notify: difourkl - difourkl.dll (file missing)
O20 - Winlogon Notify: gdpicgsl - gdpicgsl.dll (file missing)
O20 - Winlogon Notify: ifrqephl - ifrqephl.dll (file missing)
O20 - Winlogon Notify: luvmygcd - luvmygcd.dll (file missing)
O20 - Winlogon Notify: qoqbadje - qoqbadje.dll (file missing)
O20 - Winlogon Notify: tgvlctbk - tgvlctbk.dll (file missing)
O20 - Winlogon Notify: xczuujmk - xczuujmk.dll (file missing)
O20 - Winlogon Notify: yjwpgrwj - yjwpgrwj.dll (file missing)
O20 - Winlogon Notify: yvxcnxqn - yvxcnxqn.dll (file missing)
O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - [SASInprocServer32] (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8172 bytes

#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:22 PM

Posted 15 October 2007 - 12:53 PM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\WINDOWS\system32\ssnnilwv.exe
    C:\WINDOWS\system32\mrqkewtk.exe
    C:\WINDOWS\system32\uajwvdfy.exe
    C:\WINDOWS\system32\hwledufr.exe
    C:\WINDOWS\system32\nwpwjwly.exe
    C:\WINDOWS\system32\rdoyibmk.exe
    C:\WINDOWS\system32\yggtjdeg.exe
    C:\WINDOWS\system32\bstlnhjy.exe
    C:\WINDOWS\system32\npsgofwy.exe
    C:\WINDOWS\system32\tywjnbdl.dll
    C:\WINDOWS\system32\scgriust.exe
    C:\WINDOWS\system32\yhfgdplg.dll
    C:\WINDOWS\system32\yklaugsu.exe
    C:\WINDOWS\system32\plwtours.exe
    C:\WINDOWS\system32\kpdggarl.dll
    C:\WINDOWS\system32\retwxjfb.dll
    C:\WINDOWS\system32\wlvoycwd.exe
    C:\WINDOWS\SYSTEM32\IOCTRL.DLL
    Folder::
    C:\VundoFix Backups
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cusnclal]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\difourkl]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gdpicgsl]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ifrqephl]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\luvmygcd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoqbadje]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tgvlctbk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xczuujmk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yjwpgrwj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvxcnxqn]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447908aa-1ade-11db-8d33-00112fe97d8d}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64709cbf-676e-11dc-92a3-00112fe97d8d}]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
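The CFscript above pairs each orphaned "O20 - Winlogon Notify" entry from the HijackThis log with a `[-HKLM\...\winlogon\notify\<name>]` deletion. The following script is an added example, not part of the thread and not code from ComboFix or HijackThis: it parses the `File::`/`Folder::`/`Registry::` sections of a CFscript, parses O20 lines from a HijackThis log, and reports which "file missing" notify packages with machine-looking names the script covers and which it misses. The sample log and script lines are constructed from entries visible in this thread (with one O20 entry deliberately left out of the script), and the eight-lowercase-letter heuristic for a random name is my assumption, drawn from the names seen here rather than from any documented rule.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the HijackThis O20 lines in the thread.
# One legitimate entry and three orphaned packages; gdpicgsl is not in the script below.
SAMPLE_HJT = """\
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: cusnclal - cusnclal.dll (file missing)
O20 - Winlogon Notify: difourkl - difourkl.dll (file missing)
O20 - Winlogon Notify: gdpicgsl - gdpicgsl.dll (file missing)
"""

# Constructed CFscript fragment using the same section syntax as the post.
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\ssnnilwv.exe
Folder::
C:\\VundoFix Backups
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler]
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"=-
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\cusnclal]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\difourkl]
"""

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
REG_KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
# Assumed heuristic: eight lowercase letters, the shape of the names in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
NOTIFY_PREFIX = (
    "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
)


def parse_cfscript(text):
    """Split a CFscript into its File::/Folder::/Registry:: sections."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return dict(sections)


def registry_deletions(sections):
    """Whole-key removals ([-KEY] form) from the Registry:: section, lower-cased."""
    out = set()
    for line in sections.get("Registry", []):
        m = REG_KEY_RE.match(line)
        if m and m.group("delete"):
            out.add(m.group("path").lower())
    return out


def parse_o20(text):
    """Return (name, dll, file_missing) for every O20 Winlogon Notify line."""
    entries = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("dll"), bool(m.group("missing"))))
    return entries


def suspicious_o20(entries):
    """Orphaned notify packages (DLL missing) whose name matches the random-name heuristic."""
    return [name for name, _dll, missing in entries if missing and RANDOM_NAME_RE.match(name)]


def script_coverage(hjt_text, cfscript_text):
    """Which suspicious O20 entries the script removes, and which it leaves behind."""
    deletions = registry_deletions(parse_cfscript(cfscript_text))
    covered, missed = [], []
    for name in suspicious_o20(parse_o20(hjt_text)):
        (covered if NOTIFY_PREFIX + name.lower() in deletions else missed).append(name)
    return {"covered": covered, "missed": missed}


if __name__ == "__main__":
    # On the constructed sample: cusnclal and difourkl are covered, gdpicgsl is missed.
    print(script_coverage(SAMPLE_HJT, SAMPLE_CFSCRIPT))
```

Run it on a real HijackThis log and CFscript by reading both files into the two text arguments; anything in `missed` is an orphaned notify key the script would leave in place, which is exactly the kind of entry that keeps reappearing under a new name when only the DLL is removed.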


#6 P'cisT

P'cisT
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:22 AM

Posted 15 October 2007 - 08:43 PM

Here we go:

ComboFix 07-10-12.4 - Kevin 2007-10-16 11:25:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT 10:00]
Running from: C:\Documents and Settings\Kevin Tran\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin Tran\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\bstlnhjy.exe
C:\WINDOWS\system32\hwledufr.exe
C:\WINDOWS\SYSTEM32\IOCTRL.DLL
C:\WINDOWS\system32\kpdggarl.dll
C:\WINDOWS\system32\mrqkewtk.exe
C:\WINDOWS\system32\npsgofwy.exe
C:\WINDOWS\system32\nwpwjwly.exe
C:\WINDOWS\system32\plwtours.exe
C:\WINDOWS\system32\rdoyibmk.exe
C:\WINDOWS\system32\retwxjfb.dll
C:\WINDOWS\system32\scgriust.exe
C:\WINDOWS\system32\ssnnilwv.exe
C:\WINDOWS\system32\tywjnbdl.dll
C:\WINDOWS\system32\uajwvdfy.exe
C:\WINDOWS\system32\wlvoycwd.exe
C:\WINDOWS\system32\yggtjdeg.exe
C:\WINDOWS\system32\yhfgdplg.dll
C:\WINDOWS\system32\yklaugsu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\anvvqppt.ini.bad
C:\VundoFix Backups\boqkbced.dll.bad
C:\VundoFix Backups\bvbmblwm.ini.bad
C:\VundoFix Backups\decbkqob.ini.bad
C:\VundoFix Backups\didqmgfn.ini.bad
C:\VundoFix Backups\efodyymi.dll.bad
C:\VundoFix Backups\fverknpr.ini.bad
C:\VundoFix Backups\gfmkbreo.dll.bad
C:\VundoFix Backups\goclajxb.dll.bad
C:\VundoFix Backups\jclfrncl.dll.bad
C:\VundoFix Backups\jwpkjmtw.dll.bad
C:\VundoFix Backups\lxebautn.dll.bad
C:\VundoFix Backups\mwlbmbvb.dll.bad
C:\VundoFix Backups\nfgmqdid.dll.bad
C:\VundoFix Backups\ocxjcuho.dll.bad
C:\VundoFix Backups\pwndijsv.ini.bad
C:\VundoFix Backups\qbdfkfuh.ini.bad
C:\VundoFix Backups\rjeldrev.dll.bad
C:\VundoFix Backups\rpnkrevf.dll.bad
C:\VundoFix Backups\sapstjuu.dll.bad
C:\VundoFix Backups\tppqvvna.dll.bad
C:\VundoFix Backups\uujtspas.ini.bad
C:\VundoFix Backups\vejdvyqp.dll.bad
C:\VundoFix Backups\vsjidnwp.dll.bad
C:\VundoFix Backups\wgpbkvjh.dll.bad
C:\VundoFix Backups\yhfgdplg.dll.bad
C:\WINDOWS\system32\bstlnhjy.exe
C:\WINDOWS\system32\hwledufr.exe
C:\WINDOWS\system32\kpdggarl.dll
C:\WINDOWS\system32\mrqkewtk.exe
C:\WINDOWS\system32\npsgofwy.exe
C:\WINDOWS\system32\nwpwjwly.exe
C:\WINDOWS\system32\plwtours.exe
C:\WINDOWS\system32\rdoyibmk.exe
C:\WINDOWS\system32\retwxjfb.dll
C:\WINDOWS\system32\scgriust.exe
C:\WINDOWS\system32\ssnnilwv.exe
C:\WINDOWS\system32\tywjnbdl.dll
C:\WINDOWS\system32\uajwvdfy.exe
C:\WINDOWS\system32\wlvoycwd.exe
C:\WINDOWS\system32\yggtjdeg.exe
C:\WINDOWS\system32\yhfgdplg.dll
C:\WINDOWS\system32\yklaugsu.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-15 12:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 14:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-13 14:11 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\SUPERAntiSpyware.com
2007-10-13 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 13:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-11 21:56 7,680 --a--c--- C:\WINDOWS\system32\DllCache\migregdb.exe
2007-10-11 21:55 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-11 20:27 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-10-11 20:27 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-10-11 20:27 169,984 --a--c--- C:\WINDOWS\system32\DllCache\iisui.dll
2007-10-11 20:27 19,968 --a--c--- C:\WINDOWS\system32\DllCache\inetsloc.dll
2007-10-11 20:27 14,336 --a--c--- C:\WINDOWS\system32\DllCache\iisreset.exe
2007-10-11 20:27 7,680 --a--c--- C:\WINDOWS\system32\DllCache\inetmgr.exe
2007-10-11 20:27 6,144 --a--c--- C:\WINDOWS\system32\DllCache\ftpsapi2.dll
2007-10-11 20:27 5,632 --a--c--- C:\WINDOWS\system32\DllCache\iisrstap.dll
2007-10-11 20:26 85,376 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-10-11 20:26 19,328 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-10-11 20:26 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-10-11 20:26 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-10-11 20:23 520,192 --a--c--- C:\WINDOWS\system32\DllCache\wmpvis.dll
2007-10-11 20:23 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-10-11 20:23 319,551 --a--c--- C:\WINDOWS\system32\DllCache\wmmres.dll
2007-10-11 20:23 163,906 --a--c--- C:\WINDOWS\system32\DllCache\wmmutil.dll
2007-10-11 20:23 110,657 --a--c--- C:\WINDOWS\system32\DllCache\wmmfilt.dll
2007-10-11 20:23 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-10-11 20:19 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-10-11 20:19 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-10-11 20:19 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-11 20:18 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-10-11 20:17 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-10-11 20:17 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-10-05 23:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-28 20:55 <DIR> d-------- C:\WINDOWS\Media
2007-09-21 15:10 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-09-21 15:10 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-21 15:10 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-21 10:43 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-09-19 20:53 73,984 -ra------ C:\WINDOWS\system32\drivers\ulsata.sys
2007-09-19 20:53 24,576 -ra------ C:\WINDOWS\system32\ptipbm.dll
2007-09-18 22:51 <DIR> d-------- C:\Program Files\ASUS
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 15:40 --------- d-----w C:\Program Files\EMIMS
2007-10-15 11:25 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2007-10-15 04:24 --------- d-----w C:\Program Files\GetRight
2007-10-13 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 08:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-11 15:23 --------- d-----w C:\Documents and Settings\Kevin\Application Data\MyPhoneExplorer
2007-10-11 12:40 --------- d-----w C:\Program Files\MSN Messenger
2007-10-11 11:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-06 11:22 --------- d-----w C:\Program Files\Java
2007-10-05 13:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-05 00:56 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-04 01:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 01:28 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 01:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 01:28 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 01:28 --------- d-----w C:\Program Files\Symantec
2007-09-21 05:08 --------- d-----w C:\Program Files\ffdshow
2007-09-21 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 13:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 04:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 04:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 04:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 04:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 04:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 04:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-11 13:56 --------- d-----w C:\Program Files\MSECache
2007-09-10 14:20 --------- d-----w C:\Program Files\Winamp
2007-08-25 14:10 --------- d-----w C:\Program Files\ICQ
2007-08-13 08:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 08:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 08:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 08:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 08:42 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-08-13 08:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 08:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 08:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 08:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 08:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2005-08-26 08:28 23,728 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2005-04-22 11:34 107 ----a-w C:\Documents and Settings\Personal\MSN_ICQ.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-16 17:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 06:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"WinClicker.exe"="C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" [2005-12-14 11:59]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2005-04-29 20:27]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-05 21:35:36]
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [2006-10-24 16:44:27]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-08-14 20:01 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 11:30:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 11:32:47 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-15 12:38
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:41 AM, on 16/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinClicker.exe] "C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120654358156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.portplus.com/apps/popupx2/frames/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7420 bytes



Everything does feel a lot better now so it seems all the bugs might be gone now...

Edited by P'cisT, 15 October 2007 - 08:44 PM.


#7 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:22 PM

Posted 16 October 2007 - 11:24 AM

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log


#8 P'cisT

P'cisT
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:22 AM

Posted 16 October 2007 - 09:28 PM

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2595 (20071016)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=ee3bb84a1adb034fb5eeeee764a19a43
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-10-17 01:29:09
# local_time=2007-10-17 11:29:09 (+1000, AUS Eastern Standard Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=302381
# found=21
# scan_time=4626
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\1\521e0601-32faf9bd Java/ClassLoader.Dummy.D trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\1\521e0601-32faf9bd »ZIP »Dummy.class Java/ClassLoader.Dummy.D trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\57\5319c679-61823567 Java/Exploit.Bytverify trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\57\5319c679-61823567 »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\57\5319c679-61823567 »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-ee688bf-492a864b.zip Java/ClassLoader.Dummy.D trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-ee688bf-492a864b.zip »ZIP »Dummy.class Java/ClassLoader.Dummy.D trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1109b54b-5260cabe.zip Java/Exploit.Bytverify trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1109b54b-5260cabe.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1109b54b-5260cabe.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Kevin\Desktop\backups\backup-20071007-105050-582.dll Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\efodyymi.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\jclfrncl.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\jwpkjmtw.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\lxebautn.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\ocxjcuho.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\vejdvyqp.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\VundoFix Backups\wgpbkvjh.dll.bad.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\vejdvyqp.dll.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\wtkuvsob.dll.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\ydawhmcm.dll.vir Win32/BHO.NAY trojan (unable to clean - deleted) 00000000000000000000000000000000
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:12 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinClicker.exe] "C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120654358156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.portplus.com/apps/popupx2/frames/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7924 bytes
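Working through a HijackThis log like the one above line by line is the slow part of a thread like this. The Python below is an added example, not a BleepingComputer or HijackThis tool: it pulls the O2/O4/O16/O23 entries out of HijackThis v2.0.2 log text and applies three triage heuristics drawn from this thread (a BHO loaded from an 8-letter random DLL in system32 like the quarantined Vundo files, an ActiveX download from a non-Microsoft host, a service with no publisher recorded). The regexes are assumed from the log format shown here, the all-zero CLSID in the constructed sample is a placeholder, and a flag is a prompt to look closer, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample from the log in this thread; the second O2 line is made up (all-zero CLSID, quarantined DLL name).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\vejdvyqp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/x.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Entry grammar assumed from the log format shown in this thread.
LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
PARSERS = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}
# Vundo-style names from the quarantine list above: eight random letters in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)
MS_HOSTS = ("http://update.microsoft.com/", "http://www.microsoft.com/")

def parse_hjt(text):
    """Return {section: [entry dict, ...]} for the O2/O4/O16/O23 lines."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue          # header, blank or unrelated line
        sec, body = m.groups()
        if sec in PARSERS:
            fields = PARSERS[sec].match(body)
            if fields:
                entries[sec].append(fields.groupdict())
    return entries

def review_flags(entries):
    """Triage heuristics: each flag is a prompt to look closer, not a verdict."""
    flags = [("O2", "BHO from random 8-letter DLL in system32", e["path"])
             for e in entries["O2"] if RANDOM_DLL_RE.search(e["path"])]
    flags += [("O16", "ActiveX download from non-Microsoft host", e["url"])
              for e in entries["O16"] if not e["url"].startswith(MS_HOSTS)]
    flags += [("O23", "service with no publisher recorded", e["path"])
              for e in entries["O23"] if e["owner"] == "Unknown owner"]
    return flags
```

Run `review_flags(parse_hjt(open("hijackthis.log").read()))` on a saved log to get the list of (section, reason, item) tuples to check by hand.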

#9 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:22 PM

Posted 17 October 2007 - 01:21 PM

How's it running now?

#10 P'cisT

P'cisT
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:22 AM

Posted 17 October 2007 - 08:48 PM

It's running well actually. I'd say perfect.

Thanks a lot for your help. :thumbsup:

#11 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:22 PM

Posted 18 October 2007 - 10:56 AM

Delete combofix.exe from your desktop & delete the C:\qoobox\ folder

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    • Restart
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck Turn off System Restore.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from Automatic to Manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date
