Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Websites Redirect


  • Please log in to reply
12 replies to this topic

#1 vspydir

vspydir

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 23 October 2007 - 02:19 PM

HI. i'm getting REDIRECTED TO DIFFERENT WEBSITES, ALL THE TIME.
I've scanned computer using adware, spybot, avira anti-virus, still can't get rid of it.

thank you for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:21 PM, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\Firefox.exe
C:\Program Files\hiJACKTHIS\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {561713B1-52F3-4481-898E-7E22CD9773B2} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...145/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{0174DFD8-7470-4451-83BB-841D136C4AC2}: NameServer = 192.168.0.1,192.168.0.2
O20 - AppInit_DLLs: ???????????????
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: md5hsh - C:\WINDOWS\SYSTEM32\md5hsh.dll
O21 - SSODL: CblIroyEZUX - {E00A244F-4AA0-8EE5-A9E4-66CEB99B14F9} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows DateTime Service (Win32Date) - Unknown owner - C:\WINDOWS\Wintime.exe (file missing)

--
End of file - 4653 bytes

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 October 2007 - 11:06 AM

Hi vspydir and Welcome to the Bleeping Computer!

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

After posting those logs,Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal

Posted 25 October 2007 - 11:12 AM

Sorry

Please follow Cretemonster instrucions.

Edited by lusitano, 25 October 2007 - 12:07 PM.

Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 vspydir

vspydir
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:45 PM

Posted 25 October 2007 - 02:49 PM

Just Wondering was the spyware on my computer able to redirect passwords from websites? Like Ebay, Paypal.
i never just links, i've always typed in the websites address, manually.

Thank you for your help!

--------------------------------


ComboFix 07-10-23.2 - XP64 2007-10-25 15:43:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1593 [GMT -4:00]
Running from: C:\DOWNLOADS\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\NetworkService\Application Data\Microsoft\25319.dat
C:\Program Files\e-zshopper
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\kdbza.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-25 15:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 14:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-21 12:19 23 --ahs---- C:\WINDOWS\system32\debfddb_r.dll
2007-10-21 12:18 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-10-21 12:13 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-20 18:36 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-20 18:36 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-20 18:36 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-20 18:36 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-20 18:36 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-20 18:36 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-20 18:36 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-20 18:36 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-20 17:25 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-10-20 17:25 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-20 14:43 <DIR> d-------- C:\Documents and Settings\XP64\Application Data\GetRightToGo
2007-10-19 18:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-19 17:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-19 17:56 <DIR> d-------- C:\Documents and Settings\XP64\Application Data\SUPERAntiSpyware.com
2007-10-18 19:37 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-18 19:37 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-12 09:53 0 --a------ C:\WINDOWS\system32\ignoredomainsbase.bin
2007-10-12 09:49 <DIR> d-------- C:\Program Files\AntispyStorm
2007-10-12 09:41 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-12 09:39 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-12 09:37 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-12 09:16 6,656 --a------ C:\WINDOWS\system32\md5hsh.dll
2007-10-12 09:16 2,032 --a------ C:\WINDOWS\system32\nvnapi.sys
2007-10-11 18:41 9,741 --a------ C:\WINDOWS\system32\rt27.exe
2007-09-29 20:36 <DIR> d-------- C:\Documents and Settings\XP64\Application Data\CyberLink
2007-09-29 20:34 <DIR> d-------- C:\Program Files\Common Files\ATI
2007-09-29 20:34 <DIR> d-------- C:\Program Files\ATI Multimedia
2007-09-29 20:34 257,872 --a------ C:\WINDOWS\system32\drivers\atirwvd.sys
2007-09-29 20:34 9,091 --a------ C:\WINDOWS\system32\drivers\atirwrf.sys
2007-09-29 20:32 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2007-09-29 20:32 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-09-29 20:32 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-09-29 20:31 <DIR> d-------- C:\Program Files\CyberLink
2007-09-29 20:31 <DIR> d-------- C:\Program Files\ATI
2007-09-29 20:31 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-09-29 20:31 1,047,552 --------- C:\WINDOWS\system32\MFC71u.dll
2007-09-29 20:31 89,088 --------- C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 20:12 --------- d-----w C:\Program Files\AntiVir PersonalEdition Premium
2007-10-21 16:51 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-20 17:11 --------- d-----w C:\Documents and Settings\XP64\Application Data\uTorrent
2007-10-19 21:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 16:41 --------- d-----w C:\Program Files\uTorrent
2007-10-14 12:13 --------- d-----w C:\Program Files\SpeedFan
2007-10-01 20:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-30 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 00:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-11 05:50 --------- d-----w C:\Documents and Settings\XP64\Application Data\Media Player Classic
2007-09-11 05:30 --------- d-----w C:\Program Files\Lavasoft
2007-09-11 05:29 --------- d-----w C:\Program Files\CCleaner
2007-09-11 04:53 --------- d-----w C:\Program Files\Webroot
2007-09-11 04:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-11 04:52 --------- d-----w C:\Documents and Settings\XP64\Application Data\Webroot
2007-09-11 04:20 --------- d-----w C:\Program Files\DivX
2007-09-07 06:03 --------- d-----w C:\Documents and Settings\XP64\Application Data\vlc
2007-09-05 20:42 --------- d-----w C:\Program Files\VideoLAN
2007-09-05 20:41 --------- d-----w C:\Program Files\QuickTime Alternative
2007-09-05 20:40 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-05 19:25 --------- d-----w C:\Program Files\Shareaza
2007-08-29 20:00 --------- d-----w C:\Program Files\IZArc
2007-08-29 20:00 --------- d-----w C:\Program Files\Foxit Software
2007-08-29 19:36 --------- d-----w C:\Program Files\Java
2007-08-29 19:34 --------- d-----w C:\Program Files\Common Files\Java
2007-08-29 19:29 --------- d-----w C:\Program Files\Common Files\Nero
2007-08-29 19:29 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-29 19:28 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-29 19:28 --------- d-----w C:\Program Files\Ahead
2007-08-29 19:04 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-08-29 19:00 --------- d-----w C:\Program Files\Executive Software
2007-08-29 19:00 --------- d-----w C:\Documents and Settings\XP64\Application Data\Leadertech
2007-08-29 18:40 --------- d-----w C:\Program Files\ASUS
2007-08-23 03:59 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{561713B1-52F3-4481-898E-7E22CD9773B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\md5hsh]
md5hsh.dll 2007-10-12 09:16 6656 C:\WINDOWS\system32\md5hsh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=???????????????


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
"C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
"C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Rescue System]

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R1 nvnapi;NVidia XTLayer gateway;\??\C:\WINDOWS\system32\nvnapi.sys
S2 Win32Date;Windows DateTime Service;C:\WINDOWS\Wintime.exe
S4 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe"
S4 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 15:45:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 15:46:05 - machine was rebooted
.
--- E O F ---

-----------------------------
HICJACKTHI LOG ---------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:41 PM, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\Firefox.exe
C:\Program Files\hiJACKTHIS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {561713B1-52F3-4481-898E-7E22CD9773B2} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...145/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{0174DFD8-7470-4451-83BB-841D136C4AC2}: NameServer = 192.168.0.1,192.168.0.2
O20 - AppInit_DLLs: ???????????????
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: md5hsh - C:\WINDOWS\SYSTEM32\md5hsh.dll
O21 - SSODL: CblIroyEZUX - {E00A244F-4AA0-8EE5-A9E4-66CEB99B14F9} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows DateTime Service (Win32Date) - Unknown owner - C:\WINDOWS\Wintime.exe (file missing)

--
End of file - 4276 bytes

Edited by vspydir, 25 October 2007 - 02:53 PM.


#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 25 October 2007 - 05:11 PM

I think its entirely possible that all your logins and passwords were recorded,its allways best to change all these from a clean PC once you realize your infected.


Copy the text below to notepad and save it to the desktop with the name CFScript.txt

Driver::
nvnapi
Win32Date
File::
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\md5hsh.dll
C:\WINDOWS\system32\nvnapi.sys
C:\WINDOWS\system32\rt27.exe
C:\WINDOWS\Wintime.exe
Folder::
C:\WINDOWS\system32\ignoredomainsbase.bin
C:\Program Files\AntispyStorm
C:\WINDOWS\system32\acespy
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{561713B1-52F3-4481-898E-7E22CD9773B2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\md5hsh]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Rescue System]

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log and a fresh HijackThis log.

Edited by Cretemonster, 25 October 2007 - 05:12 PM.


#6 vspydir

vspydir
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 26 October 2007 - 12:19 PM

THANK YOU FOR YOUR HELP.
IT LOOKS LIKE EVERYTHING IS FIXED.


ComboFix 07-10-23.2 - XP64 2007-10-26 13:14:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1604 [GMT -4:00]
Running from: E:\Run Programs\ComboFix.exe
Command switches used :: E:\Run Programs\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\md5hsh.dll
C:\WINDOWS\system32\nvnapi.sys
C:\WINDOWS\system32\rt27.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\Wintime.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntispyStorm
C:\Program Files\AntispyStorm\config.dat
C:\Program Files\AntispyStorm\stat.bin
C:\Program Files\AntispyStorm\uninstall.log
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ignoredomainsbase.bin\
C:\WINDOWS\system32\md5hsh.dll
C:\WINDOWS\system32\nvnapi.sys
C:\WINDOWS\system32\rt27.exe
C:\WINDOWS\system32\stfv.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NVNAPI
-------\LEGACY_WIN32DATE
-------\nvnapi
-------\Win32Date


((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-25 15:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 14:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-21 12:19 23 --ahs---- C:\WINDOWS\system32\debfddb_r.dll
2007-10-21 12:18 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-10-21 12:13 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-20 18:36 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-20 18:36 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-20 18:36 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-20 18:36 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-20 18:36 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-20 18:36 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-20 18:36 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-20 18:36 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-20 17:25 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-10-20 17:25 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-20 14:43 <DIR> d-------- C:\Documents and Settings\XP64\Application Data\GetRightToGo
2007-10-19 18:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-19 17:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-19 17:56 <DIR> d-------- C:\Documents and Settings\XP64\Application Data\SUPERAntiSpyware.com
2007-10-18 19:37 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-10-18 19:37 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-12 09:53 0 --a------ C:\WINDOWS\system32\ignoredomainsbase.bin
2007-10-12 09:41 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-09-29 20:36 <DIR> d-------- C:\Documents and Settings\XP64\Application Data\CyberLink
2007-09-29 20:34 <DIR> d-------- C:\Program Files\Common Files\ATI
2007-09-29 20:34 <DIR> d-------- C:\Program Files\ATI Multimedia
2007-09-29 20:34 257,872 --a------ C:\WINDOWS\system32\drivers\atirwvd.sys
2007-09-29 20:34 9,091 --a------ C:\WINDOWS\system32\drivers\atirwrf.sys
2007-09-29 20:32 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2007-09-29 20:32 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-09-29 20:32 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-09-29 20:31 <DIR> d-------- C:\Program Files\CyberLink
2007-09-29 20:31 <DIR> d-------- C:\Program Files\ATI
2007-09-29 20:31 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-09-29 20:31 1,047,552 --------- C:\WINDOWS\system32\MFC71u.dll
2007-09-29 20:31 89,088 --------- C:\WINDOWS\system32\atl71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 20:12 --------- d-----w C:\Program Files\AntiVir PersonalEdition Premium
2007-10-21 16:51 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-20 17:11 --------- d-----w C:\Documents and Settings\XP64\Application Data\uTorrent
2007-10-19 21:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 16:41 --------- d-----w C:\Program Files\uTorrent
2007-10-14 12:13 --------- d-----w C:\Program Files\SpeedFan
2007-10-01 20:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-30 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 00:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-11 05:50 --------- d-----w C:\Documents and Settings\XP64\Application Data\Media Player Classic
2007-09-11 05:30 --------- d-----w C:\Program Files\Lavasoft
2007-09-11 05:29 --------- d-----w C:\Program Files\CCleaner
2007-09-11 04:53 --------- d-----w C:\Program Files\Webroot
2007-09-11 04:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-11 04:52 --------- d-----w C:\Documents and Settings\XP64\Application Data\Webroot
2007-09-11 04:20 --------- d-----w C:\Program Files\DivX
2007-09-07 06:03 --------- d-----w C:\Documents and Settings\XP64\Application Data\vlc
2007-09-05 20:42 --------- d-----w C:\Program Files\VideoLAN
2007-09-05 20:41 --------- d-----w C:\Program Files\QuickTime Alternative
2007-09-05 20:40 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-05 19:25 --------- d-----w C:\Program Files\Shareaza
2007-08-29 20:00 --------- d-----w C:\Program Files\IZArc
2007-08-29 20:00 --------- d-----w C:\Program Files\Foxit Software
2007-08-29 19:36 --------- d-----w C:\Program Files\Java
2007-08-29 19:34 --------- d-----w C:\Program Files\Common Files\Java
2007-08-29 19:29 --------- d-----w C:\Program Files\Common Files\Nero
2007-08-29 19:29 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-29 19:28 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-29 19:28 --------- d-----w C:\Program Files\Ahead
2007-08-29 19:04 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-08-29 19:00 --------- d-----w C:\Program Files\Executive Software
2007-08-29 19:00 --------- d-----w C:\Documents and Settings\XP64\Application Data\Leadertech
2007-08-29 18:40 --------- d-----w C:\Program Files\ASUS
2007-08-23 03:59 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-25_15.45.41.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
"C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S4 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe"
S4 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 13:15:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 13:16:30 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-25 15:46
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:06 PM, on 26/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\Firefox.exe
C:\Program Files\hiJACKTHIS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...145/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{0174DFD8-7470-4451-83BB-841D136C4AC2}: NameServer = 192.168.0.1,192.168.0.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CblIroyEZUX - {E00A244F-4AA0-8EE5-A9E4-66CEB99B14F9} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 3459 bytes

#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 26 October 2007 - 03:34 PM

Have this file scanned please

C:\WINDOWS\system32\debfddb_r.dll

Scan at http://www.virustotal.com and save the results to notpad and post them in the next reply,please.

This one too if you dont know why its on the machine--> C:\WINDOWS\HideWin.exe


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O21 - SSODL: CblIroyEZUX - {E00A244F-4AA0-8EE5-A9E4-66CEB99B14F9} - (no file)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#8 vspydir

vspydir
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  

Posted 26 October 2007 - 11:36 PM

Thanks!.

File debfddb_r.dll received on 10.27.2007 06:28:33 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 -
Authentium 4.93.8 2007.10.26 -
Avast 4.7.1074.0 2007.10.26 -
AVG 7.5.0.503 2007.10.26 -
BitDefender 7.2 2007.10.27 -
CAT-QuickHeal 9.00 2007.10.26 -
ClamAV 0.91.2 2007.10.27 -
DrWeb 4.44.0.09170 2007.10.26 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.26 -
FileAdvisor 1 2007.10.27 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.26 -
Ikarus T3.1.1.12 2007.10.27 -
Kaspersky 7.0.0.125 2007.10.27 -
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.27 -
NOD32v2 2620 2007.10.27 -
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.27 -
Prevx1 V2 2007.10.27 -
Rising 19.46.42.00 2007.10.26 -
Sophos 4.22.0 2007.10.26 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.27 -
TheHacker 6.2.9.107 2007.10.25 -
VBA32 3.12.2.4 2007.10.26 -
VirusBuster 4.3.26:9 2007.10.26 -
Webwasher-Gateway 6.6.1 2007.10.27 -
Additional information
File size: 23 bytes
MD5: 4635bc3a7ea8603ba33f62f32de5ef92
SHA1: 3bb4ff412b2374b699fe2c3a0fd73bfd4a95634f



File HideWin.exe received on 10.27.2007 05:17:00 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 -
Authentium 4.93.8 2007.10.26 -
Avast 4.7.1074.0 2007.10.26 -
AVG 7.5.0.503 2007.10.26 -
BitDefender 7.2 2007.10.27 -
CAT-QuickHeal 9.00 2007.10.26 -
ClamAV 0.91.2 2007.10.27 -
DrWeb 4.44.0.09170 2007.10.26 -
eSafe 7.0.15.0 2007.10.22 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.26 -
FileAdvisor 1 2007.10.27 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.26 -
Ikarus T3.1.1.12 2007.10.27 -
Kaspersky 7.0.0.125 2007.10.27 -
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.27 -
NOD32v2 2620 2007.10.27 -
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.27 -
Prevx1 V2 2007.10.27 -
Rising 19.46.42.00 2007.10.26 -
Sophos 4.22.0 2007.10.26 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.27 -
TheHacker 6.2.9.107 2007.10.25 -
VBA32 3.12.2.4 2007.10.26 -
VirusBuster 4.3.26:9 2007.10.26 -
Webwasher-Gateway 6.6.1 2007.10.27 -
Additional information
File size: 315392 bytes
MD5: 2d65f8db74c36819896cf809e4375f0a
SHA1: 3bb8f07c42350509a123b9ad86bb6582856d1f91






Scanning Report
Saturday, October 27, 2007 00:08:35 - 00:23:27

Computer name: AMD64X24000
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 0 malware found
Statistics
Scanned:

* Files: 19491
* System: 3466
* Not scanned: 2

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-10-26
* F-Secure AVP: 7.0.171, 2007-10-26
* F-Secure Orion: 1.2.37, 2007-10-26
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2007-09-18

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 27 October 2007 - 05:09 AM

I like those kinda results,how does the machine seem to be acting today?

Please post an uninstall list,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press Save button a notepad will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.


#10 vspydir

vspydir
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 27 October 2007 - 01:32 PM

Everything is great. thanks.

Ad-Aware 2007
Adobe Shockwave Player
ASUSUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
ATI Remote Wonder 3.04
avast! Antivirus
Avira AntiVir PersonalEdition Premium
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
CCleaner (remove only)
CleanUp!
Cool & Quiet
Diskeeper Professional Edition
DivX Content Uploader
DivX Web Player
Foxit Reader
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
IZArc 3.81
Java™ 6 Update 2
jv16 PowerTools 2007
K-Lite Mega Codec Pack 3.4.0
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0.0.6)
Nero Suite
PC Probe II
QuickTime Alternative 1.81
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Shareaza version 2.2.5.0
SpeedFan (remove only)
Spy Sweeper
Spybot - Search & Destroy
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
VideoLAN VLC media player 0.8.6c
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Media Format Runtime
Windows Media Player 10

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 27 October 2007 - 05:37 PM

Glad to hear the PC is being more user friendly again.

Adobe Shockwave Player<-- Be sure is the latest version

Java™ 6 Update 2<-- Uninstall and install latest version from link below.
http://www.java.com/en/download/index.jsp

Mozilla Firefox (2.0.0.6)<-- Update please,Current version is (2.0.0.8)


Give the Eset Online Scanner a run.
http://www.eset.com/onlinescan/index.php

1.Accept the terms of use and click the Start button.
2.When prompted to install an ActiveX Control, click the yellow notification bar and select Install ActiveX Control..
3.Click the Install button on the Security Warning window which appears.
4.Once the ActiveX installs click the Start button to download the signature database when prompted.
5.On the "Computer Scan" options window select Remove found threats but leave Scan unwanted applications unchecked, then hit the Scan button.
6.A log file of the results can be found at C:/Program Files/EsetOnlineScanner/log.txt
7.Post the results in your next reply please.

#12 vspydir

vspydir
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  

Posted 28 October 2007 - 10:48 AM

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2621 (20071028)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=866dcfb1d4514d45beb1a91d8dc8fb56
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-10-28 04:47:08
# local_time=2007-10-28 11:47:08 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=77055
# found=1
# scan_time=458
C:\qoobox\Quarantine\C\WINDOWS\system32\rt27.exe.vir probably a variant of Win32/Spy.Goldun.GU trojan (unable to clean - deleted) 00000000000000000000000000000000

#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 29 October 2007 - 03:17 PM

Allright,lets get you on your way.

Click Start--> Click Run--> Type in or Copy&Paste--> combofix /u into the open run box and click ok,this will remove combofix from the machine.


Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.

Consider using Erunt for a backup to System Restore in case the machine ever does crash.
http://silentrunners.org/sr_eruntuse.html

Be sure to read through the entire page and pay close attention to Emergency Procedures should you ever need it.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/officeupdate/default.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/security/...ry/default.mspx

Recently Published
http://www.microsoft.com/technet/security/...nt/default.mspx

Make your Internet Explorer more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click on the Security tab
  • Click the Internet icon so it becomes highlighted.
  • Click on Default Level and click Ok
  • Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Take the time to check out the following links

Resources for using Internet Explorer 6
http://support.microsoft.com/?kbid=867470

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwarer...e/families.mspx

Keep your Sun Java up to date

Check out these topics for more information:
http://spywarewarrior.com/viewtopic.php?t=17910
http://spywarewarrior.com/viewtopic.php?t=17598

Free programs that may help you in keeping the PC clean
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial tutorial can be found here
  • MVPS Hosts File
    You can download the MVPS Hosts File here
    Furthermore the website contains useful tips and links to other resources and utilities.
  • Bluetack's Hosts File and Hosts Manager
    Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
    Download Bluetack's Hosts file here
    Download Bluetack's HostsManager here
Free Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

AVG Anti-Spyware (formerly Ewido)

Realtime protection against these threats:
  • Hijackers and Spyware
    Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.
  • Worms
    Nobody should receive e-mails in your name with malicious files in the appendix anymore.
  • Dialers
    Security against all kinds of dialers. No fear when receiving the next phone bill.
  • Trojans and Keyloggers
    No chance for thieves to steal your bank data and personal sensitive information by tapped Internet connections, remote controlled webcams or secret keyboard recordings.
Most of you will have already the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends the following features will stop working:
  • Scheduled scans.
  • Real-time monitoring of the entire system.
  • Memory Scan detects active threats.
  • Self-protection at kernel layer guarantees gapless monitoring.
  • Automatic online-update.
The manual memory scan will work in the free version and you can manually update the definitions by clicking on the "Start Update" button under Manual update in the update module.

You can download AVG Anti-Spyware here
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
  • Fraudulent claims or scams
  • Offensive material
  • Security vulnerabilities
  • Spyware or Adware
  • Spam related material
  • or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Product Info & Download: SiteHound Toolbar

For advanced users : ProcessGuard

ProcessGuard blocks rootkits, prevents spyware, guards your computer from DLL trojans...
For more information take a moment to read the Introduction and the Known Attacks information pages.
You can download Process Guard here

For advanced users : System Safety Monitor

System Safety Monitor (SSM) allows you to track down Microsoft Windows operating system activity in real-time and to prevent undesirable actions from various malware and spyware programs. SSM's main goal is to discover and block malicious actions of any application.
For more information take a moment to read the Main features of the program.
You can download SSM here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://forum.malwareremoval.com/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://forum.malwareremoval.com/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests ?
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users