
Infected With ( Rond.starsdoor.com ) Pop Up. Help With Removal Please.


13 replies to this topic

#1 rfS


Posted 12 February 2008 - 07:57 PM

Hello all!

I'm new to the forums, and I've come here because I am infected with the lovely rond.starsdoor.com pop up. I know a few people have had it but I heard that every spyware depends on the system too so here I am posting for help along with my HiJackThis log. It is extremely annoying and I've used my virus scanner (Avast) to try and get rid of it, along with several spyware programs (Spy Sweeper, Spyware Doctor, Ad-Aware) with no success. Any help is greatly appreciated. Also for some reason whenever I am using my browser the active page acts as if I click on something other than the current browser (isn't highlighted anymore) so that say like now when I'm typing this, my words stop typing because this page becomes unselected. Very annoying.

******************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:44 PM, on 2/10/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\BitComet\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {37E499A4-70FC-4894-BD30-A7E7B3592323} - C:\Program Files\ComPlus Applications\lamoq89104.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\khfdcbb.dll (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Drmupgds] "C:\Program Files\Drmupgds\Drmupgds.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187505187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187497296
O20 - Winlogon Notify: khfdcbb - khfdcbb.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7479 bytes

************************************************************************

Thank you,
~Dave


#2 Yourhighness

  • Malware Response Team

Posted 22 February 2008 - 12:08 AM

Hello rfS and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

Edited by Yourhighness, 22 February 2008 - 12:09 AM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 rfS


Posted 23 February 2008 - 04:38 PM

Hello, I believe one of the spyware programs I used solved the problem but now I have others. I keep getting a reditty pop up window and in the address bar for websites IPs always come up after I enter a website and will sometimes go to odd sites like upspiral etc. Here's my log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36, on 2008-02-23
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kmd.exe
C:\ComboFix\nircmd.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {0cb9d7e0-6ed5-02cb-6fb4-19183470c940} - {049c0743-8191-4bf6-bc20-5de60e7d9bc0} - C:\WINDOWS\system32\spkjhmdn.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\khfdcbb.dll (file missing)
O2 - BHO: (no name) - {FAF5D9B5-CC9F-4773-874C-781AED09D85A} - C:\WINDOWS\system32\vtutr.dll (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [BM7bff6967] Rundll32.exe "C:\WINDOWS\system32\eoiafnhw.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187505187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187497296
O20 - Winlogon Notify: khfdcbb - khfdcbb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7866 bytes

#4 Yourhighness

  • Malware Response Team

Posted 24 February 2008 - 02:52 AM

Hey rfS,

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Your logs show that you have used ComboFix prior to getting help here. This is not suggested. ComboFix is a powerful tool and can do much harm to your pc if not used in a guided environment!

Step #1

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:

If you want to have a look at the user manuals for the above suggested programs, have a look at the following:

If you do decide to install a third party firewall, make sure that the Windows firewall is not running and if it is, deactivate it. A tutorial on how to do it can be found here.

Step #2

Please post the contents of this log: C:\Qoobox\ComboFix-quarantined-files.txt

Step #3

Run HijackThis, press Scan, and put a check mark next to all these entries:

O2 - BHO: {0cb9d7e0-6ed5-02cb-6fb4-19183470c940} - {049c0743-8191-4bf6-bc20-5de60e7d9bc0} - C:\WINDOWS\system32\spkjhmdn.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\khfdcbb.dll (file missing)
O2 - BHO: (no name) - {FAF5D9B5-CC9F-4773-874C-781AED09D85A} - C:\WINDOWS\system32\vtutr.dll (file missing)
O4 - HKLM\..\Run: [BM7bff6967] Rundll32.exe "C:\WINDOWS\system32\eoiafnhw.dll",s
O20 - Winlogon Notify: khfdcbb - khfdcbb.dll (file missing)


Close all other windows and browsers, and press the Fix Checked button.

Step #4

If you have not done already, please delete the old version of ComboFix.

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #5

Please post back with:
  • C:\Qoobox\ComboFix-quarantined-files.txt
  • A fresh HijackThis log
  • The new ComboFix log
Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
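The entries the helper picked out in Step #3 follow a recognisable pattern: registry references whose file is already gone, unnamed BHOs loaded from system32, and a Rundll32 autorun pointing at a DLL in system32. The script below is an added example (not part of this thread or of HijackThis) that parses the HijackThis entry format and applies those heuristics to a constructed sample taken from the log in post #3; the rules are my own assumptions that mirror the helper's selection, so treat the output as a triage hint for expert review, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis lines quoted in post #3.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: {0cb9d7e0-6ed5-02cb-6fb4-19183470c940} - {049c0743-8191-4bf6-bc20-5de60e7d9bc0} - C:\WINDOWS\system32\spkjhmdn.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM7bff6967] Rundll32.exe "C:\WINDOWS\system32\eoiafnhw.dll",s
O20 - Winlogon Notify: khfdcbb - khfdcbb.dll (file missing)
"""

# HijackThis entry lines start with a section code (R0, R1, O2, O4, O20, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# A BHO "name" that is itself a CLSID is a sign the COM object registered no friendly name.
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for every entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def triage(log_text):
    """Apply the heuristics (assumed here, mirroring the helper's Step #3 picks) and return findings."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        lower = body.lower()
        # Rule 1: the registry still references a file that no longer exists (left over from a removal).
        if lower.endswith("(file missing)") or lower.endswith("(no file)"):
            findings.append(Finding(section, raw, "orphaned entry: referenced file is missing"))
            continue
        if section == "O2":
            # O2 layout: "BHO: <name> - {CLSID} - <path>"
            parts = body[len("BHO: "):].split(" - ", 2)
            if len(parts) == 3:
                name, _clsid, path = parts
                nameless = name == "(no name)" or CLSID_RE.match(name) is not None
                # Rule 2: legitimate BHOs normally carry a vendor name and live under Program Files.
                if nameless and SYSTEM_DIR_RE.search(path):
                    findings.append(Finding(section, raw, "unnamed BHO loaded from system32"))
        elif section == "O4":
            # Rule 3: an autorun that uses Rundll32 to load a DLL out of system32 deserves a second look.
            if "rundll32" in lower and SYSTEM_DIR_RE.search(body):
                findings.append(Finding(section, raw, "Rundll32 autorun loading a DLL from system32"))
        elif section == "O20":
            # O20 layout: "Winlogon Notify: <key> - <dll>"; a bare DLL name (no path) is unusual.
            dll = body.split(" - ", 1)[-1]
            if "\\" not in dll:
                findings.append(Finding(section, raw, "Winlogon Notify DLL given without a full path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```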


#5 rfS


Posted 24 February 2008 - 05:17 PM

Step 1: Downloaded Sygate

Step 2:

2007-11-06 10:46 184832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe.vir
2008-02-09 17:13 253535 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qqtss.ini2.vir
2008-02-13 10:14 4232 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-02-13 10:14 4646 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-02-17 06:17 50176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b153.exe.vir
2008-02-20 10:02 101376 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b152.exe.vir
2008-02-22 00:05 37376 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnomkl.dll.vir
2008-02-22 00:09 91712 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mwehrpgu.dll.vir
2008-02-22 00:12 91712 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eoiafnhw.dll.vir
2008-02-22 00:15 93760 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\spkjhmdn.dll.vir
2008-02-22 00:18 88128 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lgggdepi.dll.vir
2008-02-22 21:00 1253954 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ipedgggl.ini.vir
2008-02-23 00:15 182587 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtutv.ini2.vir

Step 3: Completed

Step 4: Completed

Step 5:

2007-11-06 10:46 184832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe.vir
2008-02-09 17:13 253535 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qqtss.ini2.vir
2008-02-13 10:14 4232 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-02-13 10:14 4646 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-02-17 06:17 50176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b153.exe.vir
2008-02-20 10:02 101376 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b152.exe.vir
2008-02-22 00:05 37376 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnomkl.dll.vir
2008-02-22 00:09 91712 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mwehrpgu.dll.vir
2008-02-22 00:12 91712 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eoiafnhw.dll.vir
2008-02-22 00:15 93760 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\spkjhmdn.dll.vir
2008-02-22 00:18 88128 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lgggdepi.dll.vir
2008-02-22 21:00 1253954 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ipedgggl.ini.vir
2008-02-23 00:15 182587 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtutv.ini2.vir

__________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:51 PM, on 2/25/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {049c0743-8191-4bf6-bc20-5de60e7d9bc0} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - (no file)
O2 - BHO: (no name) - {FAF5D9B5-CC9F-4773-874C-781AED09D85A} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187505187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187497296
O20 - Winlogon Notify: khfdcbb - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7659 bytes

_________________________________________________________________________________________________________________

ComboFix 08-02-25 - Dave 2008-02-25 17:08:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.620 [GMT -5:00]
Running from: F:\Program Files\BitComet\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 07:36 . 2008-02-24 07:36 <DIR> d-------- C:\Program Files\Sygate
2008-02-24 07:36 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-24 07:36 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-02-24 07:36 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-02-22 00:09 . 2008-02-25 16:42 70,820 --a------ C:\WINDOWS\BM7bff6967.xml
2008-02-22 00:09 . 2008-02-25 16:42 21 --a------ C:\WINDOWS\pskt.ini
2008-02-21 09:20 . 2008-02-21 09:20 <DIR> d--hs---- C:\found.000
2008-02-15 22:30 . 2008-02-15 22:30 <DIR> d-------- C:\Program Files\Red Kawa
2008-02-13 17:09 . 2008-02-13 17:09 82 --a------ C:\WINDOWS\wininit.ini
2008-02-13 00:22 . 2008-02-13 00:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-13 00:22 . 2008-02-13 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 22:13 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-12 22:13 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-12 21:12 . 2008-02-12 21:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 21:12 . 2008-02-12 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 15:59 . 2008-02-10 15:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 17:20 . 2008-02-23 00:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 17:04 . 2006-08-24 11:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-02-09 17:04 . 2006-07-10 16:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-02-09 17:03 . 2008-02-22 23:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-09 17:03 . 2008-02-09 17:03 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\PC Tools
2008-02-09 17:01 . 2008-02-22 23:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 17:01 . 2008-02-22 23:58 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Lavasoft
2008-02-09 05:20 . 2008-02-09 05:20 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-02-09 05:19 . 2008-02-09 05:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Line 6
2008-02-09 04:32 . 2007-09-17 14:25 514,432 --a------ C:\WINDOWS\system32\drivers\L6PODLV.sys
2008-02-09 04:32 . 2007-09-17 14:22 118,784 --a------ C:\WINDOWS\system32\l6podlv.dll
2008-02-09 04:30 . 2008-02-09 05:19 <DIR> d-------- C:\Program Files\Line6
2008-02-09 04:30 . 2008-02-09 05:19 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Line 6
2008-02-09 02:53 . 2008-02-09 02:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Program Files\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-09 02:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-09 02:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-09 02:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-09 02:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-09 02:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-09 02:25 . 2008-02-09 02:25 <DIR> d-------- C:\WINDOWS\system32\ver2
2008-02-09 02:25 . 2008-02-09 02:25 <DIR> d-------- C:\WINDOWS\system32\jap8
2008-02-09 02:25 . 2008-02-23 03:09 <DIR> d-------- C:\WINDOWS\system32\hlp6
2008-02-09 02:25 . 2008-02-23 00:09 <DIR> d-------- C:\Temp
2008-02-09 02:11 . 2008-02-09 02:11 <DIR> d-------- C:\Program Files\PCPitstop
2008-02-08 13:19 . 2008-02-08 13:19 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-07 20:22 . 2008-02-07 20:22 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-02-07 20:21 . 2002-07-07 17:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-02-07 20:20 . 2008-02-07 20:22 <DIR> d-------- C:\Program Files\Image-Line
2008-02-07 12:06 . 2008-02-21 23:57 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Program Files\iTunes
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Program Files\iPod
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Apple Computer
2008-02-07 12:01 . 2008-02-25 16:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 12:01 . 2008-02-07 12:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 12:00 . 2008-02-07 12:00 <DIR> d-------- C:\Program Files\QuickTime
2008-02-07 12:00 . 2008-02-07 12:00 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-07 12:00 . 2008-02-07 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-07 12:00 . 2008-02-07 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-07 11:42 . 2008-02-07 11:42 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\iLike
2008-02-06 21:32 . 2008-02-06 21:32 18,640 --a------ C:\Documents and Settings\Dave\Application Data\GDIPFONTCACHEV1.DAT
2008-02-06 21:31 . 2007-11-30 17:31 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-06 19:09 . 2008-02-06 19:09 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-06 19:08 . 2008-02-06 19:09 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-05 18:49 . 2008-02-23 00:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-05 18:49 . 2000-02-21 19:35 <DIR> d-------- C:\Documents and Settings\Dave\Contacts
2008-02-05 18:45 . 2008-02-05 18:49 <DIR> d-------- C:\Program Files\Windows Live
2008-02-05 18:45 . 2008-02-05 18:46 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-05 18:45 . 2008-02-05 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-05 06:50 . 2008-02-11 22:13 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-05 06:08 . 2004-08-18 03:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-05 06:05 . 2008-02-05 06:05 <DIR> d-------- C:\WINDOWS\nview
2008-02-05 05:37 . 2008-02-05 05:37 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Cakewalk
2008-02-05 05:33 . 2008-02-05 05:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-05 05:33 . 2008-02-05 05:33 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-02-05 05:33 . 2008-02-05 05:33 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Leadertech
2008-02-05 05:30 . 2008-02-05 05:30 <DIR> d-------- C:\Program Files\Seagate
2008-02-05 05:30 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-02-05 05:29 . 2008-02-05 05:36 <DIR> d-------- C:\Program Files\Cakewalk
2008-02-05 05:29 . 2008-02-05 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cakewalk
2008-02-05 05:29 . 2006-02-24 10:00 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2008-02-05 05:29 . 2006-02-24 10:00 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-02-05 05:29 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-02-05 05:29 . 2006-02-24 10:00 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-02-05 05:24 . 2008-02-05 05:24 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-05 05:21 . 2008-02-05 05:21 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-05 05:20 . 2008-02-05 20:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-05 05:20 . 2000-02-21 18:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-05 05:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-05 05:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-05 05:14 . 2008-02-05 05:17 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-02-05 05:06 . 2008-02-05 05:06 <DIR> d-------- C:\WINDOWS\EHome
2008-02-05 05:03 . 2008-02-05 05:03 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-02-05 05:03 . 2008-02-05 05:03 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2008-02-05 02:23 . 2008-02-06 19:10 478 --a------ C:\WINDOWS\ODBC.INI
2008-02-05 02:22 . 2008-02-05 02:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-05 02:20 . 2008-02-05 02:20 664,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 00:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:58 --------- d-----w C:\Program Files\Creative
2008-02-05 00:57 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-05 00:57 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-05 00:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-05 00:57 --------- d-----w C:\Documents and Settings\Dave\Application Data\Creative
2008-02-05 00:47 --------- d-----w C:\Program Files\Intel
2008-02-05 00:27 558,142 ----a-w C:\WINDOWS\java\Packages\GYHZFXB9.ZIP
2008-02-05 00:27 155,995 ----a-w C:\WINDOWS\java\Packages\OEPJD7NF.ZIP
2008-02-05 00:27 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-01 05:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2007-12-01 05:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2007-12-01 05:25 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2007-12-01 05:24 76,288 ----a-w C:\WINDOWS\system32\uniime.dll
2007-12-01 05:24 756,224 ----a-w C:\WINDOWS\system32\winntbbu.dll
2007-12-01 05:24 706,048 ----a-w C:\WINDOWS\system32\ntdll.dll
2007-12-01 05:24 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2007-12-01 05:23 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2007-12-01 05:23 101,888 ----a-w C:\WINDOWS\system32\dpcdll.dll
2007-12-01 05:21 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2007-12-01 05:21 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2007-11-30 23:24 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
2007-11-30 23:22 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2007-11-30 22:30 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2007-11-30 22:27 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2007-11-30 22:27 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2007-11-30 22:25 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2007-11-30 22:25 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2007-11-30 22:24 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2007-11-30 21:38 79,872 ------w C:\WINDOWS\system32\msxml6r.dll
2007-11-30 21:37 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2007-11-30 21:37 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2007-11-30 21:37 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2007-11-30 21:35 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2007-11-30 21:25 2,897,920 ------w C:\WINDOWS\system32\xpsp2res.dll
2007-11-30 21:25 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2007-11-30 21:23 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll
2007-11-30 21:23 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2007-11-30 21:23 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2007-11-30 21:06 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2007-11-30 20:54 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2007-11-30 20:53 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2007-11-30 20:45 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2007-11-30 20:41 53,840 ----a-w C:\WINDOWS\system32\dosx.exe
2007-11-30 20:40 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll
2007-11-30 20:39 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe
2007-11-30 20:38 3,338 ----a-w C:\WINDOWS\system32\redir.exe
2007-11-30 20:37 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2007-11-30 20:36 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2007-11-30 20:36 35,648 ----a-w C:\WINDOWS\system32\ntio411.sys
2007-11-30 20:36 35,424 ----a-w C:\WINDOWS\system32\ntio412.sys
2007-11-30 20:36 34,560 ----a-w C:\WINDOWS\system32\ntio804.sys
2007-11-30 20:36 34,560 ----a-w C:\WINDOWS\system32\ntio404.sys
2007-11-30 20:36 33,840 ----a-w C:\WINDOWS\system32\ntio.sys
2007-11-30 20:35 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2007-11-30 20:32 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2007-11-30 20:10 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2007-11-30 19:31 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 17:00 128920]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"F:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12698:TCP"= 12698:TCP:BitComet 12698 TCP
"12698:UDP"= 12698:UDP:BitComet 12698 UDP

S3 L6PODLV;PODxt Live Service;C:\WINDOWS\system32\Drivers\L6PODLV.sys [2007-09-17 14:25]
S3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-06-24 01:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 12:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 17:10:07
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 17:10:55
ComboFix-quarantined-files.txt 2008-02-25 22:10:51
ComboFix2.txt 2008-02-25 21:48:00
.
2008-02-15 08:01:40 --- E O F ---
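Before the helper's reply, it is worth seeing what in the HijackThis log above actually drives the removal script that follows. The script below is an added example written for this thread; it is not HijackThis code and was not posted by anyone in the discussion. It runs three triage checks over a constructed sample of lines copied from the log: an O20 Winlogon Notify entry whose value is not a DLL path (here a random-looking name, khfdcbb, pointing at a bare directory) is the persistence indicator the helper's CFScript later deletes; O15 Trusted Zone and non-Microsoft O16 ActiveX entries are flagged for review only. The severity labels and the "ends with microsoft.com" allow-list are this example's own assumptions.

```python
"""Triage checks over HijackThis (HJT) log lines.

Added example for this forum thread. It is not HijackThis code and not
something the helpers posted; the sample lines are copied from the log
above and the checks encode what a malware-removal helper looks for by
hand in the O15, O16 and O20 sections.
"""
import re
from dataclasses import dataclass

# Constructed sample: six entries copied verbatim from the HJT log above.
SAMPLE_HJT_LOG = r"""
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187505187
O20 - Winlogon Notify: khfdcbb - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section, e.g. "O20"
    severity: str  # "high" or "review" (labels are this example's assumption)
    reason: str
    line: str


_ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entries(text):
    """Return (section, payload, raw_line) for every 'Onn - ...' line."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = _ENTRY_RE.match(raw)
        if m:
            out.append((m.group(1), m.group(2), raw))
    return out


def check_o20(payload, raw):
    """O20 Winlogon Notify values must be DLLs that winlogon.exe loads at logon.
    A bare directory or any non-DLL value has no legitimate purpose there."""
    rest = payload.split(": ", 1)[1]          # "khfdcbb - C:\WINDOWS\"
    name, _, path = rest.partition(" - ")
    path = path.strip()
    if not path.lower().endswith(".dll"):
        return Finding("O20", "high",
                       f"Winlogon Notify '{name}' is not a DLL path: {path!r}", raw)
    return None


def check_o15(payload, raw):
    """Every Trusted Zone entry lowers IE security for that host; list it."""
    zone = payload.split(": ", 1)[1]
    return Finding("O15", "review",
                   f"Trusted Zone entry {zone!r} relaxes IE security for that host", raw)


_HOST_RE = re.compile(r"https?://([^/]+)/", re.I)


def check_o16(payload, raw):
    """Downloaded ActiveX controls (DPF) from hosts other than Microsoft's
    update servers should be confirmed as intentional installs."""
    m = _HOST_RE.search(payload)
    host = m.group(1).lower() if m else "?"
    if host.endswith("microsoft.com"):       # assumption: treat as benign
        return None
    return Finding("O16", "review",
                   f"ActiveX control downloaded from third-party host {host}", raw)


CHECKS = {"O20": check_o20, "O15": check_o15, "O16": check_o16}


def triage(text):
    """Run the per-section checks and return the findings in log order."""
    findings = []
    for section, payload, raw in parse_entries(text):
        check = CHECKS.get(section)
        if check:
            finding = check(payload, raw)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Running it against the sample lists one high finding (the khfdcbb Winlogon Notify entry) and two review items (the line6.net Trusted Zone entry and the PCPitstop ActiveX control); the O9 and O23 entries and the Microsoft Update control produce nothing.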

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:10:52 PM

Posted 25 February 2008 - 12:53 AM

Hey rfS,

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\pskt.ini
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{049c0743-8191-4bf6-bc20-5de60e7d9bc0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D314B5C-446C-4542-BE30-6DB2ADCAB54F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAF5D9B5-CC9F-4773-874C-781AED09D85A}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfdcbb]
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.
Step #2

Please do an online scan with Kaspersky Webscan (You need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Now please post back with the ComboFix log, a fresh HijackThis log and the Kaspersky log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image
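The CFScript above asks ComboFix to delete one file and six registry keys, and the log ComboFix writes afterwards (the one posted in reply below) is the only record of what it actually did. The script that follows is an added example written for this thread, not ComboFix's own code and not something the helper posted. It parses the File:: and Registry:: sections of a CFScript, then reads the log's "FILE ::" echo and its "Other Deletions" banner, and reports which requested file deletions the log confirms. Registry deletions are not echoed in the log sections shown in this thread, so they are reported as unconfirmed rather than assumed done; confirming them needs the fresh HijackThis log the helper asks for next. The banner layout it expects is assumed from the logs quoted in the thread; the sample inputs are constructed from those posts.

```python
"""Check a ComboFix run against the CFScript that drove it.

Added example for this forum thread; not ComboFix's own code and not posted
by the helper. Assumption: the log uses the 'FILE ::' echo and the
'((( Other Deletions )))' banner exactly as the logs quoted in the thread do.
"""

# Constructed sample: the script from the helper's post, copied verbatim.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\pskt.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{049c0743-8191-4bf6-bc20-5de60e7d9bc0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D314B5C-446C-4542-BE30-6DB2ADCAB54F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAF5D9B5-CC9F-4773-874C-781AED09D85A}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfdcbb]
"""

# Constructed sample: the head of the log ComboFix produced, as posted in reply.
SAMPLE_COMBOFIX_LOG = r"""
ComboFix 08-02-25 - Dave 2008-02-26 1:19:42.3 - NTFSx86
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\pskt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-22 00:09 . 2008-02-25 16:42 70,820 --a------ C:\WINDOWS\BM7bff6967.xml
"""


def parse_cfscript(text):
    """Map each 'Name::' section of a CFScript to its non-empty lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log_section(log, banner):
    """Non-empty, non-'.' lines under the '((( banner )))' header, up to the
    next banner line."""
    items, inside = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("((("):
            if inside:
                break
            inside = banner in s
            continue
        if inside and s and s != ".":
            items.append(s)
    return items


def parse_echoed_files(log):
    """Paths ComboFix prints under 'FILE ::' to acknowledge the script it read."""
    items, inside = [], False
    for line in log.splitlines():
        s = line.strip()
        if s == "FILE ::":
            inside = True
            continue
        if inside:
            if not s or s == ".":
                break
            items.append(s)
    return items


def reconcile(script_text, log_text):
    """Compare requested deletions with what the log confirms (case-insensitive
    on paths, as NTFS is)."""
    req = parse_cfscript(script_text)
    wanted = req.get("file", [])
    echoed = {p.lower() for p in parse_echoed_files(log_text)}
    deleted = {p.lower() for p in parse_log_section(log_text, "Other Deletions")}
    return {
        "not_echoed": [p for p in wanted if p.lower() not in echoed],
        "confirmed": [p for p in wanted if p.lower() in deleted],
        "missing": [p for p in wanted if p.lower() not in deleted],
        # Registry removals are not listed in the log sections shown, so they
        # stay unconfirmed until a fresh HijackThis log shows them gone.
        "unconfirmed_registry": list(req.get("registry", [])),
    }


if __name__ == "__main__":
    for key, paths in reconcile(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG).items():
        print(key, paths)
```

On the sample it confirms C:\WINDOWS\pskt.ini as deleted, reports nothing missing or unechoed, and leaves all six registry keys unconfirmed, which is why the follow-up HijackThis log in Step #3 matters: the O2 BHO lines and the O20 khfdcbb line should be gone from it.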


#7 rfS

rfS
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:52 PM

Posted 25 February 2008 - 01:30 PM

ComboFix 08-02-25 - Dave 2008-02-26 1:19:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.525 [GMT -5:00]
Running from: F:\Program Files\BitComet\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\pskt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-24 07:36 . 2008-02-24 07:36 <DIR> d-------- C:\Program Files\Sygate
2008-02-24 07:36 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-02-24 07:36 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-02-24 07:36 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-02-24 07:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-02-22 00:09 . 2008-02-25 16:42 70,820 --a------ C:\WINDOWS\BM7bff6967.xml
2008-02-21 09:20 . 2008-02-21 09:20 <DIR> d--hs---- C:\found.000
2008-02-15 22:30 . 2008-02-15 22:30 <DIR> d-------- C:\Program Files\Red Kawa
2008-02-13 17:09 . 2008-02-13 17:09 82 --a------ C:\WINDOWS\wininit.ini
2008-02-13 00:22 . 2008-02-13 00:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-13 00:22 . 2008-02-13 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 22:13 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-12 22:13 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-12 21:12 . 2008-02-12 21:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 21:12 . 2008-02-12 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 15:59 . 2008-02-10 15:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 17:20 . 2008-02-23 00:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 17:04 . 2006-08-24 11:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-02-09 17:04 . 2006-07-10 16:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-02-09 17:03 . 2008-02-22 23:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-09 17:03 . 2008-02-09 17:03 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\PC Tools
2008-02-09 17:01 . 2008-02-22 23:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 17:01 . 2008-02-22 23:58 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Lavasoft
2008-02-09 05:20 . 2008-02-09 05:20 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-02-09 05:19 . 2008-02-09 05:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Line 6
2008-02-09 04:32 . 2007-09-17 14:25 514,432 --a------ C:\WINDOWS\system32\drivers\L6PODLV.sys
2008-02-09 04:32 . 2007-09-17 14:22 118,784 --a------ C:\WINDOWS\system32\l6podlv.dll
2008-02-09 04:30 . 2008-02-09 05:19 <DIR> d-------- C:\Program Files\Line6
2008-02-09 04:30 . 2008-02-09 05:19 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Line 6
2008-02-09 02:53 . 2008-02-09 02:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Program Files\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Webroot
2008-02-09 02:48 . 2008-02-09 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-09 02:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-09 02:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-09 02:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-09 02:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-09 02:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-09 02:25 . 2008-02-09 02:25 <DIR> d-------- C:\WINDOWS\system32\ver2
2008-02-09 02:25 . 2008-02-09 02:25 <DIR> d-------- C:\WINDOWS\system32\jap8
2008-02-09 02:25 . 2008-02-23 03:09 <DIR> d-------- C:\WINDOWS\system32\hlp6
2008-02-09 02:25 . 2008-02-23 00:09 <DIR> d-------- C:\Temp
2008-02-09 02:11 . 2008-02-09 02:11 <DIR> d-------- C:\Program Files\PCPitstop
2008-02-08 13:19 . 2008-02-08 13:19 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-07 20:22 . 2008-02-07 20:22 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-02-07 20:21 . 2002-07-07 17:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-02-07 20:20 . 2008-02-07 20:22 <DIR> d-------- C:\Program Files\Image-Line
2008-02-07 12:06 . 2008-02-25 18:10 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Program Files\iTunes
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Program Files\iPod
2008-02-07 12:01 . 2008-02-07 12:01 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Apple Computer
2008-02-07 12:01 . 2008-02-25 16:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 12:01 . 2008-02-07 12:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 12:00 . 2008-02-07 12:00 <DIR> d-------- C:\Program Files\QuickTime
2008-02-07 12:00 . 2008-02-07 12:00 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-07 12:00 . 2008-02-07 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-07 12:00 . 2008-02-07 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-07 11:42 . 2008-02-07 11:42 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\iLike
2008-02-06 21:32 . 2008-02-06 21:32 18,640 --a------ C:\Documents and Settings\Dave\Application Data\GDIPFONTCACHEV1.DAT
2008-02-06 21:31 . 2007-11-30 17:31 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-06 19:09 . 2008-02-06 19:09 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-06 19:08 . 2008-02-06 19:09 <DIR> d-------- C:\WINDOWS\ShellNew
2008-02-05 18:49 . 2008-02-23 00:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-05 18:49 . 2000-02-21 19:35 <DIR> d-------- C:\Documents and Settings\Dave\Contacts
2008-02-05 18:45 . 2008-02-05 18:49 <DIR> d-------- C:\Program Files\Windows Live
2008-02-05 18:45 . 2008-02-05 18:46 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-05 18:45 . 2008-02-05 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-05 06:50 . 2008-02-11 22:13 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-05 06:08 . 2004-08-18 03:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-05 06:05 . 2008-02-05 06:05 <DIR> d-------- C:\WINDOWS\nview
2008-02-05 05:37 . 2008-02-05 05:37 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Cakewalk
2008-02-05 05:33 . 2008-02-05 05:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-05 05:33 . 2008-02-05 05:33 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-02-05 05:33 . 2008-02-05 05:33 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Leadertech
2008-02-05 05:30 . 2008-02-05 05:30 <DIR> d-------- C:\Program Files\Seagate
2008-02-05 05:30 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-02-05 05:29 . 2008-02-05 05:36 <DIR> d-------- C:\Program Files\Cakewalk
2008-02-05 05:29 . 2008-02-05 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cakewalk
2008-02-05 05:29 . 2006-02-24 10:00 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2008-02-05 05:29 . 2006-02-24 10:00 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-02-05 05:29 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-02-05 05:29 . 2006-02-24 10:00 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-02-05 05:24 . 2008-02-05 05:24 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-02-05 05:21 . 2008-02-05 05:21 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-05 05:20 . 2008-02-05 20:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-05 05:20 . 2000-02-21 18:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-05 05:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-05 05:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-05 05:14 . 2008-02-05 05:17 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-02-05 05:06 . 2008-02-05 05:06 <DIR> d-------- C:\WINDOWS\EHome
2008-02-05 05:03 . 2008-02-05 05:03 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-02-05 05:03 . 2008-02-05 05:03 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2008-02-05 02:23 . 2008-02-06 19:10 478 --a------ C:\WINDOWS\ODBC.INI
2008-02-05 02:22 . 2008-02-05 02:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-05 02:20 . 2008-02-05 02:20 664,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-02-05 02:20 . 2008-02-05 05:13 96,384 --a------ C:\WINDOWS\system32\drivers\sptd5485.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 00:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:58 --------- d-----w C:\Program Files\Creative
2008-02-05 00:57 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-05 00:57 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-05 00:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-05 00:57 --------- d-----w C:\Documents and Settings\Dave\Application Data\Creative
2008-02-05 00:47 --------- d-----w C:\Program Files\Intel
2008-02-05 00:27 558,142 ----a-w C:\WINDOWS\java\Packages\GYHZFXB9.ZIP
2008-02-05 00:27 155,995 ----a-w C:\WINDOWS\java\Packages\OEPJD7NF.ZIP
2008-02-05 00:27 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-01 05:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2007-12-01 05:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2007-12-01 05:25 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2007-12-01 05:24 76,288 ----a-w C:\WINDOWS\system32\uniime.dll
2007-12-01 05:24 756,224 ----a-w C:\WINDOWS\system32\winntbbu.dll
2007-12-01 05:24 706,048 ----a-w C:\WINDOWS\system32\ntdll.dll
2007-12-01 05:24 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2007-12-01 05:23 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2007-12-01 05:23 101,888 ----a-w C:\WINDOWS\system32\dpcdll.dll
2007-12-01 05:21 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2007-12-01 05:21 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2007-11-30 23:24 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
2007-11-30 23:22 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2007-11-30 22:30 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2007-11-30 22:27 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2007-11-30 22:27 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2007-11-30 22:25 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2007-11-30 22:25 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2007-11-30 22:24 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2007-11-30 21:38 79,872 ------w C:\WINDOWS\system32\msxml6r.dll
2007-11-30 21:37 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2007-11-30 21:37 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2007-11-30 21:37 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2007-11-30 21:35 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2007-11-30 21:25 2,897,920 ------w C:\WINDOWS\system32\xpsp2res.dll
2007-11-30 21:25 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2007-11-30 21:23 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll
2007-11-30 21:23 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2007-11-30 21:23 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2007-11-30 21:06 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2007-11-30 20:54 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2007-11-30 20:53 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2007-11-30 20:45 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2007-11-30 20:41 53,840 ----a-w C:\WINDOWS\system32\dosx.exe
2007-11-30 20:40 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll
2007-11-30 20:39 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe
2007-11-30 20:38 3,338 ----a-w C:\WINDOWS\system32\redir.exe
2007-11-30 20:37 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2007-11-30 20:36 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2007-11-30 20:36 35,648 ----a-w C:\WINDOWS\system32\ntio411.sys
2007-11-30 20:36 35,424 ----a-w C:\WINDOWS\system32\ntio412.sys
2007-11-30 20:36 34,560 ----a-w C:\WINDOWS\system32\ntio804.sys
2007-11-30 20:36 34,560 ----a-w C:\WINDOWS\system32\ntio404.sys
2007-11-30 20:36 33,840 ----a-w C:\WINDOWS\system32\ntio.sys
2007-11-30 20:35 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2007-11-30 20:32 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2007-11-30 20:10 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2007-11-30 19:31 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 17:00 128920]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"F:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12698:TCP"= 12698:TCP:BitComet 12698 TCP
"12698:UDP"= 12698:UDP:BitComet 12698 UDP

S3 L6PODLV;PODxt Live Service;C:\WINDOWS\system32\Drivers\L6PODLV.sys [2007-09-17 14:25]
S3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-06-24 01:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 12:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 01:22:15
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 1:23:31
ComboFix-quarantined-files.txt 2008-02-26 06:23:26
ComboFix2.txt 2008-02-25 22:10:56
ComboFix3.txt 2008-02-25 21:48:00
.
2008-02-15 08:01:40 --- E O F ---



_____________________________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:41 PM, on 2/26/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {049c0743-8191-4bf6-bc20-5de60e7d9bc0} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - (no file)
O2 - BHO: (no name) - {FAF5D9B5-CC9F-4773-874C-781AED09D85A} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187505187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202187497296
O20 - Winlogon Notify: khfdcbb - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7694 bytes


________________________________________________________________________________________________________________


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 26, 2008 1:11:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 579074
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 75822
Number of viruses found: 4
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:23:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Dave\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\History\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dave\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dave\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\b153.exe.vir Infected: Trojan-Downloader.Win32.Agent.jig skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\eoiafnhw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lgggdepi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mwehrpgu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnomkl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spkjhmdn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025039.exe Infected: Trojan-Downloader.Win32.Agent.jig skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025042.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025043.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025044.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP53\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5485.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_740.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_958.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\HARDDRIVEBACKUP\MydocsBACKUP\Reformat Files\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
F:\HARDDRIVEBACKUP\MydocsBACKUP\Reformat Files\mirc617.exe mIRC: infected - 1 skipped
F:\HARDDRIVEBACKUP\Reformat Files\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
F:\HARDDRIVEBACKUP\Reformat Files\mirc617.exe mIRC: infected - 1 skipped
F:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
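
The report above is one flat list, and most of its 18 "infected" hits are not live files: they sit in ComboFix's quarantine (C:\QooBox) or in old System Restore points, and the remaining ones are mIRC, which Kaspersky labels "not-a-virus" riskware. As an added example that is not part of the thread or of any of the tools it mentions, here is a small Python parser for this report format that separates locked/skipped objects from detections, groups the detections by where they sit, and keeps riskware names apart from real malware. The sample lines are copied from the report above; the path classification rules and the riskware test are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: one line of each kind that the Kaspersky Online Scanner
# report above contains, copied from that report.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Dave\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\b153.exe.vir Infected: Trojan-Downloader.Win32.Agent.jig skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\eoiafnhw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{0DDD0311-FD1C-4ADB-A9D5-B0F3612D146E}\RP51\A0025039.exe Infected: Trojan-Downloader.Win32.Agent.jig skipped
F:\HARDDRIVEBACKUP\Reformat Files\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
F:\HARDDRIVEBACKUP\Reformat Files\mirc617.exe mIRC: infected - 1 skipped
F:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
"""

# The three line shapes in the report: a locked object, a detection, and the
# per-archive summary printed after the members of an installer were scanned.
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+) (?P<archive>\S+): infected - (?P<count>\d+) skipped$")


def parse_report(text):
    """Turn report lines into records; lines of an unknown shape are kept as 'unparsed'."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            records.append({"path": m["path"], "status": "locked", "detection": None})
            continue
        m = INFECTED_RE.match(line)
        if m:
            records.append({"path": m["path"], "status": "infected", "detection": m["name"]})
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            records.append({"path": m["path"], "status": "archive", "detection": None,
                            "count": int(m["count"])})
            continue
        records.append({"path": None, "status": "unparsed", "detection": None, "raw": line})
    return records


def location(path):
    """Assumed classification: where a detected object lives decides what it needs."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already moved aside by ComboFix; inert
    if "\\system volume information\\_restore" in p:
        return "system_restore"  # old restore points; cleared when System Restore is reset
    return "live"


def is_riskware(detection):
    """Kaspersky prefixes legitimate-but-dual-use tools with 'not-a-virus:'."""
    return detection.startswith("not-a-virus:")


def triage(records):
    """Group detections by location; only the 'live' group is still on the running system."""
    groups = {"quarantine": [], "system_restore": [], "live": []}
    for r in records:
        if r["status"] == "infected":
            groups[location(r["path"])].append(r)
    return groups


def detection_counts(records):
    return Counter(r["detection"] for r in records if r["status"] == "infected")


def live_malware(records):
    """Detections outside quarantine and restore points that are not mere riskware."""
    return [r for r in triage(records)["live"] if not is_riskware(r["detection"])]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for where, items in triage(recs).items():
        print(f"{where}: {len(items)}")
    for name, n in detection_counts(recs).items():
        print(f"  {n} x {name}")
    print("live malware needing action:", [r["path"] for r in live_malware(recs)])
```

On the sample lines this reports no live malware: the only hits outside quarantine and restore points are mIRC, which Kaspersky files under "not-a-virus", while every Agent.jig and Virtumonde detection is already in C:\QooBox or in restore point RP51. That matches the helper's later instruction to run ComboFix /u, which resets System Restore and with it those RP51 copies.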

#8 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 25 February 2008 - 02:04 PM

Hey rfS,

Step #1

Make sure you disable spybot and adwatch as described at this link.

Step #2
  • Open notepad and copy/paste the text in the codebox below into it:

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{049c0743-8191-4bf6-bc20-5de60e7d9bc0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D314B5C-446C-4542-BE30-6DB2ADCAB54F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAF5D9B5-CC9F-4773-874C-781AED09D85A}]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdcbb]
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #3

Please post back with a fresh HijackThis log and the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
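
The CFScript in the post above is built by hand from the HijackThis log: every O2 BHO entry whose file is "(no file)", the empty "Spyware Doctor" value under the HKUS\.DEFAULT Run key, and the O20 Winlogon Notify entry that points at a bare directory instead of a DLL. As an added example (not the helper's, HijackThis's or ComboFix's own code), this Python snippet applies those same three checks to HijackThis lines and emits the matching Registry:: block in the form used in the post. The sample lines are copied from the log above; the detection rules, and the use of the `[-key]` deletion form for the Winlogon Notify key, are my assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, including
# one healthy BHO (Spybot's SDHelper.dll) and one normal Run entry that the
# filters must leave alone.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {049c0743-8191-4bf6-bc20-5de60e7d9bc0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D314B5C-446C-4542-BE30-6DB2ADCAB54F} - (no file)
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: khfdcbb - C:\WINDOWS\
"""

# HijackThis line shapes this script understands (assumed from the log above).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^O4 - HKUS\\\.DEFAULT\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<rest>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.*)$")


def find_removals(text):
    """Return (orphan BHO CLSIDs, empty .DEFAULT Run values, suspicious Notify names)."""
    orphan_bhos, empty_runs, bad_notify = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            # A BHO registered with no backing file is a leftover of a removed DLL.
            if m["file"] == "(no file)":
                orphan_bhos.append(m["clsid"])
            continue
        m = RUN_RE.match(line)
        if m:
            # HijackThis prints "[name] command (User '...')"; no command means an empty value.
            if m["rest"].startswith("(User "):
                empty_runs.append(m["value"])
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # A Winlogon Notify package must name a DLL; a bare directory or no file is wrong.
            if m["file"] == "(no file)" or m["file"].endswith("\\"):
                bad_notify.append(m["name"])
    return orphan_bhos, empty_runs, bad_notify


def build_cfscript(orphan_bhos, empty_runs, bad_notify):
    """Emit a ComboFix Registry:: block in the form used in the post above."""
    lines = ["Registry::"]
    for clsid in orphan_bhos:
        lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + clsid + "]")
    if empty_runs:
        lines.append("[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]")
        for value in empty_runs:
            lines.append('"' + value + '"=-')
    for name in bad_notify:
        # Assumption: the deletion marker is wanted here as well.
        lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                     "\\winlogon\\notify\\" + name + "]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(*find_removals(SAMPLE_HJT)))
```

Run against the sample it reproduces the two orphan BHO lines, the `"Spyware Doctor"=-` value and the khfdcbb Notify key, and leaves the Spybot BHO and the ctfmon.exe Run entry untouched; the generated text is meant to be read and checked by the person driving the clean-up, not fed to ComboFix unseen.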


#9 rfS

  • Topic Starter
  • Members
  • 8 posts

Posted 25 February 2008 - 06:08 PM

Hey, now combofix is saying

"Current date is 2008-02-25

This copy of ComboFix has expired
Please download an updated copy"

I tried to redownload from bleeping computer but it still says the same thing.

#10 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 26 February 2008 - 05:29 AM

Hey rfS,

It seems that not all programmes running on your PC have been disabled as described in step #1 above. Something is interfering with ComboFix's running. Please revisit this link: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/ and double check if all your security software is disabled in the methods described there. If yours is not on the list, let me know. Thanks.



#11 rfS

  • Topic Starter
  • Members
  • 8 posts

Posted 06 March 2008 - 01:22 PM

Hey!!

Very sorry for the late reply.

I ended up buying a new computer for school and work so I reformatted,

BUT

After those fixes as is, my computer was running smooth and fine, so I believe your instructions fixed it regardless.

Thanks a lot,

#12 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 06 March 2008 - 03:29 PM

That's ok. Thanks for posting back.

Now please navigate to: Start >> Run...
  • Type: Combofix /u and hit Enter
  • This will delete:
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Also resets System Restore, re-hides system & hidden files, resets system clock and last but not least, hides the file extensions of known filetypes
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, you will find a nice little article about turning on automatic updates here.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



#13 rfS

  • Topic Starter
  • Members
  • 8 posts

Posted 06 March 2008 - 08:33 PM

Hey, I was also wondering about Windows Firewall. Is it bad to have Windows Firewall as well as Sygate running, or is that a good idea?

#14 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 07 March 2008 - 01:34 PM

Hey rfS,

Using two software firewalls on a single computer could cause issues with connectivity to the Internet or other unexpected behavior. Further, running multiple software firewalls can cause conflicts that are hard to identify and troubleshoot. Only one of the firewalls can receive the packets over the network and process them. Sometimes you may even have a conflict that causes neither firewall to protect your connection. However, you can use a hardware firewall (your router) and a software firewall in conjunction. For more information see "The Differences and Features of Hardware & Software Firewalls" and Bleepingcomputer's tutorial on Firewalls - "Understanding and using Firewalls".

Also, please see a quote of what I previously wrote (post #4):

If you do decide to install a third party firewall, make sure that the windows firewall is not running and if it is, deactivate it. A tutorial on how to do it, can be found here.

I would suggest to turn off the Windows Firewall. The XP one is pretty "useless" anyhow.





