Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected - Need Help!


  • This topic is locked This topic is locked
12 replies to this topic

#1 brockj

brockj

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 01 June 2008 - 02:36 PM

Found this site through a little searching. Followed a few of the other posts and have made progress, but still having problems, specifically with pop-ups. I have ran both HiJack this and ComboFix and have my logs. Appears to be an issue with core.cache.dsk and I beleive mrxdavv.sys and usbsermptxp.sys files, but before doing anything wanted to post to the experts!! Here are my logs:

HiJack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:23 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.100:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {116dd415-5d32-b61f-97ef-38a14419be65} - C:\WINDOWS\system32\{b2469b30-ef1b-4c16-9bdd-ac0b8b2abe98}.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {FC689B1B-53AA-215E-FF4A-0CA2E39E4896} - C:\WINDOWS\system32\ylpoth.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Office Outlook View Control) - http://activex.microsoft.com/activex/contr...ce/outlctlx.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {449B3922-8132-4764-ADA3-06D654066B9D} (software\DX8100\WebDVR) - http://208.44.158.114/DX8100WebDVR.CAB
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://72.21.231.73/tsweb/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O16 - DPF: {EB3921F9-5FEA-4F03-9B53-6DD0B0FA4F59} (DX8100WebDVRLogoin Control) - http://208.44.158.114/DX8100WebDVRLogoin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{953AD55D-65CA-4831-8FE0-BBB123476568}: NameServer = 68.87.77.130,68.87.72.130
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5350 bytes

ComboFix:

ComboFix 08-06-01.2 - Administrator 2008-06-01 13:51:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.700 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\DOBE~1
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 13:55 . 2008-06-01 13:55 <DIR> d-------- C:\Temp\tn3
2008-06-01 13:54 . 2008-06-01 13:54 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-01 11:00 . 2008-06-01 11:00 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-05 20:46 . 2008-05-05 20:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 17:33 --------- d-----w C:\Program Files\UltraVNC
2008-06-01 13:20 86,144 ----a-w C:\WINDOWS\system32\drivers\mrxdavv.sys
2008-05-31 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-29 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-29 02:14 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-29 02:13 --------- d-----w C:\Program Files\Avanquest update
2008-04-29 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 02:10 24,192 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-29 02:10 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-04-29 02:10 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2008-04-06 20:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-06 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116dd415-5d32-b61f-97ef-38a14419be65}]
C:\WINDOWS\system32\{b2469b30-ef1b-4c16-9bdd-ac0b8b2abe98}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC689B1B-53AA-215E-FF4A-0CA2E39E4896}]
C:\WINDOWS\system32\ylpoth.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 15:22 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2006-09-14 17:43:26 6144]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\ncntkkdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate]
C:\WINDOWS\system32\1025k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\13892.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 13:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 15:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{05baa369-8b71-5b18-6f13-165a0edb2e4a}]
C:\WINDOWS\system32\{b2469b30-ef1b-4c16-9bdd-ac0b8b2abe98}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5D-DA-A8-84-DW}]
c:\windows\system32\jjwnw64l.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mrxdavv;mrxdavv;C:\WINDOWS\system32\drivers\mrxdavv.sys [2008-06-01 08:20]
S3 CrystalCpuInfo;CrystalCpuInfo;C:\Program Files\OCCT\CpuInfo.sys [2003-11-25 08:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 18:50:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 13:55:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-01 13:57:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 18:57:32

Pre-Run: 81,171,881,984 bytes free
Post-Run: 81,765,457,920 bytes free

154 --- E O F --- 2008-05-16 08:01:00


Thanks in advance!!

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 02 June 2008 - 04:43 AM

Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\mrxdavv.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
Folder::
C:\Temp\tn3
Driver::
mrxdavv
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116dd415-5d32-b61f-97ef-38a14419be65}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC689B1B-53AA-215E-FF4A-0CA2E39E4896}]
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Deewoo.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{05baa369-8b71-5b18-6f13-165a0edb2e4a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5D-DA-A8-84-DW}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

By the way...

Appears to be an issue with core.cache.dsk and I beleive mrxdavv.sys and usbsermptxp.sys files

Nothing wrong with the usbsermptxp.sys files, they are related with your Motorola Phone Tools
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 brockj

brockj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 02 June 2008 - 05:48 PM

Thanks for the help! Here is the new ComboFix logfile:

ComboFix 08-06-01.2 - Administrator 2008-06-02 17:41:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\mrxdavv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRXDAVV
-------\Service_mrxdavv


((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-01 11:00 . 2008-06-01 11:00 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-01 08:20 . 2008-06-01 08:20 <DIR> d-------- C:\WINDOWS\system32\wIE6
2008-06-01 08:20 . 2008-06-01 08:37 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-01 08:20 . 2008-06-01 09:19 <DIR> d-------- C:\WINDOWS\system32\Ucom1
2008-06-01 08:20 . 2008-06-01 09:19 <DIR> d-------- C:\WINDOWS\system32\ITMP
2008-06-01 08:20 . 2008-06-01 09:19 <DIR> d-------- C:\WINDOWS\system32\evd2
2008-06-01 08:20 . 2008-06-01 12:33 <DIR> d-------- C:\WINDOWS\system32\Dev3
2008-06-01 08:20 . 2008-06-01 09:18 <DIR> d-------- C:\WINDOWS\system32\4026c
2008-06-01 08:20 . 2008-06-01 12:33 <DIR> d--hs---- C:\WINDOWS\Sm9lIEJyb2NrbWFu
2008-06-01 08:20 . 2008-06-01 16:09 <DIR> d-------- C:\Temp
2008-06-01 08:20 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-05 20:46 . 2008-05-05 20:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 17:33 --------- d-----w C:\Program Files\UltraVNC
2008-05-31 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-29 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-29 02:14 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-29 02:13 --------- d-----w C:\Program Files\Avanquest update
2008-04-29 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 02:10 24,192 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-29 02:10 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-04-29 02:10 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2008-04-06 20:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-06 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_13.57.23.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:54:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 22:44:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 15:22 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2006-09-14 17:43:26 6144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 13:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 15:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 CrystalCpuInfo;CrystalCpuInfo;C:\Program Files\OCCT\CpuInfo.sys [2003-11-25 08:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 06:56:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 17:44:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-02 17:46:52 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-02 22:46:49
ComboFix2.txt 2008-06-01 21:18:27
ComboFix3.txt 2008-06-01 21:11:47
ComboFix4.txt 2008-06-01 18:57:36

Pre-Run: 81,643,941,888 bytes free
Post-Run: 81,692,012,544 bytes free

129 --- E O F --- 2008-05-16 08:01:00

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 03 June 2008 - 12:10 AM

Hi,

new malware installed in a meanwhile..

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Folder::
C:\WINDOWS\system32\wIE6
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\Ucom1
C:\WINDOWS\system32\ITMP
C:\WINDOWS\system32\evd2
C:\WINDOWS\system32\Dev3
C:\WINDOWS\system32\4026c
C:\WINDOWS\Sm9lIEJyb2NrbWFu


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 brockj

brockj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 03 June 2008 - 06:09 AM

Again, thanks for the response!! Here are my logs:

ComboFix:

ComboFix 08-06-01.2 - Administrator 2008-06-03 6:04:15.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-01 11:00 . 2008-06-01 11:00 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-01 08:20 . 2008-06-01 08:20 <DIR> d-------- C:\WINDOWS\system32\wIE6
2008-06-01 08:20 . 2008-06-01 08:37 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-01 08:20 . 2008-06-01 09:19 <DIR> d-------- C:\WINDOWS\system32\Ucom1
2008-06-01 08:20 . 2008-06-01 09:19 <DIR> d-------- C:\WINDOWS\system32\ITMP
2008-06-01 08:20 . 2008-06-01 09:19 <DIR> d-------- C:\WINDOWS\system32\evd2
2008-06-01 08:20 . 2008-06-01 12:33 <DIR> d-------- C:\WINDOWS\system32\Dev3
2008-06-01 08:20 . 2008-06-01 09:18 <DIR> d-------- C:\WINDOWS\system32\4026c
2008-06-01 08:20 . 2008-06-01 12:33 <DIR> d--hs---- C:\WINDOWS\Sm9lIEJyb2NrbWFu
2008-06-01 08:20 . 2008-06-01 16:09 <DIR> d-------- C:\Temp
2008-06-01 08:20 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-05 20:46 . 2008-05-05 20:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 17:33 --------- d-----w C:\Program Files\UltraVNC
2008-05-31 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-29 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-29 02:14 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-29 02:13 --------- d-----w C:\Program Files\Avanquest update
2008-04-29 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 02:10 24,192 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-29 02:10 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-04-29 02:10 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2008-04-06 20:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-06 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_13.57.23.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:54:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 22:44:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 15:22 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2006-09-14 17:43:26 6144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 13:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 15:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 CrystalCpuInfo;CrystalCpuInfo;C:\Program Files\OCCT\CpuInfo.sys [2003-11-25 08:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 06:46:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 06:05:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 6:06:31
ComboFix-quarantined-files.txt 2008-06-03 11:06:28
ComboFix2.txt 2008-06-02 22:46:53
ComboFix3.txt 2008-06-01 21:18:27
ComboFix4.txt 2008-06-01 21:11:47
ComboFix5.txt 2008-06-01 18:57:36

Pre-Run: 81,657,319,424 bytes free
Post-Run: 81,703,317,504 bytes free

109 --- E O F --- 2008-05-16 08:01:00

HiJack This
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:16 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.100:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Office Outlook View Control) - http://activex.microsoft.com/activex/contr...ce/outlctlx.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {449B3922-8132-4764-ADA3-06D654066B9D} (software\DX8100\WebDVR) - http://208.44.158.114/DX8100WebDVR.CAB
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://72.21.231.73/tsweb/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O16 - DPF: {EB3921F9-5FEA-4F03-9B53-6DD0B0FA4F59} (DX8100WebDVRLogoin Control) - http://208.44.158.114/DX8100WebDVRLogoin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{953AD55D-65CA-4831-8FE0-BBB123476568}: NameServer = 68.87.77.130,68.87.72.130
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4984 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 03 June 2008 - 07:46 AM

Hi,

Can you perform the step again please? Because the folders are still there. Are you sure you included Folder:: on top in the CFScript?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 brockj

brockj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 03 June 2008 - 07:50 AM

I am pretty sure I did, but I was a bit sleepy this morning when I tried it! Will do it again as soon as I get home from work (about 9 hours from now :thumbsup: )

Thanks!!

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 03 June 2008 - 07:56 AM

Ok, I read your reply later :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 brockj

brockj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 03 June 2008 - 04:51 PM

Ok, hopefully I got it this time!!

ComboFix:
ComboFix 08-06-01.2 - Administrator 2008-06-03 16:49:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Sm9lIEJyb2NrbWFu
C:\WINDOWS\system32\4026c
C:\WINDOWS\system32\Dev3
C:\WINDOWS\system32\evd2
C:\WINDOWS\system32\ITMP
C:\WINDOWS\system32\Ucom1
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\wIE6
C:\WINDOWS\system32\wIE6\fetchdll33.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-01 11:00 . 2008-06-01 11:00 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-01 08:20 . 2008-06-01 16:09 <DIR> d-------- C:\Temp
2008-06-01 08:20 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-05 20:46 . 2008-05-05 20:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 17:33 --------- d-----w C:\Program Files\UltraVNC
2008-05-31 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-29 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-29 02:14 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-29 02:13 --------- d-----w C:\Program Files\Avanquest update
2008-04-29 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 02:10 24,192 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-29 02:10 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-04-29 02:10 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2008-04-06 20:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-04-06 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_13.57.23.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:54:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 22:44:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 15:22 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2006-09-14 17:43:26 6144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 13:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 13:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 15:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 CrystalCpuInfo;CrystalCpuInfo;C:\Program Files\OCCT\CpuInfo.sys [2003-11-25 08:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 06:46:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 16:49:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 16:50:01
ComboFix-quarantined-files.txt 2008-06-03 21:49:52
ComboFix2.txt 2008-06-03 11:06:32
ComboFix3.txt 2008-06-02 22:46:53
ComboFix4.txt 2008-06-01 21:18:27
ComboFix5.txt 2008-06-01 21:11:47

Pre-Run: 81,690,562,560 bytes free
Post-Run: 81,681,764,352 bytes free

113 --- E O F --- 2008-05-16 08:01:00


HiJack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:21 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.100:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-21-1006533679-1146573019-2186368979-1109\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Office Outlook View Control) - http://activex.microsoft.com/activex/contr...ce/outlctlx.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {449B3922-8132-4764-ADA3-06D654066B9D} (software\DX8100\WebDVR) - http://208.44.158.114/DX8100WebDVR.CAB
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://72.21.231.73/tsweb/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-ps...bex/ieatgpc.cab
O16 - DPF: {EB3921F9-5FEA-4F03-9B53-6DD0B0FA4F59} (DX8100WebDVRLogoin Control) - http://208.44.158.114/DX8100WebDVRLogoin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{953AD55D-65CA-4831-8FE0-BBB123476568}: NameServer = 68.87.77.130,68.87.72.130
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5155 bytes


Thanks again!
Joe

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 03 June 2008 - 04:57 PM

Hi,


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following:

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 brockj

brockj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 03 June 2008 - 06:32 PM

Followed through the steps, things seem to be working much better now. Ran an AV scan and all came back clean. I think I am good to go! Thank you sooo much for your help!

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 04 June 2008 - 12:41 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:19 PM

Posted 09 June 2008 - 07:29 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users