
Constant Disk Access: WinTV, zlclient, vsmon, rasphone.pbk, sessionstore-1.js


This topic is locked
14 replies to this topic

#1 paultomasi

  • Members
  • 24 posts

Posted 27 December 2008 - 04:41 PM

My hard disk drive is constantly being accessed. This interferes with my WinTV which already gobbles up between 27% and 45% of my CPU time.

In Filemon, the following processes are constantly accessing my hard disk drive:

WinTV.exe
WinPatrol.exe
zlclient.exe
vsmon.exe
svchost.exe
csrss.exe
lsass.exe

There are issues with rasphone.pbk and errors with csrss.exe (Attributes: ERROR), and sessionstore.js seems to get corrupted according to System | Event Properties. I also get DCOM timeouts, and BACKUP.RDB is reportedly corrupt and unreadable.

I am unconvinced my PC is clean and I seek help from this forum to identify possible malware infection. I have run HijackThis. Please see below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47:58, on 27/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Paul\Desktop\Filemon.exe
C:\install\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.34.181.45 s # slashdot.org
O1 - Hosts: 216.239.39.99 g # google.com
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R340 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S1AD.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-21-1177238915-602162358-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1177238915-602162358-725345543-1003\..\Run: [EPSON Stylus Photo R340 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S1AD.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S45.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S45.tmp" /EF "HKCU" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191672037265
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191671767265
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5558 bytes
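The HijackThis log above is the raw material the helpers work from. As an added example (not a BleepingComputer or HijackThis tool), the Python below parses that `Oxx - description` line format and lists the entries a reviewer would check first: hosts-file overrides, an unrecognised Winsock LSP, downloaded ActiveX controls and services with a missing binary or unknown owner. The sample lines are copied from the log above; the suspect-directory list and the verdict wording are constructed heuristics for prioritising review, not a malware determination.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.34.181.45 s # slashdot.org
O1 - Hosts: 216.239.39.99 g # google.com
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<addr>\S+) (?P<name>\S+)")
RUN_RE = re.compile(r"^.*\\Run(?:Once)?: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)")

# Hosts entries Windows ships by default; anything else is an override worth checking.
DEFAULT_HOSTS = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
}
# Constructed heuristic: locations from which an autostart binary rarely belongs.
SUSPECT_RUN_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")


def parse_lines(text):
    """Yield (section, body) for every HijackThis entry line, skipping other text."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def executable_of(cmd):
    """Return the program path from a Run command; handles quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first known extension.
    low = cmd.lower()
    hits = [low.find(ext) + len(ext) for ext in (".exe", ".dll", ".scr", ".bat", ".cmd") if ext in low]
    if hits:
        return cmd[: min(hits)]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Return findings as (section, reason, detail) tuples, in log order."""
    findings = []
    for section, body in parse_lines(text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and (m.group("addr"), m.group("name")) not in DEFAULT_HOSTS:
                findings.append((section, "hosts-file override", f"{m.group('name')} -> {m.group('addr')}"))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = executable_of(m.group("cmd"))
                if any(d in exe.lower() for d in SUSPECT_RUN_DIRS):
                    findings.append((section, "autostart from user-writable/temp location", exe))
        elif section == "O10":
            findings.append((section, "Winsock LSP not recognised by HijackThis", body.split(": ", 1)[-1]))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlparse(m.group("url")).hostname or "?"
                findings.append((section, "ActiveX control downloaded from " + host, m.group("desc")))
        elif section == "O23":
            reasons = []
            if "(file missing)" in body:
                reasons.append("binary missing")
            if "Unknown owner" in body:
                reasons.append("unknown owner")
            if reasons:
                findings.append((section, "service: " + ", ".join(reasons), body.split(": ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason:<48} {detail}")
```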



#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 07 January 2009 - 03:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system, please.
Please hold on; it may take us a day or so to get back to you.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 12 January 2009 - 09:38 AM

Due to the lack of feedback, this Topic is now closed.

If you still have problems, please Start a new topic.

R,
K

#4 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 13 January 2009 - 08:37 PM

Thread reopened at member's request.

Edited by KoanYorel, 13 January 2009 - 08:38 PM.


#5 paultomasi

  • Topic Starter
  • Members
  • 24 posts

Posted 13 January 2009 - 09:18 PM

Dear Koan Yorel

Thank you for your assistance and for re-opening this thread, which, due to ongoing problems with my PC, I was unable to respond to much sooner.

By way of information, I offer the following 'scattered' diary of events leading up to my problems.

*** XP SP3 was installed (prior to re-installing XP)
*** MS ReadyState was installed
*** MS ReadyState was uninstalled but still shows presence in Add/Remove Programs - unable to remove
*** .NET was removed
*** IIS was removed
*** Most Macromedia MX applications Uninstalled
*** Had lots of problems with DCOM
*** Re-installed XP over original installation
*** Re-installed XP SP2 (XP shows: Build 2600.xpsp2_rtm.040803-2158 (Service Pack 2))
*** Re-installed WinTV
*** Disabled file indexing
*** When opening Windows Explorer or accessing folders from drop-down open/save dialog boxes, system takes about 5 minutes to refresh folders/files
*** Not yet re-installed XP SP3
*** Problems with WIA (probably scanner related)
*** Not yet re-installed applications
*** IE / Firefox asks to enable java - Internet properties reports Java already enabled
*** Macromedia Dreamweaver uninstalled but still shows presence in this file
*** Macromedia Extension Manager uninstalled but still shows presence in this file
*** Numerous Userenv (Application Event ID 1517 & 1524) errors (in Event Viewer)
*** COM+ (Application Event ID 4609) errors
*** Numerous {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register with DCOM (System Event ID 10010) errors
*** Numerous "Application popup: Windows - Corrupt File: C:\WINDOWS\Internet Logs\BACKUP.RDB is corrupt and unreadable" (System Event ID 26) errors
*** Continuous "You have...JavaScript turned off...or old version of...flash" message in IE / FF despite repeated update
*** Uninstalled Java
*** Uninstalled Flash
*** Uninstalled ActiveX
*** Disabled all browser add-ons
***
*** Main concern at present: Possible Malware, viral infection
*** Installed and ran Avast (thorough scan): No issues

UPDATE:

*** Uninstalled Avast.
*** Installed Antivir - ISSUES FOUND; however, not sure how reliable this is
*** Issues found:
*** tp.exe = BDS/SmallX.VX back-door
*** Spyhunter1.zip = GEN/PwdZIP
*** C:\System Volume Information\...\A0017786.exe = BDS/SmallX.VX back-door
*** C:\Windows\System32\accept.txt = TR/Dropper.Gen trojan
*** All quarantined


Output from DDS performed BEFORE update information above.

I have also attached a compressed copy of attach.txt

I await further instructions.

Yours faithfully

P.T.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Paul at 11:38:15.65 on 10/01/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title =
uInternet Settings,ProxyOverride = *.local
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre1.6.0_10\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo R340 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaje.exe /fu "c:\windows\temp\E_S1AD.tmp" /EF "HKCU"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaje.exe /fu "c:\windows\temp\E_S45.tmp" /EF "HKCU"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
mPolicies-system: HideFastUserSwitching = 1 (0x1)
Notify: !SASWinLogon -
Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\92zvhkbk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-10 00:28 30,080 a------- c:\windows\system32\drivers\RKHit.sys
2009-01-10 00:21 42 a------- c:\windows\system32\AK083E209605E394C.lie
2008-12-31 20:41 <DIR> --d----- C:\WEBFILE
2008-12-31 13:53 410,976 a------- c:\windows\system32\deploytk.dll
2008-12-30 09:08 87,936 a------- c:\windows\7-zip.chm
2008-12-30 09:08 527,360 a------- c:\windows\7za.exe
2008-12-28 01:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-28 01:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-28 01:45 <DIR> --d----- c:\docume~1\paul\applic~1\SUPERAntiSpyware.com
2008-12-28 01:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-24 07:58 <DIR> --d----- c:\documents and settings\paul\.housecall6.6
2008-12-23 02:11 616,762 a------- c:\windows\system32\EPSON ON EDIMAX
2008-12-22 03:56 4 a------- c:\windows\system32\catroot2
2008-12-22 01:18 0 a------- c:\windows\exctrlst.INI
2008-12-21 01:52 <DIR> --d----- c:\program files\WinPcap
2008-12-21 01:52 <DIR> --d----- c:\program files\Nmap
2008-12-19 23:06 <DIR> --d----- c:\program files\WinTV
2008-12-19 19:29 <DIR> --d----- c:\program files\msn gaming zone
2008-12-19 19:19 96,768 -c------ c:\windows\system32\dllcache\dpcdll.dll
2008-12-19 19:19 380,416 -------- c:\windows\system32\irprops.cpl
2008-12-19 19:19 162,304 ac------ c:\windows\system32\dllcache\wuaucpl.cpl
2008-12-19 19:19 162,304 a------- c:\windows\system32\wuaucpl.cpl
2008-12-19 19:19 162,304 a------- c:\windows\system32\wuaucpl..........old.cpl
2008-12-19 19:17 120,320 ac------ c:\windows\system32\dllcache\wuweb.dll
2008-12-19 19:17 430,592 ac------ c:\windows\system32\dllcache\wuapi.dll
2008-12-19 19:16 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-19 19:10 19,528 a------- c:\windows\002875_.tmp
2008-12-19 19:10 <DIR> --d----- c:\windows\system32\ReinstallBackups
2008-12-19 03:20 <DIR> --d----- c:\docume~1\paul\applic~1\WinPatrol
2008-12-19 03:20 <DIR> --d----- c:\program files\BillP Studios
2008-12-18 06:41 <DIR> --d----- C:\Backup ----
2008-12-16 20:30 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2008-12-16 20:30 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2008-12-16 20:30 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2008-12-16 20:30 17,408 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2008-12-16 20:30 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2008-12-16 20:30 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2008-12-16 20:30 34,890 ac------ c:\windows\system32\dllcache\wlandrv2.sys
2008-12-16 20:30 771,581 ac------ c:\windows\system32\dllcache\winacisa.sys
2008-12-16 20:30 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2008-12-16 20:30 53,760 ac------ c:\windows\system32\dllcache\wiamsmud.dll
2008-12-16 20:30 701,386 ac------ c:\windows\system32\dllcache\wdhaalba.sys
2008-12-16 20:30 35,871 ac------ c:\windows\system32\dllcache\wbfirdma.sys
2008-12-16 20:28 252,032 ac------ c:\windows\system32\dllcache\sis300iv.dll
2008-12-16 20:27 1,738,496 ac------ c:\windows\system32\dllcache\nv4.dll
2008-12-16 20:26 16,128 ac------ c:\windows\system32\dllcache\modemcsa.sys
2008-12-16 20:25 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
2008-12-16 20:24 45,568 ac------ c:\windows\system32\dllcache\esunib.dll
2008-12-16 20:23 9,344 ac------ c:\windows\system32\dllcache\compbatt.sys
2008-12-16 20:22 266,368 ac------ c:\windows\system32\dllcache\ati2draa.dll
2008-12-16 07:33 113,222 ac------ c:\windows\system32\dllcache\zoneclim.dll
2008-12-16 07:32 32,339 ac------ c:\windows\system32\dllcache\uniansi.dll
2008-12-16 07:31 126,976 ac------ c:\windows\system32\dllcache\mshearts.exe
2008-12-16 07:30 132,608 ac------ c:\windows\system32\dllcache\fxsclntr.dll
2008-12-16 07:29 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2008-12-16 07:22 61,440 ac------ c:\windows\system32\dllcache\icwres.dll
2008-12-16 07:22 40,960 ac------ c:\windows\system32\dllcache\trialoc.dll
2008-12-16 07:22 73,728 ac------ c:\windows\system32\dllcache\icwtutor.exe
2008-12-16 07:15 13,608 a----r-- c:\windows\SET7C.tmp
2008-12-16 07:15 1,085,913 a----r-- c:\windows\SET71.tmp
2008-12-16 07:12 536,403,968 a------- c:\windows\MEMORY.DMP
2008-12-15 22:17 11,776 ac------ c:\windows\system32\dllcache\bdasup.sys
2008-12-15 22:17 11,776 a------- c:\windows\system32\drivers\BdaSup.sys
2008-12-15 22:13 13,608 a----r-- c:\windows\SET79.tmp
2008-12-15 22:13 1,085,913 a----r-- c:\windows\SET70.tmp
2008-12-15 14:04 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2008-12-15 14:03 6,400 a------- c:\windows\system32\drivers\splitter.sys
2008-12-15 13:48 13,608 a----r-- c:\windows\SET78.tmp
2008-12-15 13:48 1,085,913 a----r-- c:\windows\SET6F.tmp
2008-12-15 13:46 65,536 a------- c:\windows\DUMP94ae.tmp
2008-12-15 12:52 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2008-12-15 12:52 749 a---hr-- c:\windows\WindowsShell.Manifest
2008-12-15 12:52 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-15 12:52 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2008-12-15 12:52 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2008-12-15 12:52 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2008-12-15 12:51 <DIR> --d----- c:\program files\Online Services
2008-12-15 12:50 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-12-15 12:49 183,808 a------- c:\windows\system32\accwiz.exe
2008-12-15 12:46 5,504 a------- c:\windows\system32\drivers\mstee.sys
2008-12-15 12:46 19,328 a------- c:\windows\system32\drivers\wstcodec.sys
2008-12-15 12:46 17,024 a------- c:\windows\system32\drivers\ccdecode.sys
2008-12-15 12:46 85,376 a------- c:\windows\system32\drivers\nabtsfec.sys
2008-12-15 12:45 90,624 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2008-12-15 12:45 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2008-12-15 12:45 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-15 12:45 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2008-12-15 12:45 35,328 ac------ c:\windows\system32\dllcache\psisload.dll
2008-12-15 12:45 90,624 a------- c:\windows\system32\kswdmcap.ax
2008-12-15 12:45 61,952 a------- c:\windows\system32\kstvtune.ax
2008-12-15 12:45 53,760 a------- c:\windows\system32\vfwwdm32.dll
2008-12-15 12:45 43,008 a------- c:\windows\system32\ksxbar.ax
2008-12-15 12:45 35,328 a------- c:\windows\system32\PsisLoad.dll
2008-12-15 12:45 57,472 a------- c:\windows\system32\drivers\redbook.sys
2008-12-15 12:43 66,591 ac------ c:\windows\system32\dllcache\el90xbc5.sys
2008-12-15 12:43 66,591 a------- c:\windows\system32\drivers\el90xbc5.sys
2008-12-15 12:19 4,096 a------- c:\windows\system32\ksuser.dll
2008-12-15 12:19 130,048 a------- c:\windows\system32\ksproxy.ax
2008-12-15 12:19 196,864 a------- c:\windows\system32\drivers\rdpdr.sys
2008-12-15 12:19 40,840 a------- c:\windows\system32\drivers\termdd.sys
2008-12-15 12:18 22,016 ac------ c:\windows\system32\dllcache\agt0408.dll
2008-12-15 12:18 19,968 ac------ c:\windows\system32\dllcache\agt040e.dll
2008-12-15 12:18 19,456 ac------ c:\windows\system32\dllcache\agt041f.dll
2008-12-15 12:18 19,456 ac------ c:\windows\system32\dllcache\agt0419.dll
2008-12-15 12:18 19,456 ac------ c:\windows\system32\dllcache\agt0415.dll
2008-12-15 12:18 19,456 ac------ c:\windows\system32\dllcache\agt0405.dll
2008-12-15 12:15 1,035,820 a------- c:\windows\setupapi.log.0.old
2008-12-13 14:06 <DIR> --d----- c:\program files\AVG
2008-12-13 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-01-10 03:43 20,467,744 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-10 03:43 244,124 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-16 07:26 86,665 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-16 07:21 22,704 ac------ c:\windows\system32\emptyregdb.dat
2008-12-15 13:35 65,536 a------- c:\windows\DUMPf184.tmp
2008-11-21 13:15 2,855 a------- c:\windows\system32\command.PIF
2008-01-16 15:52 5,120 ac-sh--- c:\program files\Thumbs.db

============= FINISH: 11:38:51.23 ===============




#6 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 12:53 AM

Hang on. Another will be coming to assist.

#7 Tomk_

    Malware Eradicator

  • Malware Response Team
  • 686 posts

Posted 14 January 2009 - 06:03 AM

Hi paultomasi,

Welcome to Bleeping Computer

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.
I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

#8 paultomasi

  • Topic Starter
  • Members
  • 24 posts

Posted 14 January 2009 - 11:24 AM

TomK....

Thank you for your speedy reply. I do not understand why this was passed on to you; however, I am happy to continue to be guided by you.

#9 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 11:54 AM

TomK is one of our HJT techs who can help you.
I'm just a responder. You can trust them to help you.

#10 paultomasi

  • Topic Starter
  • Members
  • 24 posts

Posted 15 January 2009 - 08:31 AM

(Thank you, KoanYorel)

TomK....

Procedures carried out as instructed.

(1) ATF Cleaner successfully completed.
(2) Anti-Malware Log File successfully completed.
(3) Lop S&D Log File successfully completed.
(4) HijackThis Log File successfully completed.


According to my own untrained casual observations, there are no issues affecting my computer; however, the following were dealt with 24 hours ago using Antivir:

tp.exe = BDS/SmallX.VX back-door
Spyhunter1.zip = GEN/PwdZIP
C:\System Volume Information\...\A0017786.exe = BDS/SmallX.VX back-door
C:\Windows\System32\accept.txt = TR/Dropper.Gen trojan

Whether any of these were genuine threats and whether any of these contributed to my problems I cannot tell for sure.


===============================================================================
Malwarebytes' Anti-Malware Log File
===============================================================================

Malwarebytes' Anti-Malware 1.32
Database version: 1653
Windows 5.1.2600 Service Pack 2

14/01/2009 17:05:28
mbam-log-2009-01-14 (17-05-28).txt

Scan type: Quick Scan
Objects scanned: 57094
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


===============================================================================
Lop S&D Log File
===============================================================================

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

( : )
USER : Paul ( Administrator )

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 14/01/2009|17:20 )

--------------------\\ Listing folders in APPLIC~1

[13/11/2008|21:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
[13/11/2008|21:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\Business Logic
[13/11/2008|21:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[13/11/2008|21:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia
[24/12/2008|00:48] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[13/11/2008|21:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla

[10/01/2009|02:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[14/01/2009|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[30/11/2008|14:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\EA
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\EPSON
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InterVideo
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\iTripoli
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\LGMOBILEAX
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Maxtor
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
[14/12/2008|00:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\PrevxCSI
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SnapStream
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
[28/12/2008|01:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\UDL
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[13/11/2008|21:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller


[15/12/2008|12:56] C:\DOCUME~1\DEFAUL~1\APPLIC~1\DivX
[13/11/2008|21:20] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[24/12/2008|00:48] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[24/12/2008|00:48] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

[10/01/2009|03:07] C:\DOCUME~1\Paul\APPLIC~1\Adobe
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Ahead
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Dev-Cpp
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\DivX
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\EPSON
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\GlobalSCAPE
[14/12/2008|10:26] C:\DOCUME~1\Paul\APPLIC~1\Google
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Help
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Identities
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Incredible Ink
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\iTripoli
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Jasc Software Inc
[09/12/2008|11:40] C:\DOCUME~1\Paul\APPLIC~1\KillProcess
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\LG Electronics
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Macromedia
[14/12/2008|00:32] C:\DOCUME~1\Paul\APPLIC~1\MailWasherFree
[14/01/2009|16:52] C:\DOCUME~1\Paul\APPLIC~1\Malwarebytes
[16/12/2008|08:02] C:\DOCUME~1\Paul\APPLIC~1\Microsoft
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Microsoft Web Folders
[14/12/2008|23:11] C:\DOCUME~1\Paul\APPLIC~1\Mozilla
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Notepad++
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Nvu
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\OfficeUpdate12
[05/12/2008|02:18] C:\DOCUME~1\Paul\APPLIC~1\Red Chair Software
[13/11/2008|21:20] C:\DOCUME~1\Paul\APPLIC~1\Sun
[28/12/2008|01:45] C:\DOCUME~1\Paul\APPLIC~1\SUPERAntiSpyware.com
[13/11/2008|21:21] C:\DOCUME~1\Paul\APPLIC~1\Symantec
[19/11/2008|13:09] C:\DOCUME~1\Paul\APPLIC~1\U3
[13/11/2008|21:21] C:\DOCUME~1\Paul\APPLIC~1\Ulead Systems
[13/11/2008|21:21] C:\DOCUME~1\Paul\APPLIC~1\VideoReDoPlus
[19/12/2008|03:20] C:\DOCUME~1\Paul\APPLIC~1\WinPatrol

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[22/12/2008 12:37][--ah-----] C:\WINDOWS\tasks\SA.DAT
[23/08/2001 12:00][---h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[13/11/2008|21:21] C:\Program Files\3GP Player
[20/11/2008|04:08] C:\Program Files\Active Ports
[10/01/2009|02:49] C:\Program Files\Adobe
[13/01/2009|02:45] C:\Program Files\Alwil Software
[13/12/2008|14:06] C:\Program Files\AVG
[14/01/2009|00:36] C:\Program Files\Avira
[13/11/2008|21:23] C:\Program Files\AvRack
[13/11/2008|21:23] C:\Program Files\BBC BASIC for Windows
[19/12/2008|03:20] C:\Program Files\BillP Studios
[03/01/2009|13:39] C:\Program Files\Cakewalk Home Studio 9
[13/11/2008|21:23] C:\Program Files\CDex_170b2
[13/11/2008|21:23] C:\Program Files\Cedelia
[10/01/2009|03:06] C:\Program Files\Common Files
[19/11/2008|06:58] C:\Program Files\Compaq
[13/11/2008|21:24] C:\Program Files\CrazyFrog2
[13/11/2008|21:24] C:\Program Files\CyberLink
[13/11/2008|21:24] C:\Program Files\Devnz
[13/11/2008|21:24] C:\Program Files\DivX
[13/11/2008|21:24] C:\Program Files\DOSBox
[13/11/2008|21:24] C:\Program Files\DVD Decrypter
[13/11/2008|21:24] C:\Program Files\DVD Shrink
[13/11/2008|21:24] C:\Program Files\EPSON
[15/11/2008|13:26] C:\Program Files\EPSON Print CD
[17/12/2008|11:13] C:\Program Files\FlexHEX
[13/11/2008|21:24] C:\Program Files\Ghostgum
[13/11/2008|21:24] C:\Program Files\GlobalSCAPE
[17/12/2008|11:57] C:\Program Files\Google
[13/11/2008|21:24] C:\Program Files\GSpot
[20/12/2008|17:10] C:\Program Files\InstallShield Installation Information
[22/11/2008|18:13] C:\Program Files\InterMute
[19/12/2008|20:16] C:\Program Files\Internet Explorer
[17/12/2008|11:24] C:\Program Files\iPod
[13/11/2008|21:24] C:\Program Files\iTripoli
[13/11/2008|21:25] C:\Program Files\Jasc Software Inc
[10/01/2009|02:08] C:\Program Files\Java
[09/12/2008|03:48] C:\Program Files\KillProcess
[13/11/2008|21:25] C:\Program Files\LG PC Suite
[13/11/2008|21:25] C:\Program Files\Macromedia
[21/11/2008|22:29] C:\Program Files\MagicISO
[14/01/2009|16:52] C:\Program Files\Malwarebytes' Anti-Malware
[13/11/2008|21:26] C:\Program Files\MemoriesOnTV3
[19/12/2008|19:19] C:\Program Files\Messenger
[13/11/2008|21:26] C:\Program Files\Messenger Plus! Live
[13/11/2008|21:26] C:\Program Files\MFP Server Utilities
[13/11/2008|21:26] C:\Program Files\Microsoft ActiveSync
[13/11/2008|21:26] C:\Program Files\microsoft frontpage
[13/11/2008|21:26] C:\Program Files\Microsoft Money
[13/11/2008|21:26] C:\Program Files\Microsoft Office
[13/11/2008|21:26] C:\Program Files\Microsoft Picture It! Express
[13/11/2008|21:26] C:\Program Files\Microsoft SDKs
[13/11/2008|21:26] C:\Program Files\Microsoft Visual Basic 2005 Power Packs
[13/11/2008|21:26] C:\Program Files\Microsoft Visual Studio
[13/11/2008|21:26] C:\Program Files\Microsoft Visual Studio 8
[13/11/2008|21:27] C:\Program Files\Microsoft Visual Studio 9.0
[13/11/2008|21:27] C:\Program Files\Microsoft.NET
[19/12/2008|19:19] C:\Program Files\Movie Maker
[12/01/2009|22:32] C:\Program Files\Mozilla Firefox
[13/11/2008|21:27] C:\Program Files\MSECache
[13/11/2008|21:27] C:\Program Files\msn
[19/12/2008|19:29] C:\Program Files\msn gaming zone
[13/11/2008|21:27] C:\Program Files\Mustek 1200 UB PLUS
[13/11/2008|21:27] C:\Program Files\Nero
[19/12/2008|19:16] C:\Program Files\NetMeeting
[21/12/2008|01:53] C:\Program Files\Nmap
[13/11/2008|21:27] C:\Program Files\Notepad++
[13/11/2008|21:27] C:\Program Files\NVIDIA
[13/11/2008|21:27] C:\Program Files\Nvu
[15/12/2008|12:51] C:\Program Files\Online Services
[19/12/2008|19:15] C:\Program Files\Outlook Express
[13/11/2008|21:27] C:\Program Files\Philips SA111X MP3 Player
[13/11/2008|21:27] C:\Program Files\Photo Viewer
[13/11/2008|21:27] C:\Program Files\PMP Transcoding Tool
[13/11/2008|21:27] C:\Program Files\PowerDVD
[13/11/2008|21:27] C:\Program Files\QuickTime
[13/11/2008|21:28] C:\Program Files\Realtek AC97
[05/12/2008|02:18] C:\Program Files\Red Chair Software
[13/11/2008|21:28] C:\Program Files\Reference Assemblies
[13/11/2008|21:28] C:\Program Files\SigmaTel
[13/11/2008|21:28] C:\Program Files\Spybot - Search & Destroy
[28/12/2008|01:45] C:\Program Files\SUPERAntiSpyware
[13/11/2008|21:28] C:\Program Files\SWiSHmax
[13/11/2008|21:28] C:\Program Files\Ulead Systems
[22/12/2008|04:08] C:\Program Files\Unlocker
[13/11/2008|21:31] C:\Program Files\Videoconverter2007
[13/11/2008|21:31] C:\Program Files\VideoReDoPlus
[13/11/2008|21:31] C:\Program Files\Western Digital Technologies
[13/11/2008|21:31] C:\Program Files\Windows Live
[19/12/2008|19:15] C:\Program Files\Windows Media Player
[19/12/2008|19:15] C:\Program Files\Windows NT
[22/12/2008|03:48] C:\Program Files\WindowsUpdate
[29/11/2008|23:25] C:\Program Files\WinHex
[21/12/2008|01:52] C:\Program Files\WinPcap
[13/11/2008|21:31] C:\Program Files\WinRAR
[13/01/2009|23:04] C:\Program Files\WinTV
[29/12/2008|18:18] C:\Program Files\WinZip
[13/11/2008|21:31] C:\Program Files\xerox
[13/11/2008|21:31] C:\Program Files\Xilisoft
[13/11/2008|21:31] C:\Program Files\ZionEdit-2.0.10
[13/11/2008|21:31] C:\Program Files\Zone Labs
[13/11/2008|21:31] C:\Program Files\ZTree

--------------------\\ Listing Folders in C:\Program Files\Common Files

[10/01/2009|03:38] C:\Program Files\Common Files\Adobe
[13/11/2008|21:24] C:\Program Files\Common Files\Ahead
[13/11/2008|21:24] C:\Program Files\Common Files\Designer
[11/01/2009|02:08] C:\Program Files\Common Files\InstallShield
[13/11/2008|21:24] C:\Program Files\Common Files\InterVideo
[13/11/2008|21:24] C:\Program Files\Common Files\IviSDK
[13/11/2008|21:24] C:\Program Files\Common Files\LightScribe
[13/11/2008|21:24] C:\Program Files\Common Files\Macromedia
[13/11/2008|21:24] C:\Program Files\Common Files\Microsoft Shared
[13/11/2008|21:24] C:\Program Files\Common Files\Motorola Shared
[13/11/2008|21:24] C:\Program Files\Common Files\MSSoap
[13/11/2008|21:24] C:\Program Files\Common Files\ODBC
[13/11/2008|21:24] C:\Program Files\Common Files\Services
[13/11/2008|21:24] C:\Program Files\Common Files\SpeechEngines
[19/12/2008|19:15] C:\Program Files\Common Files\System
[13/11/2008|21:24] C:\Program Files\Common Files\Ulead Systems
[13/11/2008|21:24] C:\Program Files\Common Files\WindowsLiveInstaller
[28/12/2008|01:44] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 26 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 17:23:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 114

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Paul\Favorites\HACKz\CrackDB.org - Games - R1.url
C:\DOCUME~1\Paul\Favorites\HACKz\CrackDB.org - search page.url


[F:2][D:0]-> C:\DOCUME~1\Paul\Cookies
[F:9][D:3]-> C:\DOCUME~1\Paul\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 14/01/2009|17:24 - Option : [1]

--------------------\\ Scan completed at 17:24:54


===============================================================================
HijackThis Log File
===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:10:27, on 14/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\install\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.34.181.45 s # slashdot.org
O1 - Hosts: 216.239.39.99 g # google.com
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre1.6.0_10\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1177238915-602162358-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S45.tmp" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S45.tmp" /EF "HKCU" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191672037265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LPG - Unknown owner - C:\DOCUME~1\Paul\LOCALS~1\Temp\LPG.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4882 bytes

#11 Tomk_
Malware Eradicator
Malware Response Team

Posted 15 January 2009 - 12:23 PM

paultomasi,

tp.exe and C:\Windows\System32\accept.txt could be false positives. I cannot tell. However, to be safe, you should know:

Your computer may have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

C:\DOCUME~1\Paul\Favorites\HACKz\CrackDB.org - Games - R1.url
C:\DOCUME~1\Paul\Favorites\HACKz\CrackDB.org - search page.url

Just visiting these pages can account for a variety of infections. It's definitely not a good sign to have these as your favorites.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • click the Delete Files button.
  • There are three options in the window to clear the cache - Leave all 3 Checked
    • Downloaded Applets
      Downloaded Applications
      Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.
  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below(if present):
    • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
      O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
      O23 - Service: LPG - Unknown owner - C:\DOCUME~1\Paul\LOCALS~1\Temp\LPG.exe (file missing)
  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.
Next

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply please provide:
  • Kaspersky report
  • New HijackThis log taken after everything else completed

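Post #11 above reads the HijackThis log the way a malware-response helper does: the LPG service is flagged because it points at a binary under the user's Temp directory that no longer exists, the two tscuninstall RunOnce entries and the two empty R0 search keys are queued for fixing, and the unknown-LSP and hosts-file lines are left for judgement. The script below is an added example, not part of the thread and not a HijackThis, Trend Micro or BleepingComputer tool; it mechanises those same checks over lines copied from the log posted in the thread and emits a review list, not a verdict (the O10 nwprovau.dll entry, which the helper left alone, is a reminder that every hit still needs a human decision). Every rule name and threshold in it is this example's own choice.

```python
"""Triage helper for HijackThis v2 logs (added example, not a HijackThis tool).

Flags the entry types a malware-response helper reads first:
  O2/O23 components whose binary is missing, anything launched from a
  Temp directory, O4 RunOnce entries, Winsock LSPs HijackThis does not
  recognise, and O1 hosts entries that send a name to a routable address.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.239.39.99 g # google.com
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre1.6.0_10\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: LPG - Unknown owner - C:\DOCUME~1\Paul\LOCALS~1\Temp\LPG.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str
    line: str


# "O23 - Service: ..." -> section code and the rest of the line
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# "Hosts: <address> <name> [# comment]"
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<addr>\S+)\s+(?P<name>\S+)")
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
# Addresses a hosts entry may use without redirecting traffic anywhere.
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0", "255.255.255.255"}


def triage(log_text):
    """Return Findings for one HijackThis log, in log order; one per rule hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes" paths, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec in ("O2", "O23") and body.endswith("(file missing)"):
            reasons.append("registered component whose binary is gone; the stale entry itself should be fixed")
        if TEMP_DIR.search(body):
            reasons.append("executable under a Temp directory; installed software does not live there")
        if sec == "O4" and "RunOnce" in body:
            reasons.append("RunOnce entry runs at next logon and removes itself; confirm it is expected")
        if sec == "O10" and body.startswith("Unknown file"):
            reasons.append("Winsock LSP not in HijackThis' known list; verify the DLL's publisher before touching it")
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("addr") not in LOCAL_ADDRS:
                reasons.append("hosts entry sends a name to a routable address; confirm it is a deliberate alias")
        findings.extend(Finding(sec, r, line) for r in reasons)
    return findings


def report(findings):
    """Render the review list, one finding per block."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample, the LPG service produces two findings (missing binary and Temp location), the two RunOnce entries and the JQS BHO one each, the unknown LSP one, and the `216.239.39.99 g` hosts line one; the broadcasthost, localhost, ZoneAlarm and vsmon lines are silent.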

#12 paultomasi
Topic Starter
Members

Posted 18 January 2009 - 06:09 PM

Tomk

Thank you for your patience.

I am still not convinced all is fine... and the more I think about it the more paranoid I'm becoming.

===============================================================================
Kaspersky Scan Report
===============================================================================
KASPERSKY ONLINE SCANNER 7 REPORT

Sunday, January 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 18, 2009 15:37:06
Records in database: 1642591


Scan settings

Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\


Scan statistics

Files scanned 93613
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 02:23:52


File name Threat name Threats count

C:\Backup\install\downloads\killprocess 2.43\KillProcessSetup.exe Infected: not-a-virus:RiskTool.Win32.PsKill.bg 1

C:\Program Files\KillProcess\KillProcess.dll Infected: not-a-virus:RiskTool.Win32.PsKill.bg 1


The selected area was scanned.


===============================================================================
HijackThis Log
===============================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44:10, on 18/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\install\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 255.255.255.255 broadcasthost
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.34.181.45 s # slashdot.org
O1 - Hosts: 216.239.39.99 g # google.com
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1177238915-602162358-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S45.tmp" /EF "HKCU" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /FU "C:\WINDOWS\TEMP\E_S45.tmp" /EF "HKCU" (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191672037265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5176 bytes


#13 Tomk_
Malware Eradicator
Malware Response Team

Posted 18 January 2009 - 07:39 PM

paultomasi,

There is no sign of malware in your logs. I don't think you're being paranoid. There may be something wrong that isn't malware related. I suggest that you pose a question in the Tech forum and see if the Tech Team can help. I would suggest the internal hardware forum here.

Log looks good.


You need to create a new Clean restore point.
Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Remove all previous Restore Points
Click Start Menu > Run > copy and paste

cleanmgr

At top, click on More Options tab. Click Clean up... button in the System Restore box. Click on Yes button. When finished, click on Cancel button to exit.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Keep Microsoft Windows Updated - This will ensure your computer always has the latest security updates installed. The easiest way to do this is to turn on Automatic Updates. Do this by:
  • From your desktop, right-click on My Computer,
  • click on Properties
  • Select the Automatic Updates tab
  • Click on Automatic
  • Click on Apply button
  • Click on OK to exit.
If there are new updates to install, install them immediately, until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Download and install the free version of WinPatrol - This program protects your computer in a variety of ways and will work well with your existing security software.
Winpatrol


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed as Resolved.

#14 paultomasi
Topic Starter
Members

Posted 20 January 2009 - 08:35 AM

TomK

Thank you for excellent and valued expert guidance.

I have followed all your suggestions and I am satisfied this thread may close.

PaulTomasi

#15 Tomk_
Malware Eradicator
Malware Response Team

Posted 20 January 2009 - 09:40 AM

paultomasi,

You are very welcome.

Glad we could help.

Good Luck and Be Well.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.