
Pws.ldpinchie / Lich?


16 replies to this topic

#1 Moonglum Clampflower


Posted 07 December 2007 - 01:59 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:50, on 07/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: C:\WINNT\system32\jkd845jg.dll - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINNT\system32\jkd845jg.dll (file missing)
O2 - BHO: C:\WINNT\system32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINNT\system32\d4ghggf4g.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\17523\gm.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy II\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191968544618
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINNT\system32\jkd845jg.dll (file missing)
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINNT\system32\d4ghggf4g.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4987 bytes



#2 SNOWHITE


Posted 07 December 2007 - 10:41 PM

Hello Moonglum Clampflower and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Step #2

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Step #3

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, dss will prompt you to download and install it for you; please allow this to happen!

In your next post please include the following reports:
  • SDFix report
  • dss scan reports main.txt and extra.txt
Let me know how things went.

Regards,
SNOWHITE

#3 Moonglum Clampflower


Posted 08 December 2007 - 06:35 AM

Ran SDFix as instructed. When in safe mode, came up with an Access Denied message during run through. On to step 3 now. Maybe this relates to "Could Not Remove C:\WINNT\Temp\startdrv.exe"

Cheers

Moon.


SDFix: Version 1.117

Run by Administrator on Sat 08/12/2007 at 11:04

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
runtime
wins

Path:
\??\C:\WINNT\System32\drivers\runtime.sys
%SystemRoot%\System32\wins.exe

runtime - Deleted
wins - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service NdisWon - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\system32\8_exception.nls - Deleted
C:\WINNT\system32\RunOnce.t__ - Deleted
C:\WINNT\system32\RunOnce.tmp - Deleted
C:\WINNT\system32\drivers\NdisWon.sys - Deleted


Could Not Remove C:\WINNT\Temp\startdrv.exe

Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 11:20:50
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ctl_w32.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctl_w32]
"ImagePath"="\SystemRoot\system32\drivers\ctl_w32.sys"
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"DependOnGroup"="File System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ctl_w32.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ctl_w32.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ctl_w32]
"ImagePath"="\SystemRoot\system32\drivers\ctl_w32.sys"
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"DependOnGroup"="File System"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\drivers\ctl_w32.sys 35328 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 1


Remaining Services:
------------------



Remaining Files:
---------------
C:\WINNT\Temp\startdrv.exe Found

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 16 May 2005 513,215 A.SH. --- "C:\WINNT\system\bewtnof.bak1"
Wed 18 May 2005 522,148 A.SH. --- "C:\WINNT\system\bewtnof.bak2"

Finished!

#4 SNOWHITE


Posted 08 December 2007 - 11:16 AM

Hello Moonglum Clampflower :thumbsup:

Please follow the steps below exactly in the order they are written:

Step #1
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
Step #2
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with Combofix report, Uninstall list and new HijackThis log.

Regards,
SNOWHITE

#5 Moonglum Clampflower


Posted 08 December 2007 - 02:03 PM

Ok, logs below. Just one thing. After the restart, the prog continued and seemed to complete ok but Windows came up with a Service Failure. The Eventvwr showed...

7022 - The Background Intelligent Transfer Service service hung on starting.

7026 - The following boot-start or system-start driver(s) failed to load: ctl_w32

Also, did you still want the MAIN and EXTRA logs from the DSS run, or is that redundant now?

Cheers

Moon.


-------------------------
Combofix Log
-------------------------

ComboFix 07-12-08.1 - Administrator 08/12/2007 18:41:32.1 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.321 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\Cache
C:\WINNT\system32\drivers\ctl_w32.sys
C:\WINNT\system32\drivers\netdtect.sys
C:\WINNT\system32\update243.exe
C:\WINNT\system32\update270.exe
C:\WINNT\system32\update276.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_RUNTIME


((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-08 18:33 . 07-12-08 18:33 <DIR> d-------- C:\Deckard
2007-12-08 11:04 . 07-12-08 11:04 <DIR> d-------- C:\WINNT\ERUNT
2007-12-07 18:50 . 07-12-07 18:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 20:45 . 07-12-04 22:37 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-12-04 20:45 . 07-12-04 20:45 30,590 --a------ C:\WINNT\system32\pavas.ico
2007-12-03 20:30 . 07-12-03 23:18 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-03 20:02 . 07-12-03 20:06 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-03 20:02 . 07-12-03 20:02 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-03 20:02 . 07-12-03 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-02 21:43 . 07-12-02 21:43 54,156 --ah----- C:\WINNT\QTFont.qfn
2007-12-02 21:43 . 07-12-02 21:43 1,409 --a------ C:\WINNT\QTFont.for
2007-12-02 21:28 . 07-12-08 10:58 1,107,388 ---h----- C:\WINNT\ShellIconCache
2007-11-22 19:56 . 07-11-22 19:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Keynote Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 10:54 28,089,064 ----a-w C:\WINNT\Internet Logs\tvDebug.zip
2007-12-05 11:48 --------- d---a-w C:\Program Files\Sophos SWEEP for NT
2007-12-04 22:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy II
2007-12-04 22:00 --------- d-----w C:\Program Files\MSN Messenger
2007-12-02 21:44 --------- d-----w C:\Program Files\QuickTime
2007-12-02 20:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-09 21:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2005-08-21 17:24 24,280 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-02-22 19:35 271 ---h--w C:\Program Files\desktop.ini
2005-02-22 19:35 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-05-16 20:35 513,215 --sha-w C:\WINNT\system\bewtnof.bak1
2005-05-18 21:40 522,148 --sha-w C:\WINNT\system\bewtnof.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 15:40 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [03-06-20 12:00 C:\WINNT\system32\rundll32.exe]
"nwiz"="nwiz.exe" [02-03-09 10:53 C:\WINNT\system32\nwiz.exe]
"REGSHAVE"="C:\Progra~1\REGSHAVE\REGSHAVE.exe" [02-02-04 21:32 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-09-06 15:14 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 12:00 ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys
R0 pnp680;SiI 680 ATA Controller;C:\WINNT\system32\drivers\pnp680.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINNT\system32\drivers\cdrbsvsd.sys
R2 Dfs;Distributed File System;C:\WINNT\system32\Dfssvc.exe
R2 IAS;Internet Authentication Service;C:\WINNT\System32\svchost.exe -k netsvcs
S1 ctl_w32;ctl_w32;C:\WINNT\system32\drivers\ctl_w32.sys
S3 DHCPServer;DHCP Server;C:\WINNT\system32\tcpsvcs.exe
S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINNT\system32\DRIVERS\DLKRTS.SYS
S3 DNS;DNS Server;C:\WINNT\System32\dns.exe
S3 scsiscan;SCSI Scanner Driver;C:\WINNT\system32\DRIVERS\scsiscan.sys
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe
S4 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\Explorer.EXE [5.00.3700.6690]
-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upspvrsc.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 18:47:48
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 18:49:03 - machine was rebooted
.
--- E O F ---



-----------------------
Uninstall List
-----------------------

Access Client Package
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 8
Adobe Shockwave Player
BHA B's Recorder GOLD BASIC 7.13
Canon CanoScan Toolbox 4.9
Canon i250
Canon ScanGear Starter
FUJIFILM USB Driver
Google Earth
HijackThis 2.0.2
HP DeskScan II
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.2_05
Keynote Connector
Macromedia Flash Player 8
Manual CanoScan LiDE 60
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
MSN Messenger 7.0
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
RealPlayer
Security Update for Windows 2000 (KB904706)
Spybot - Search & Destroy 1.4
Turnpike Six
Update Rollup 1 for Windows 2000 SP4
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB899591
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908523
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip
ZoneAlarm

-------------------------
Hijack This Log
-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:46, on 08/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191968544618
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4153 bytes

#6 SNOWHITE


Posted 08 December 2007 - 08:40 PM

Hello Moonglum Clampflower,

Please follow the steps below exactly in the order they are written:

Step #1

Download this program:

suspicious files packer

Highlight the files listed below in bold, then right-click and select Copy.

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upspvrsc.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to Moonglum.cab

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29
and fill in the required fields, then Browse for this filename: Moonglum.cab
Click on the Send File button.

Thank you!

Step #2

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system\bewtnof.bak1
C:\WINNT\system\bewtnof.bak2
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upspvrsc.dll
C:\WINNT\Temp\startdrv.exe

Driver::
ctl_w32

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ctl_w32.sys]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


[Image: dragging the CFScript file onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step #3

Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Into the first empty edit box, under "Enter search strings ..." type or copy&paste this in the first line:

    upspvrsc

  • Then click on the second empty line right after the first one and paste this into it:

    ctl_w32

  • Leave the second edit box under "Enter string to exclude from results (optional)" empty
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
Step #4

While in normal mode, open the folder where you previously extracted SDFix and double click RunThis.bat to start the script.

  • Type 3 to Download/Run SAV32CLI from Sophos.
  • Follow the on screen prompts and extract the Sophos files to C:\SAV32CLI
  • When the main scanning screen is displayed type 6 to run a Full scan
  • SAV32CLI will start and scan the system for infected files
  • Please be patient as this scan may take some time
  • When the scan has finished post back the SophosReport.txt from the SDFix folder

-------------------------------------------------------------------------------------------

7026 - The following boot-start or system-start driver(s) failed to load: ctl_w32


That service is the bad one we want to remove: combofix deleted the file, but probably a registry leftover is still calling on that service, so you are getting the error. This will be resolved once we remove every leftover from it.

Also, did you still want the MAIN and EXTRA logs from the DSS run, or is that redundant now?


I will ask you to re-run dss later; let's first see the reports I asked from you.

I would like to know whether you have unhidden "SuperHidden" files on your computer. Please let me know if you are aware of this, so I can give you proper instructions about it.

Also, I don't see an antivirus program on your computer. I see you are using the Zone Alarm firewall, but that is not enough for protection of the computer. Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors:

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

In your next post please include the following reports:
  • ComboFix report
  • Registry Search report
  • The contents of SophosReport.txt
  • New HijackThis report
Let me know how things went.

Regards,
SNOWHITE

#7 Moonglum Clampflower

Moonglum Clampflower
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Location:Alpha Centauri
  • Local time:10:57 AM

Posted 09 December 2007 - 04:53 PM

Managed to do this. Uploaded file as requested. Logs are below. I understand about the Anti Virus software. Used to have Sophos Sweep when I worked for ITV as the license included home workers. Since I have left ITV, I have not been able to update and got slack. Thanks for the info on free AV tools. I will definitely subscribe to one of these.

Super Hidden files? No I have not touched anything like this.

Did you want me to run Hijackthis again?

Thanks

Moon.


----------------
ComboFix Report
----------------

ComboFix 07-12-08.1 - Administrator 09/12/2007 12:29:39.2 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.339 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upspvrsc.dll
C:\WINNT\system\bewtnof.bak1
C:\WINNT\system\bewtnof.bak2
C:\WINNT\Temp\startdrv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system\bewtnof.bak1
C:\WINNT\system\bewtnof.bak2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\ctl_w32


((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-08 18:33 . 07-12-08 18:33 <DIR> d-------- C:\Deckard
2007-12-08 11:04 . 07-12-08 11:04 <DIR> d-------- C:\WINNT\ERUNT
2007-12-07 18:50 . 07-12-07 18:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 20:45 . 07-12-04 22:37 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-12-04 20:45 . 07-12-04 20:45 30,590 --a------ C:\WINNT\system32\pavas.ico
2007-12-03 20:30 . 07-12-03 23:18 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-03 20:02 . 07-12-03 20:06 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-03 20:02 . 07-12-03 20:02 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-03 20:02 . 07-12-03 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-02 21:43 . 07-12-02 21:43 54,156 --ah----- C:\WINNT\QTFont.qfn
2007-12-02 21:43 . 07-12-02 21:43 1,409 --a------ C:\WINNT\QTFont.for
2007-12-02 21:28 . 07-12-09 00:55 1,107,830 ---h----- C:\WINNT\ShellIconCache
2007-11-22 19:56 . 07-11-22 19:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Keynote Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 12:34 28,598,919 ----a-w C:\WINNT\Internet Logs\tvDebug.zip
2007-12-05 11:48 --------- d---a-w C:\Program Files\Sophos SWEEP for NT
2007-12-04 22:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy II
2007-12-04 22:00 --------- d-----w C:\Program Files\MSN Messenger
2007-12-02 21:44 --------- d-----w C:\Program Files\QuickTime
2007-12-02 20:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-09 21:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2005-08-21 17:24 24,280 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-02-22 19:35 271 ---h--w C:\Program Files\desktop.ini
2005-02-22 19:35 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Sat 2007-12-08_18.48.05.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-08 11:20:03 199,380 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2007-12-09 11:41:00 199,382 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 15:40 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [03-06-20 12:00 C:\WINNT\system32\rundll32.exe]
"nwiz"="nwiz.exe" [02-03-09 10:53 C:\WINNT\system32\nwiz.exe]
"REGSHAVE"="C:\Progra~1\REGSHAVE\REGSHAVE.exe" [02-02-04 21:32 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-09-06 15:14 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 12:00 ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys
R0 pnp680;SiI 680 ATA Controller;C:\WINNT\system32\drivers\pnp680.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINNT\system32\drivers\cdrbsvsd.sys
R2 Dfs;Distributed File System;C:\WINNT\system32\Dfssvc.exe
R2 IAS;Internet Authentication Service;C:\WINNT\System32\svchost.exe -k netsvcs
S3 DHCPServer;DHCP Server;C:\WINNT\system32\tcpsvcs.exe
S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINNT\system32\DRIVERS\DLKRTS.SYS
S3 DNS;DNS Server;C:\WINNT\System32\dns.exe
S3 scsiscan;SCSI Scanner Driver;C:\WINNT\system32\DRIVERS\scsiscan.sys
S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe
S4 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\Explorer.EXE [5.00.3700.6690]
-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upspvrsc.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 12:35:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 12:37:19 - machine was rebooted
C:\ComboFix2.txt ... 07-12-08 18:49
.
--- E O F ---


----------------------
Registry Search Report
----------------------

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 09/12/2007 12:42:51 for strings:
; 'upspvrsc'
; 'ctl_w32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


---------------------
Sophos Report
---------------------


Sophos Anti-Virus
Version 3.93.0 [Win32/Intel]
Virus data version 3.93, May 2005
Includes detection for 104440 viruses, trojans and worms
Copyright © 1989-2005 Sophos Plc, www.sophos.com

System time 16:04:29, System date 09 December 2007
Command line qualifiers are: -f -remove -nc -nb --stop-scan

Useful life of Sophos Anti-Virus has been exceeded

IDE directory is: C:\SDFix\SDFix\IDE

Using IDE file access-a.ide
Using IDE file aelsms-a.ide
Using IDE file agen-gfg.ide
Using IDE file agen-gfn.ide
Using IDE file agen-gfo.ide
Using IDE file agen-gfq.ide
Using IDE file agen-ggh.ide
Using IDE file agen-ggp.ide
Using IDE file agen-ggs.ide
Using IDE file agen-ggu.ide
Using IDE file agen-ghm.ide
Using IDE file agen-ghn.ide
Using IDE file agen-ght.ide
Using IDE file agen-gia.ide
Using IDE file agen-gil.ide
Using IDE file ambler-a.ide
Using IDE file anti-c.ide
Using IDE file ardama-n.ide
Using IDE file autoru-q.ide
Using IDE file autoru-s.ide
Using IDE file autoru-t.ide
Using IDE file autoru-x.ide
Using IDE file autoru-y.ide
Using IDE file bagle-tc.ide
Using IDE file bagle-td.ide
Using IDE file banco-ak.ide
Using IDE file bank-ejr.ide
Using IDE file bank-ejw.ide
Using IDE file banlo-et.ide
Using IDE file bckd-qkk.ide
Using IDE file bifro-vd.ide
Using IDE file bkdoor-c.ide
Using IDE file bront-dp.ide
Using IDE file bront-dq.ide
Using IDE file bypa-gen.ide
Using IDE file cekar-e.ide
Using IDE file delf-eyx.ide
Using IDE file delf-ezc.ide
Using IDE file delf-ezi.ide
Using IDE file dloa-bfg.ide
Using IDE file dloa-bfz.ide
Using IDE file dload-aa.ide
Using IDE file dload-ab.ide
Using IDE file dload-y.ide
Using IDE file dload-z.ide
Using IDE file dorf-ag.ide
Using IDE file drclic-a.ide
Using IDE file dref-as.ide
Using IDE file dropp-sh.ide
Using IDE file dropp-si.ide
Using IDE file dropp-sm.ide
Using IDE file dropp-sr.ide
File drowor-a.ide not loaded (corrupt)
Using IDE file drpr-gen.ide
Using IDE file dwnl-gyv.ide
Using IDE file dwnl-gzh.ide
Using IDE file encpk-bs.ide
Using IDE file gmredi-a.ide
Using IDE file goopo-a.ide
Using IDE file horst-jq.ide
Using IDE file hupig-su.ide
Using IDE file hupig-sv.ide
Using IDE file ircbo-yz.ide
Using IDE file ircbo-za.ide
Using IDE file jadak-a.ide
Using IDE file jardo-a.ide
Using IDE file jetdro-a.ide
Using IDE file kaiten-w.ide
Using IDE file kango-d.ide
Using IDE file killa-ec.ide
Using IDE file killf-br.ide
Using IDE file lazdia-a.ide
File ldpin-rc.ide not loaded (corrupt)
Using IDE file legm-gen.ide
Using IDE file linea-co.ide
Using IDE file linea-cp.ide
File mabeza-a.ide not loaded (corrupt)
Using IDE file mabeza-b.ide
Using IDE file mailb-ci.ide
Using IDE file malas-a.ide
Using IDE file mdro-bpy.ide
Using IDE file medplg-a.ide
File modzon-a.ide not loaded (corrupt)
Using IDE file mypis-c.ide
Using IDE file nutpea-a.ide
Using IDE file nuwar-d.ide
Using IDE file online-z.ide
Using IDE file pdrop-b.ide
Using IDE file poebo-na.ide
Using IDE file poisni-a.ide
Using IDE file poison-n.ide
Using IDE file ppntdr-a.ide
Using IDE file psyme-fs.ide
Using IDE file psyme-fu.ide
Using IDE file psyme-fx.ide
Using IDE file qqpa-apc.ide
Using IDE file rbot-gvc.ide
Using IDE file rbot-gvk.ide
Using IDE file rbot-gvl.ide
Using IDE file rbot-gvm.ide
Using IDE file renos-al.ide
Using IDE file renos-am.ide
Using IDE file renos-an.ide
Using IDE file root-gen.ide
Using IDE file rstdoo-b.ide
Using IDE file scatch-a.ide
Using IDE file sdbo-dip.ide
Using IDE file sdbo-dis.ide
File sdbo-dit.ide not loaded (corrupt)
Using IDE file sdbo-diu.ide
Using IDE file sdbo-djc.ide
Using IDE file sdbo-dje.ide
Using IDE file silly-bk.ide
Using IDE file silly-bl.ide
Using IDE file silly-bp.ide
Using IDE file sillyp-a.ide
Using IDE file smit-a.ide
Using IDE file sohan-ap.ide
File sonebo-c.ide not loaded (corrupt)
Using IDE file spy-ad.ide
Using IDE file spybo-oe.ide
Using IDE file startp-w.ide
Using IDE file stradr-a.ide
Using IDE file strat-g.ide
Using IDE file tagbot-a.ide
Using IDE file tdibd-c.ide
Using IDE file tibs-tm.ide
Using IDE file torpi-by.ide
Using IDE file trats-a.ide
Using IDE file unubot-a.ide
Using IDE file unubot-b.ide
Using IDE file vb-dxr.ide
Using IDE file vbdrop-d.ide
Using IDE file virut-w.ide
Using IDE file votera-a.ide
Using IDE file wazner-a.ide
Using IDE file wiepaz-a.ide
Using IDE file wixud-b.ide
Using IDE file zlob-afw.ide
Using IDE file zlob-agb.ide
Using IDE file zlob-agj.ide
Using IDE file zlob-ago.ide
Using IDE file zlob-fam.ide

Full Scanning

>>> Virus fragment 'W95/Sledge-A' found in file C:\WINNT\system32\ActiveScan\pskavs.dll
Removal successful
Could not check E:\Mirror Copy 07-Aug-2005\www\paganfed.com\content\conferenceflyer.doc (corrupt)
Could not check E:\Mirror Copy 07-Aug-2005\www\pflondon.myby.co.uk\content\flyer-pf Beltane 2005.doc (corrupt)
Could not check E:\Mirror Copy 07-Aug-2005\www\pflondon.myby.co.uk\content\flyer-pf imbolc.doc (virus scan failed)
Could not check E:\Mirror Copy 07-Aug-2005\www\pflondon.myby.co.uk\content\flyer-pf spring eqx.doc (corrupt)
Could not check E:\Mirror Copy 14-Aug-2005\www\paganfed.com\content\conferenceflyer.doc (corrupt)
Could not check E:\Mirror Copy 14-Aug-2005\www\pflondon.myby.co.uk\content\flyer-pf Beltane 2005.doc (corrupt)
Could not check E:\Mirror Copy 14-Aug-2005\www\pflondon.myby.co.uk\content\flyer-pf imbolc.doc (virus scan failed)
Could not check E:\Mirror Copy 14-Aug-2005\www\pflondon.myby.co.uk\content\flyer-pf spring eqx.doc (corrupt)
Could not check E:\Mirror Copy 23-July-2005\www\paganfed.com\content\conferenceflyer.doc (corrupt)
Could not check E:\Mirror Copy 29-May-2005\www\paganfed.com\content\conferenceflyer.doc (corrupt)
Could not check E:\Mirror Copy 31-July-2005\www\paganfed.com\content\conferenceflyer.doc (corrupt)
Could not check E:\Mirror Copy 31-July-2005\www\pflondon.myby.co.uk\content\day course.doc (corrupt)
Could not check E:\Mirror Copy 31-July-2005\www\pflondon.myby.co.uk\content\flyer-pf Beltane 2005.doc (corrupt)
Could not check E:\Mirror Copy 31-July-2005\www\pflondon.myby.co.uk\content\flyer-pf imbolc.doc (virus scan failed)
Could not check E:\Mirror Copy 31-July-2005\www\pflondon.myby.co.uk\content\flyer-pf spring eqx.doc (corrupt)
Could not check E:\Mirror Copy 31-July-2005\www\pflondon.myby.co.uk\content\sortflyer.doc (virus scan failed)
Could not check E:\Mirror Copy 31-July-2005\www\pflondon.myby.co.uk\content\summer course.doc (corrupt)

3 boot sectors swept.
118780 files swept in 3 hours, 36 minutes and 48 seconds.
17 errors were encountered.
1 virus was discovered.
1 file out of 118780 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:57 PM

Posted 10 December 2007 - 10:23 PM

Hello Moonglum Clampflower,

Thanks for the info on free AV tools. I will definitely subscribe to one of these.


You are welcome :thumbsup: Please download one of the antivirus programs and install it. Then run HijackThis and post the new report back here.

Scroll down to this post, you will see attached file "fixme.reg", download this to your desktop.

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Also follow these steps:

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Post back with AVG Anti-Spyware report and new HijackThis log.

Regards,

Attached Files


SNOWHITE

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:57 PM

Posted 15 December 2007 - 08:42 PM

Hello Moonglum Clampflower, how are the things going? Do you still need help?
SNOWHITE

#10 Moonglum Clampflower

Moonglum Clampflower
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Location:Alpha Centauri
  • Local time:10:57 AM

Posted 16 December 2007 - 04:24 PM

Alas, none of the free AV tools you have recommended work because I have Windows Server 2000. :thumbsup: Ran Hijack This anyway. Didn't get an AVG report. Did not allow save of report. I did something wrong. Not sure what tho. Have attached a piccy instead. :blink:

Cheers

Moon.


------------
Hijack this
------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:28:35, on 16/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191968544618
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4349 bytes




-----------------------
Fixme.reg completed ok.
-----------------------


----------
AVG Report
----------
<See attached Pic>


-----------------
Hijack this again
-----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:23, on 16/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\rsvp.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191968544618
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4310 bytes

Attached Files
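The two HijackThis logs in this post differ only by the AVG Anti-Spyware process and its service entry. As an added example (not part of the thread and not a BleepingComputer or HijackThis tool), this Python script parses such logs and reports the processes and R/O entries added or removed between a baseline and a later scan, plus the entries a helper would ask about anyway; the sample logs are constructed, shortened versions of the two above.

```python
"""Diff two HijackThis v2 logs and report what changed between scans.

Added example for this thread, not a BleepingComputer or HijackThis tool.
"""
import re

# Constructed, shortened samples modelled on the two logs in the post above.
BASELINE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:28:35, on 16/12/2007

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

End of file - 4349 bytes
"""

LATER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:23, on 16/12/2007

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

End of file - 4310 bytes
"""

SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Sections worth a second look even when unchanged: the thread asks to fix the
# O6 entry, and O17 decides which DNS server every lookup goes to.
REVIEW_SECTIONS = {
    "O6": "IE restrictions policy: legitimate only if you set it yourself",
    "O17": "DNS NameServer override: confirm the address is one you expect",
}

def parse_hjt(text):
    """Return (processes, entries): lower-cased running-process paths (the log
    mixes System32/system32) and a dict of section line -> section id."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line closes the process block
                in_processes = False
            else:
                processes.add(line.lower())
            continue
        match = SECTION_RE.match(line)
        if match:
            entries[match.group(2)] = match.group(1)
    return processes, entries

def diff_hjt(baseline_text, later_text):
    """Compare two logs; each list holds full lines, sorted for stable output."""
    base_procs, base_entries = parse_hjt(baseline_text)
    new_procs, new_entries = parse_hjt(later_text)

    def fmt(entries, keys):
        return sorted(f"{entries[k]} - {k}" for k in keys)

    return {
        "processes_started": sorted(new_procs - base_procs),
        "processes_gone": sorted(base_procs - new_procs),
        "entries_added": fmt(new_entries, new_entries.keys() - base_entries.keys()),
        "entries_removed": fmt(base_entries, base_entries.keys() - new_entries.keys()),
    }

def review_candidates(entries):
    """Entries in REVIEW_SECTIONS, each paired with the reason to check it."""
    return sorted((f"{s} - {t}", REVIEW_SECTIONS[s])
                  for t, s in entries.items() if s in REVIEW_SECTIONS)

if __name__ == "__main__":
    for heading, lines in diff_hjt(BASELINE, LATER).items():
        print(heading, *lines, sep="\n    ")
    for line, reason in review_candidates(parse_hjt(LATER)[1]):
        print("review:", line, "<-", reason)
```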



#11 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:57 PM

Posted 18 December 2007 - 11:39 PM

Hello,

Alas, none of the free AV tools you have recommended work because I have Windows Server 2000. :thumbsup: Ran Hijack This anyway. Didn't get an AVG report. Did not allow save of report. I did something wrong. Not sure what tho. Have attached a piccy instead. :blink:


I was trying to find a free antivirus that would work on Windows Server 2000, but I didn't have much luck finding one. Unfortunately, without an antivirus program your computer can get re-infected very easily. You should try downloading a trial version, for example Antivir, at least until you find another solution, for example paying for an antivirus. As for the AVG report, no, I don't think you did something wrong. For some odd reason AVG doesn't let you save the report sometimes.

If you haven't set these restrictions yourself, re-open HijackThis and put a check mark next to:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Make sure all other windows are closed except HijackThis and press Fix checked button.

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file, write a name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Post back with Kaspersky report and new HijackThis log.

Regards,
SNOWHITE

#12 Moonglum Clampflower

Moonglum Clampflower
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Location:Alpha Centauri
  • Local time:10:57 AM

Posted 22 December 2007 - 11:45 AM

At 21 hours, that must have been some in-depth scan :thumbsup: . Results posted below followed by HijackThis log.

Thanks

Moon.


-------------------
Kaspersky's Log
-------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 22, 2007 4:36:36 PM
Operating System: Microsoft Windows 2000 Server, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/12/2007
Kaspersky Anti-Virus database records: 491259
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 373346
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 21:24:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007122120071222\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\qoobox\Quarantine\C\WINNT\system32\update243.exe.vir Infected: Trojan.Win32.Qhost.it skipped
C:\qoobox\Quarantine\catchme2007-12-08_184730.92.zip/ctl_w32.sys Infected: Rootkit.Win32.Agent.pq skipped
C:\qoobox\Quarantine\catchme2007-12-08_184730.92.zip ZIP: infected - 1 skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\FRANK.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\DnsEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\DTCLog\MSDTC.LOG Object is locked skipped
C:\WINNT\system32\ias\dnary.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.mdb Object is locked skipped
C:\WINNT\Temp\JETCA0C.tmp Object is locked skipped
C:\WINNT\Temp\JETE0BC.tmp Object is locked skipped
C:\WINNT\Temp\ZLT0201d.TMP Object is locked skipped
C:\WINNT\Temp\ZLT02026.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


----------------
Hijackthis Log
----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:23, on 22/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191968544618
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4312 bytes
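
The HijackThis log above is a fixed-format text file, which makes it easy to triage automatically before a human reads it. The following Python script is an added example, not part of this thread and not HijackThis code: it parses the `R`/`O` entry lines and applies three simple checks (autostart entries launched from temporary directories, ActiveX download hosts outside a trusted list, and DNS servers that are neither loopback nor RFC 1918). `SAMPLE_LOG` is a constructed excerpt of the posted log plus two constructed lines (the `[winupd]` O4 entry and the `203.0.113.5` O17 entry) that exist only to exercise the checks; the trusted-host list and the suspect-directory list are assumptions for illustration. Loopback is treated as expected here because the Kaspersky report shows a `DnsEvent.Evt` log, i.e. this Windows 2000 Server appears to run its own DNS service, which is consistent with the real `O17 NameServer = 127.0.0.1` line.

```python
"""Triage a HijackThis 2.x log with a few simple checks.

Added example; not part of the original thread and not HijackThis code.
SAMPLE_LOG is a constructed excerpt of the log posted above plus two
constructed lines that exercise the checks (see comment below).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample. Lines taken from the posted log, except the
# "[winupd]" O4 line and the "203.0.113.5" O17 line, which are invented
# here purely so the checks have something to flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [winupd] C:\Documents and Settings\Administrator\Local Settings\Temp\winupd.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D1C8BA-7D48-46AF-9106-EE8F3098552F}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5,127.0.0.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) for every 'Rn - ...' / 'Onn - ...' entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


# Assumed allow-list of ActiveX (O16) download hosts the owner trusts.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "kaspersky.com", "pandasoftware.com")


def host_trusted(url):
    """True if the URL's host is one of, or a subdomain of, the trusted suffixes."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


# Resolver addresses treated as expected: loopback (this server runs DNS) and RFC 1918.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def external_nameservers(body):
    """O17 body ends in 'NameServer = a.b.c.d[,e.f.g.h]'; return the non-local ones."""
    _, _, servers = body.partition("NameServer =")
    flagged = []
    for s in (x.strip() for x in servers.split(",")):
        if not s:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)          # not an IP literal: worth a look
            continue
        if not any(ip in net for net in LOCAL_NETS):
            flagged.append(s)
    return flagged


# Autostart locations that legitimate software almost never runs from.
SUSPECT_RUN_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


def triage(text):
    """Return (section, reason, original_body) for each entry that trips a check."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O4":
            command = body.split("]", 1)[-1].lower()      # text after '[name]'
            if any(d in command for d in SUSPECT_RUN_DIRS):
                findings.append((section, "autostart from a temporary directory", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]               # 'DPF: {CLSID} (Name) - URL'
            if not host_trusted(url):
                findings.append((section, "ActiveX download host not on allow-list", body))
        elif section == "O17":
            bad = external_nameservers(body)
            if bad:
                findings.append((section, "external DNS server(s): " + ", ".join(bad), body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run against the constructed sample, the script flags only the two invented lines and the shockwave.com ActiveX loader (a host not on the allow-list, so "review", not "malicious"); the genuine entries from the posted log pass. The checks are deliberately conservative: an O17 entry pointing at an unexpected external resolver is the classic DNS-hijack indicator, while O4 entries that launch from a Temp directory are the most common dropper persistence pattern of this era.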

#13 SNOWHITE
    missy malware magnet
  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 23 December 2007 - 02:40 PM

Hello Moonglum Clampflower,

At 21 hours, that must have been some in depth scan :blink: . Results posted below followed by Hijackthis log.

Thanks


21 hours :thumbsup: that's quite long.


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
Next, double-click OTMoveIt and you should see a CleanUp! button; press that button. You may get a prompt from your firewall that OTMoveIt is trying to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes.

NOTE: This will remove some of the tools we used so far, including OTMoveIt.

How is the computer running?

Regards,
SNOWHITE

#14 Moonglum Clampflower
  • Topic Starter
  • Members
  • 31 posts
  • Location:Alpha Centauri

Posted 24 December 2007 - 06:47 AM

Computer is really motoring now (as much as a PII 450 can be said to motor) :wacko: . I'm getting a couple of service failures, which seem to be pointing towards the firewall. It needs an update, so I will uninstall and install latest from scratch.

Long scan times prolly to do with large disks and multiple copies of data as backups. :blink:

Many thanks for your help.

Cheers :thumbsup:

Moon.

#15 SNOWHITE
    missy malware magnet
  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 24 December 2007 - 03:49 PM

Hello Moonglum Clampflower :blink:

Just want to let you know that the latest version of ZoneAlarm includes ZoneAlarm Spy Blocker, which is not recommended because it uses the AskJeeves Ask.com search engine. You can read more at the following links:
http://www.benedelman.org/spyware/installa...kjeeves-banner/
http://sunbeltblog.blogspot.com/2007/12/an...uccumbs-to.html

Anyway, you can uninstall ZoneAlarm Spy Blocker from Add/Remove Programs and use the firewall without it.

You should consider purchasing a license for antivirus software because, the way it is, your computer is not protected and you risk getting reinfected.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

    Java 2 Runtime Environment, SE v1.4.2_05

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
You should also uninstall Spybot - Search & Destroy 1.4, because it is outdated. You can download the latest version, Spybot - Search & Destroy 1.5.1, HERE.


Please take time to read my prevention speech.

I will keep your thread open for a couple of days; if the malware problem reappears, feel free to post here. Please take time to read my recommendations below, and also follow steps 1 - 6.

Should you have any questions, please feel free to ask. ;)
1. Click Start, then Run, type prefetch and press Enter. Click Edit, then Select All (all files will highlight), right-click any file, click Delete, and confirm.

2. Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, click the "Delete Files" button
  • When prompted, place a check in "Delete all offline content" and click OK

3. Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window.
    Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.

4. Clean other temporary files + Recycle Bin:
  • Go to Start > Run, type cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

5. DISABLE THE VIEWING OF SYSTEM FILES
  From Windows Explorer, go to Tools > Folder Options > View tab.
  • Untick - Show hidden files and folders
  • Tick - Hide file extensions for known types
  • Tick - Hide protected operating system files
  Click Yes to confirm and then click OK.

6. SECURING INTERNET EXPLORER
  From within Internet Explorer, click on the Tools menu and then click on Internet Options.
  • Select the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level.
  • Change 'Download signed ActiveX controls' to Prompt
  • Change 'Download unsigned ActiveX controls' to Disable
  • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
  • Change 'Installation of desktop items' to Prompt
  • Change 'Launching programs and files in an IFRAME' to Prompt
  • Change 'Navigate sub-frames across different domains' to Prompt
  • When all these changes have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Secunia Software Inspector
Check for other vulnerable programs running on your PC that are in need of an update.
http://secunia.com/software_inspector

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY the moment it activates, without giving it the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html

A-SQUARED Anti-Dialer
This is a free program that provides defense against dialers, scans the hard disk and provides a permanent background guard against new dialer infections.

"Dialers are small programs that change the Internet access number of a modem-equipped computer to a much more expensive number"

To understand this threat better read this article The Dialer-Problem in Detail. a-squared Anti-Dialer can be downloaded at the following link:
http://download5.emsisoft.com/a2AntiDialerSetup.exe

A-SQUARED Free
This program is completely free of charge for private use; it removes infections by Trojans, Spyware, Adware, Worms, Keyloggers, Rootkits, Dialers and other malicious programs. It can be downloaded at the following link:
http://www.emsisoft.com/en/software/free

SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure or best browser. There are safer and better alternatives available. I recommend Firefox and Opera.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted, where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :thumbsup:


Best regards,
SNOWHITE
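
Step 6 of the recommendations above changes six settings in the Internet zone through the IE dialog. The same settings live in the registry under the per-user Internet zone key, so they can be audited and applied without clicking through the UI, which matters when you have more than one machine to harden. The Python below is an added example, not part of the original post: it encodes the six recommended values, emits a `.reg` file that applies them, and reports which of a set of current values are more permissive than recommended. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding follow Microsoft's documented zone registry layout, with zone 3 being the Internet zone; `SAMPLE_CURRENT` is a constructed set of values, not this machine's settings.

```python
"""The six Internet-zone settings from step 6, as registry values.

Added example, not from the original post. Value names and the encoding
(0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documented zone
registry entries; zone 3 is the Internet zone. SAMPLE_CURRENT is a
constructed set of current values, not read from the thread's machine.
"""

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3          # numeric order matches strictness order
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> (dialog label, value the post recommends)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def weaker_than_recommended(current):
    """Compare {value_name: dword} read from ZONE_KEY against RECOMMENDED.

    Returns (value_name, label, current_state, wanted_state) for every setting
    that is missing or more permissive than recommended.
    """
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name)
        if have is None:
            findings.append((name, label, "not set", LABEL[want]))
        elif have < want:                   # Enable < Prompt < Disable
            findings.append((name, label, LABEL.get(have, str(have)), LABEL[want]))
    return findings


def reg_file(settings=RECOMMENDED):
    """Render a .reg file that applies the given settings to the Internet zone."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, (label, value) in settings.items():
        lines.append(f"; {label} -> {LABEL[value]}")   # ';' starts a .reg comment
        lines.append(f'"{name}"=dword:{value:08x}')
    return "\n".join(lines) + "\n"


# Constructed example of a loosely configured zone (not this machine's values).
SAMPLE_CURRENT = {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE,
                  "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}


if __name__ == "__main__":
    for name, label, have, want in weaker_than_recommended(SAMPLE_CURRENT):
        print(f"{name} {label}: {have} -> should be {want}")
    print(reg_file())
```

On the constructed sample the audit reports four settings (1001, 1004, 1804, 1607) as weaker than recommended and accepts the other two. To read real values on a Windows host, pull the DWORDs from `ZONE_KEY` with `winreg` and pass them as the `current` dict; to apply the recommendations, save `reg_file()` to disk (Regedit's Version 5.00 format is nominally UTF-16 LE, so write it with `encoding="utf-16"`) and import it with regedit, which is exactly what the Custom Level dialog writes for the current user.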



