Spamming Spyware/malware


  • This topic is locked
8 replies to this topic

#1 serob

serob

  • Members
  • 38 posts

Posted 02 October 2008 - 12:29 AM

Hi all,

Well seems that I have a problem with computers in my house.

My ISP is detecting spam coming out of my house. This PC is really slow, and closing applications suddenly.

I am attaching the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:25 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\System32\PAStiSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
F:\WINDOWS\System32\HPZipm12.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\Skype\Plugin Manager\skypePM.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [My_Love] C:\Arquivos de programas\My_Love.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Registry Defender] "F:\Program Files\Registry Defender Trial\RegClean.exe"
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PCTAVApp] "F:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LangToLang TurkToEng - http://www.langtolang.com/browserMenu/TurkToEng.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143672972171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143672957702
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - F:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 6129 bytes

Thanks in advance

#2 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts

Posted 05 October 2008 - 03:18 AM

Hi serob,

Welcome to Bleeping Computer.

You've a spamming trojan on board your computer.

This line showed it - O4 - HKLM\..\Run: [My_Love] C:\Arquivos de programas\My_Love.exe

Here's McAfee writeup on it - http://vil.nai.com/vil/content/v_142383.htm

The purpose of this file, according to McAfee, is to capture usernames and passwords and send out spam. According to your ISP, your computer has been sending out spam, which means that your computer is compromised.

I would advise that you do the following immediately:
  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.




Step 1

There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.

If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition
AntiVir Free Edition

Please post back a new HijackThis log after installing the antivirus.

Step 2
  • Open HijackThis.
  • Click on the Open the Misc Tools section button.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please post this log in your next reply.
In your next reply, please post:
  • A new HijackThis log
  • Uninstall List


Done your best? Really?
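As an added example (not from this thread, HijackThis or the Malware Response Team member above), the following Python script triages HijackThis O4 autostart lines the way the reply above reads them by hand: it infers the Windows drive from the smss.exe line under Running processes, then flags Run values that point at another drive (the My_Love entry sits on C: while Windows here is on F:), unquoted command lines containing spaces, and Global Startup shortcuts whose target HijackThis could not resolve (`= ?`). The sample log is constructed from lines quoted in this thread; the heuristics are the editor's own triage aids, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first running process from the posted HijackThis log
# (it gives away the Windows drive) plus a handful of its O4 autostart lines.
SAMPLE_LOG = """\
Running processes:
F:\\WINDOWS\\System32\\smss.exe

O4 - HKLM\\..\\Run: [iTunesHelper] "F:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [My_Love] C:\\Arquivos de programas\\My_Love.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] F:\\WINDOWS\\System32\\ctfmon.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] F:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [CTFMON.EXE] F:\\WINDOWS\\System32\\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: hpoddt01.exe.lnk = ?
"""

# O4 registry form:  O4 - HKLM\..\Run: [ValueName] command line
REG_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 shortcut form:  O4 - Global Startup: name.lnk = resolved target (or ?)
LNK_RE = re.compile(r"^O4 - (?P<folder>\w+ Startup): (?P<name>.+?) = (?P<target>.*)$")
# HijackThis appends "(User 'X')" to entries found under HKEY_USERS hives.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# smss.exe always lives in the Windows directory, so its drive is the system drive.
SMSS_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\WINDOWS\\System32\\smss\.exe$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    name: str          # registry value name or shortcut file name
    path: str          # executable path as HijackThis reported it
    reasons: list = field(default_factory=list)


def system_drive(log_text):
    """Infer the Windows drive letter from the smss.exe line; None if absent."""
    for line in log_text.splitlines():
        m = SMSS_RE.match(line.strip())
        if m:
            return m.group("drive").upper()
    return None


def split_command(cmd):
    """Return (path, was_quoted) for a Run value's command line."""
    cmd = USER_SUFFIX_RE.sub("", cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    # Unquoted: there is no reliable way to split path from arguments in the
    # HijackThis rendering, so the whole value is treated as the path.
    return cmd, False


def triage(log_text):
    """Return the O4 entries that trip at least one heuristic, in log order."""
    sysdrive = system_drive(log_text)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            path, quoted = split_command(m.group("cmd"))
            f = Finding(m.group("name"), path)
            if sysdrive and DRIVE_RE.match(path) and path[0].upper() != sysdrive:
                f.reasons.append(f"drive-mismatch ({path[:2]} vs system drive {sysdrive}:)")
            if not quoted and " " in path:
                f.reasons.append("unquoted-path-with-spaces")
            if f.reasons:
                findings.append(f)
            continue
        m = LNK_RE.match(line)
        if m and m.group("target").strip() == "?":
            findings.append(Finding(m.group("name"), "?", ["shortcut-target-unresolved"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:20} {f.path}")
        for r in f.reasons:
            print(f"{'':20} - {r}")
```

Note that the legitimate TeaTimer entry also trips the unquoted-path heuristic, which is the point: these checks rank entries for a human to look at, and the My_Love line stands out because it trips two at once.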


#3 serob

serob
  • Topic Starter

  • Members
  • 38 posts

Posted 14 October 2008 - 12:30 PM

Thanks for your advice. Below the results:

HJT

======================================================

WINDOWS\System32\notepad.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [My_Love] C:\Arquivos de programas\My_Love.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Registry Defender] "F:\Program Files\Registry Defender Trial\RegClean.exe"
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PCTAVApp] "F:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LangToLang TurkToEng - http://www.langtolang.com/browserMenu/TurkToEng.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143672972171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143672957702
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - F:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 6745 bytes

======================================================

Uninstall

======================================================

Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Apple Software Update
avast! Antivirus
CD Indicadores Municipales
CIF USB CAMERA
Compatibility Pack for the 2007 Office system
DYMO Label Software
Enable S3 for USB Device
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB916089)
Hotfix for Windows XP (KB926239)
hp officejet 6100 series
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
iTunes
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Mensajería Web
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Small Business Edition 2003
Mozilla Firefox (3.0.3)
MSN Music Assistant
PhotoFiltre
Pixie 1.4.1
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
SketchUp 5
Skype™ 3.6
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Uptown Engine
VectorWorks 11
VIA Audio Driver Setup Program
VideoCAM GF112
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 2

======================================================

#4 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts

Posted 16 October 2008 - 06:34 AM

Hi serob,

Step 1

Please disable Spybot Teatimer temporarily as it may interfere with the fixes.
  • Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  • Click on Mode > Advanced Mode. When it prompts you, click Yes.
  • On the left hand side, click on Tools.
  • Check (tick) this box if it is not yet ticked: Resident.
  • You will notice that Resident is now added under Tools. Click on Resident.
  • Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  • Exit Spybot Search & Destroy.
  • Restart your computer for the changes to take effect.
Step 2

Please disable avast! Antivirus temporarily as it may interfere with the fixes.
  • Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
  • Right click on avast! Antivirus icon and select Program Settings.
  • On the left, click on Troubleshooting.
  • Uncheck (untick) this box - Disable avast! self-defense module.
  • Click OK to apply the settings.
Step 3

Please download Combofix from one of these locations:

Link 1
Link 2
Link 3

Save it to your desktop.
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.


    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:
  • Combofix log (F:\Combofix.txt)
  • A new HijackThis log


Done your best? Really?


#5 serob

serob
  • Topic Starter

  • Members
  • 38 posts

Posted 21 October 2008 - 07:11 PM

Hi,


Here is the log:

ComboFix 08-10-19.04 - Gaby 2008-10-21 17:54:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.92 [GMT -6:00]
Running from: F:\Documents and Settings\Gaby\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\Gaby\Cookies\hpothb07.dat
F:\Documents and Settings\Gaby\Cookies\hpothb07.tif
F:\Documents and Settings\Gaby\Local Settings\Temporary Internet Files\hpothb07.dat
F:\Documents and Settings\Gaby\Local Settings\Temporary Internet Files\hpothb07.tif
F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\hpothb07.dat
F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\hpothb07.tif
F:\RECYCLER\Autorizacion Bco Interfin.tif
F:\RECYCLER\Banca #2.jpg
F:\RECYCLER\Banca.jpg
F:\RECYCLER\Bank Of America Firma.tif
F:\RECYCLER\Bodega.jpg
F:\RECYCLER\Cedula Varin.tif
F:\RECYCLER\Certificado Medico USA.jpg
F:\RECYCLER\Compu Robert.jpg
F:\RECYCLER\Cotizacion Porton.jpg
F:\RECYCLER\Desarrollo del Pacifico.tif
F:\RECYCLER\Desarrollo.jpg
F:\RECYCLER\Doc Varo#1.tif
F:\RECYCLER\Documento Automercado 20-07-06.tif
F:\RECYCLER\Envio TNT Agosto,07.jpg
F:\RECYCLER\Examen Ana.jpg
F:\RECYCLER\hpothb07.dat
F:\RECYCLER\hpothb07.tif
F:\RECYCLER\ILS Rwy 28R CAT II&III.jpg
F:\RECYCLER\Musica El amor es la razon.mid
F:\RECYCLER\nutricion_logo.gif
F:\RECYCLER\nutricion_logo[1].gif
F:\RECYCLER\Pago Mapache Oct,07.tif
F:\RECYCLER\pasaporte.bmp
F:\RECYCLER\Pepi Indicaciones.tif
F:\RECYCLER\Pijama.jpg
F:\RECYCLER\Plantas Doina 2
F:\RECYCLER\sabanas-divertidas-pareja-desnudos.jpg
F:\RECYCLER\Scan0001.tif
F:\RECYCLER\Scan0002.tif
F:\RECYCLER\Scan0003.tif
F:\RECYCLER\Scan0004.tif
F:\RECYCLER\Scan0005.tif
F:\RECYCLER\Scan0006.tif
F:\RECYCLER\Scan0007.tif
F:\RECYCLER\Scan0008.tif
F:\RECYCLER\Scan0009.tif
F:\RECYCLER\Scan0010.tif
F:\RECYCLER\Scan0011.tif
F:\RECYCLER\Scan0012.tif
F:\RECYCLER\Scan0015.tif
F:\RECYCLER\Scan0017.tif
F:\RECYCLER\Scan0018.tif
F:\RECYCLER\Serv Sea Bird # 3 Dic.jpg
F:\RECYCLER\Servic Sea Bird # 3 Nov.jpg
F:\RECYCLER\Servic Sea Bird # 3 SET.jpg
F:\RECYCLER\Sillas.jpg
F:\RECYCLER\SORPRESA.jpg
F:\RECYCLER\T3.tif
F:\RECYCLER\Tarjeta 2005.tif
F:\RECYCLER\Thanksgiving.jpg
F:\RECYCLER\Tito1.tif
F:\RECYCLER\TNT 05-09-06
F:\RECYCLER\TNT 05-09-06.tif
F:\RECYCLER\Torre de apartamento Vista al lago.jpg
F:\RECYCLER\Veritas.jpg
F:\WINDOWS\IE4 Error Log.txt
F:\WINDOWS\system32\dbxDgrevCheck.dll
F:\WINDOWS\system32\UpMedia
F:\WINDOWS\system32\UpMedia\uninstallSE.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-15 14:10 . 2008-10-15 14:10 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-10-15 14:10 . 2008-10-15 14:10 1,409 --a------ F:\WINDOWS\QTFont.for
2008-10-07 09:44 . 2008-10-07 09:44 <DIR> d-------- F:\Documents and Settings\Administrator
2008-10-07 09:44 . 2007-10-19 22:15 0 --ah----- F:\Documents and Settings\Administrator\hpothb07.dat
2008-10-06 23:17 . 2008-10-06 23:17 <DIR> d-------- F:\Program Files\Alwil Software
2008-10-05 09:53 . 2008-10-06 21:21 <DIR> d-a------ F:\Documents and Settings\All Users\Application Data\TEMP
2008-10-05 09:51 . 2008-10-05 09:51 <DIR> d-------- F:\Program Files\Common Files\PC Tools
2008-10-01 23:23 . 2008-10-01 23:23 <DIR> d-------- F:\Program Files\Trend Micro
2008-10-01 23:09 . 2008-10-01 23:09 0 --a------ F:\WINDOWS\nsreg.dat
2008-10-01 23:04 . 2008-10-01 23:05 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2008-10-01 23:04 . 2008-10-05 09:52 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 23:00 . 2008-10-01 22:58 102,664 --a------ F:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-01 22:58 . 2008-10-01 23:00 <DIR> d-------- F:\Documents and Settings\Gaby\.housecall6.6
2008-10-01 22:56 . 2008-10-01 22:57 <DIR> d-------- F:\WINDOWS\BDOSCAN8
2008-09-29 21:56 . 2008-10-06 22:06 <DIR> d-------- F:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 19:06 --------- d-----w F:\Program Files\LimeWire
2008-10-02 08:11 --------- d-----w F:\Documents and Settings\Gaby\Application Data\Skype
2008-10-01 22:02 --------- d-----w F:\Documents and Settings\Gaby\Application Data\skypePM
2008-08-29 17:16 --------- d-----w F:\Program Files\Java
2008-08-25 16:12 --------- d-----w F:\Program Files\MSECache
2008-02-02 16:11 32 ----a-w F:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-10-20 04:15 164 ---ha-w F:\Documents and Settings\All Users\hpothb07.dat
2007-10-20 04:15 161 ---ha-w F:\Documents and Settings\Gaby\hpothb07.dat
2007-10-20 04:15 0 ---ha-w F:\Documents and Settings\Default User\hpothb07.dat
2007-10-20 04:15 0 ---ha-w F:\Documents and Settings\Casa\hpothb07.dat
2007-03-06 00:50 9,878,506 ----a-w F:\Program Files\Scan0002.tif
2007-03-01 18:55 374 ----a-w F:\Documents and Settings\Gaby\Application Data\internaldb6334.dat
2007-03-01 18:16 18,432 ----a-w F:\Documents and Settings\Gaby\Application Data\internaldb41.dat
2007-03-01 18:13 538 ----a-w F:\Documents and Settings\Gaby\Application Data\internaldb8467.dat
2006-10-19 21:27 526 ---ha-w F:\Documents and Settings\NetworkService\hpothb07.dat
2006-09-13 04:41 0 ---ha-w F:\Documents and Settings\LocalService\hpothb07.dat
2006-09-13 04:32 0 ---ha-w F:\Documents and Settings\Gaby\Application Data\hpothb07.dat
.

------- Sigcheck -------

2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 F:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2001-08-23 06:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a F:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
2002-08-29 04:41 599040 f3587750a7481dccbea13d473a0700be F:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2002-08-29 04:41 599040 f3587750a7481dccbea13d473a0700be F:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-04 01:56 656384 c0823fc5469663ba63e7db88f9919d70 F:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 F:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\System32\ctfmon.exe" [2002-08-29 13312]
"msnmsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-01-10 385024]
"avast!"="F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 13312]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-18 113664]
hpoddt01.exe.lnk - F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
officejet 6100.lnk - F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-06 147456]

R1 aswSP;avast! Self Protection;F:\WINDOWS\System32\drivers\aswSP.sys [2008-07-19 78416]
R3 ati2mpaa;ati2mpaa;F:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
R3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);F:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 49920]
S2 aswFsBlk;aswFsBlk;F:\WINDOWS\System32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 PAC207;VideoCAM GF112;F:\WINDOWS\System32\DRIVERS\pfc027.sys [2005-04-08 162176]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2006-10-29 F:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1143697002.job
- F:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-10-21 F:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1143697338.job
- F:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-10-21 F:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1161125162.job
- F:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Registry Defender - F:\Program Files\Registry Defender Trial\RegClean.exe
HKCU-Run-updateMgr - F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-PCTAVApp - F:\Program Files\PC Tools AntiVirus\PCTAV.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - F:\Documents and Settings\Gaby\Application Data\Mozilla\Firefox\Profiles\29fybq03.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 17:57:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-21 18:04:08
ComboFix-quarantined-files.txt 2008-10-22 00:03:53

Pre-Run: 64,598,581,248 bytes free
Post-Run: 65,181,093,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
F:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

187 --- E O F --- 2008-10-15 09:05:21

===============================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:19 PM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\System32\PAStiSvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\WINDOWS\System32\HPZipm12.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LangToLang TurkToEng - http://www.langtolang.com/browserMenu/TurkToEng.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .m4a: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143672972171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143672957702
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - F:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 6358 bytes

--------------------------------
Thanks for your guide!

#6 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts
  • Location:Everywhere
  • Local time:11:41 PM

Posted 22 October 2008 - 09:53 AM

Hi serob,

Please go to Virus Total or Jotti and upload F:\Documents and Settings\Gaby\Application Data\internaldb6334.dat for scanning.

For Virus Total
  • Please copy and paste F:\Documents and Settings\Gaby\Application Data\internaldb6334.dat in the text box next to the Browse button.
  • Click on Send File.
For Jotti
  • Please copy and paste F:\Documents and Settings\Gaby\Application Data\internaldb6334.dat in the text box next to the Browse button.
  • Click on Submit.


Done your best? Really?


#7 serob

serob
  • Topic Starter

  • Members
  • 38 posts
  • Local time:11:41 AM

Posted 27 October 2008 - 11:32 AM

ndmmxiaomayi

Thanks for your help. I had my connection to the internet suspended even when I disconnected my PC, so I decided to format it and start over with protection from the advised antivirus; everything's fine now.

Thanks, you may close this topic. I appreciate your time and effort, you guys rock!

Serob

#8 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts
  • Location:Everywhere
  • Local time:11:41 PM

Posted 28 October 2008 - 07:17 AM

Good luck with the new PC! :thumbsup:

Here are some ways to prevent an infection again.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:
  • Go to Start > Control Panel > Automatic Updates
  • Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  • Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  • Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.
  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.
Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 6
  • Open Internet Explorer. Click on Tools > Options.
  • Click on the Security tab.
  • Click on the Internet icon.
  • Click on the Custom Level button.
  • Under Download signed ActiveX controls, select Prompt.
  • Under Download unsigned ActiveX controls, select Disable.
  • Under Initialize and script ActiveX controls not marked as safe, select Disable.
  • Under Installation of desktop items, select Prompt.
  • Under Launching programs and files in an IFRAME, select Prompt.
  • Under Navigate sub-frames across different domains, select Prompt.
  • Under Allow paste operations via script, select Disable.
  • Click OK to apply these settings.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Press OK to exit the Internet Properties page.
For a pictorial guide, please refer to this article.

For Internet Explorer 7

If you intend to upgrade to Internet Explorer 7, please read this article to configure Internet Explorer 7 properly.

Stop malicious scripts

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection
  • Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

  • SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spyware.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can read SpywareGuard's tutorial at Bleeping Computer.

  • Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    These Hosts files will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  • Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only that, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  • SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware, or has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
Here are some more things to read about:

List of clean and infected download managers
Securing Skype
Greater email safety
Phishing - what is it?
Configuring Outlook Express
80 Super Security Tips

Done your best? Really?

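The "Hosts File" item in the post above describes a hosts file as a phone book that is consulted before DNS, with block lists mapping bad sites to 127.0.0.1. The following is an added example, not code from the post or from any of the hosts-file projects it links; it parses a small constructed hosts file (the host names are made up and not from any real list), mimics the lookup step, and reports which names are blocked (sent to loopback or 0.0.0.0) versus pointed at a real address, which is the check worth running on a hosts file you did not write yourself.

```python
# Added example: parse a hosts file, resolve names against it, and tell
# block entries (loopback / 0.0.0.0) apart from entries that point a name
# at a routable address. The sample content below is constructed.
import ipaddress

SAMPLE_HOSTS = """\
# Constructed sample in hosts-file format (not a real MVPS/hpHosts list)
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test   # ad server, blocked
127.0.0.1       spyware.example.test        www.spyware.example.test
0.0.0.0         tracker.example.test        # some lists use 0.0.0.0 instead
203.0.113.5     update.example-vendor.test  # NOT a block entry: routable address
"""


def parse_hosts(text):
    """Return a dict mapping lower-cased hostname -> address string.

    Comments (#) and blank lines are skipped, one address may be followed by
    several names, and the first mapping seen for a name wins; later
    duplicates are ignored. Lines whose first field is not a valid IP
    address are skipped rather than trusted.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no names: malformed, ignore
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolve(mapping, hostname):
    """The hosts-file step of name resolution: the mapped address, or None
    when the name is absent and lookup would fall through to DNS."""
    return mapping.get(hostname.lower().rstrip("."))


def is_blocked(mapping, hostname):
    """True when the hosts file sends the name to loopback or 0.0.0.0, i.e.
    the browser will never reach the real site."""
    addr = resolve(mapping, hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def non_blocking_entries(mapping):
    """Names the file points at a routable address. A blocking hosts list
    should contain none of these; anything listed here deserves a look."""
    return sorted(name for name in mapping if not is_blocked(mapping, name))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adserver.test", "unknown.example.test"):
        print(name, "->", resolve(hosts, name), "blocked:", is_blocked(hosts, name))
    print("entries pointing at routable addresses:", non_blocking_entries(hosts))
```

On a real Windows XP machine the file this models lives at `%SystemRoot%\system32\drivers\etc\hosts`; reading that file into `parse_hosts` and printing `non_blocking_entries` is a quick way to confirm that a downloaded block list only contains redirects to 127.0.0.1 or 0.0.0.0, as the post says it should.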

#9 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts
  • Location:Everywhere
  • Local time:11:41 PM

Posted 28 October 2008 - 07:19 AM

As this topic appears to be solved... it is now closed.

If you need it re-opened, please send a message to a member of the moderating team. This applies to the topic starter.

Everyone else please start a new topic.

Done your best? Really?
