Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Next step: HJT log for system problems


  • This topic is locked This topic is locked
16 replies to this topic

#1 rleem

rleem

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 28 January 2009 - 11:29 PM

Hello~

I was directed to this forum to post a HJT log for my issues in eradicating the problems from an attack by rogue anti-spyware and other suspected bad, lurking things (including a sudden problem with PrcViewer). Referred here from: http://www.bleepingcomputer.com/forums/t/198357/infected-with-system-security-rogue-anti-spyware/ ~ OB Here is that log. Thanks for your time, and the Help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:57, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Login
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16314
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {91D4B4D5-E368-40AB-8F53-A37FA634B471} (Installer9Ctrl Class) - http://h36.e-tmm.com/bin/tol9inst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10865 bytes


Much obliged for your expertise. :-)

Edited by Orange Blossom, 01 February 2009 - 02:19 AM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 07 February 2009 - 02:29 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTScanIt

Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important!:Please do not select the Show all checkbox during the scan..

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Please post back with:
-OTScanIT log
-GMER Log
-Kaspersky log
-What Problems do you still have?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 07 February 2009 - 08:35 PM

Hello EB!

Thank you so much for helping me out with this.

I am a little confused from your post and would like to clarify something: at first, the instructions specify not to install programs or run fix tools but as I read down the post, there are instructions to download and run ATF Cleaner and more.... I'm not sure of the proper order of things and how/what you would like to receive initially. Please advise.

Here is a brief history of my problem and what I have tried to fix it with the help from "boopme" (BC adviser):

Problem:

Sudden invasion of rogue anti-spyware/malware popping up fake Windows security virus scans and warning windows. I found advice on using Malwarebyte's Anti-Malware to clear this mess and did a quick scan with the anti-malware which located a bunch of junk, I followed the instructions on removing it, rebooted the computer and did a couple more thorough scans using my own virus-protection program (McAfee) and Malwarebyte program. All the crazy pop-ups were gone but then I noticed a few quirks: "clicking" sounds in the background as if processes are being activated/accessed (?) and random Internet Explorer windows popping up out of nowhere (I primarily use Mozilla Firefox for browser) with an error message along the lines of "page is not accessible" or "page is disabled". Evil stuff was still lurking.

Initial attempts to fix problem (after posting to forum on BC):

1. Advised to download and run SuperAntiSpyWare, scanning for tracking cookies only first;
then download and run ATF Cleaner in safe mode;
then run SuperAntiSpyware for complete scan, quarantine bad stuff (more found), reboot, post log;
then re-run Malwarebyte's Anti-Malware program, remove bad stuff (more but fewer found), reboot, post log

2. Advised to download and run SmitFraudFix after still suspecting above efforts did not clean computer as thoroughly as needed, posted log

3. Notified that "baddies" were found based on the information from this log and advised to clean the registry using SmitFraudFix in safe mode; followed by download and run of SDFix with instructions; posted log. Results of which were unclear as seemingly new problem appeared: McAfee locating and blocking "PrcViewer" (suspected result of downloading SmitFraudFix but not completely sure).

4. Attempt to remove PrcViewer did not work by following boopme's instructions to make a change to the registry and download a vbs file from Kelly's Korner.

5. Advised to update Java, remove old versions and install newest. Done.

6. Lastly, advised to run HijackThis and post log to forum for further scrutiny. And here we are!

From point "3" on is where things became really unclear for me as to what was potentially "bad" that was read on the SmitFraudFix and SDFix logs and I don't feel that we were able to fix or locate the problem boopme detected after this point.

I have had my computer on and connected to the internet intermittently the last couple of weeks waiting for the additional help and am aware only of McAfee's scheduled updates that have occurred insofar as changes to the machine goes.

I'd be happy to send you a more current HijackThis log or whatever pertinent information you request at this time to move forward. Sorry for the lengthy description in this post but I'm thrilled you are here to help!

Thanks again!

r

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 07 February 2009 - 08:49 PM

Hello again.

at first, the instructions specify not to install programs or run fix tools but as I read down the post, there are instructions to download and run ATF Cleaner and more.... I'm not sure of the proper order of things and how/what you would like to receive initially. Please advise.

That means for you. Once we begin fixing do not install any programs or fix things on your own. When I tell you to download tools/install tools then that's fine obviously... Otherwise how do you think we will fix your machine???

From point "3" on is where things became really unclear for me as to what was potentially "bad" that was read on the SmitFraudFix and SDFix logs and I don't feel that we were able to fix or locate the problem boopme detected after this point.

Those are false-positives. SDfix and Smitfraudfix are sometimes flagged by security programs because the tools they use sometimes are considered a "fraud/risk-tool".

I'd be happy to send you a more current HijackThis log or whatever pertinent information you request at this time to move forward. Sorry for the lengthy description in this post but I'm thrilled you are here to help!

I will be looking forward to helping you as well.

Please post the logs I requested and we will begin.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 07 February 2009 - 10:39 PM

Hi again EB,

Thanks for the clarification. I've begun the process of getting the logs you requested and have run into a glitch, maybe you can tell me what happened.

After running ATF Cleaner I proceeded to download and run OTScanIT. The scan completed and I have the OTScanIT.txt report but when I returned to the forum to attach the document, the BleepingComputer window I had open with this thread is suddenly modified. It appears to be a more simplified version, and does not give me an option to attach anything. I've tried refreshing, closing the browser and opening a new one (using Mozilla Firefox) but no good. When I go to certain other websites in my favorites, images I know should be there is now missing, but other websites and their images remain intact.

I'm not sure if I screwed something up with ATF Cleaner? pretty sure I ran it as directed. Not sure how to get you this log at this point....

yikes!

(thanks)

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 07 February 2009 - 11:02 PM

Hello.

Upload all 3 to Media fire then...

Upload File to MediaFire
Please upload the files using MediaFire one at a time
  • Go to Media Fire
  • Click the Large Green button that says UPLOAD FILE TO MEDIAFIRE
  • When asked do you have a MediaFire account please select: I want to upload without an account
  • A Browser window shall then appear
  • Navigate to the log you want to send to me and click on the file to highlight it.
  • Then select Open
  • Another page shall appear, after it finish loading please select the big green button that says: START UPLOAD
  • Follow any prompts after that to finish the upload process
  • When the Upload is complete, under the Sharing URL: please copy and paste that link in your next reply so I can download and see it.
Repeat the steps again to upload all 3 logs

Tell me how it goes and post the sharing URL for all 3 logs in your next reply. It's late for me now, need to go to bed.

You can post the Kaspersky log if it's not too big. Upload GMER and OTScanIT2 logs though.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 08 February 2009 - 04:24 AM

Thanks Extremeboy,

Whew...long night. here is the url for those 3 logs. hope it's working to access

http://www.mediafire.com/?sharekey=e5ca668...04e75f6e8ebb871

Computer Status: the Kaspersky scan seemed to yield nothing. When it was through, I enabled my virus scan and firewall protection with McAfee before getting each log saved through MediaFire. The only two sites I was visiting through Firefox were Bleeping Computer (to post here) and MediaFire when out of nowhere, a voice begins by congratulating me for being selected to win a Nintendo Wii. (voice ad only, no pop up window anywhere to be seen). Not something I encountered much at all with Firefox and was quite an unexpected surprise at 2am while working to fix getting this stuff not to happen! I didn't notice anywhere on either site that I could have triggered this unsolicited advertisement and worry that I've still got problems or wonder if I have more/new problems after having the protection disabled for the 1.5 hours or so while the scan was in progress. ? The change to Bleeping Computer's site appearance mentioned in the last post on my browser is also still in effect.

This morning's amendment:
- seems to be running a little slower, but maybe that's my imagination;
- visited a couple of other trusted sites and still have strange new problem of missing images and modified page format (BC's symptom, although it appears that when I closer the browser and re-enter, it index page looks as intended but it's not until I navigate to the Forums page using the main banner link across the top that things start changing;
- the McAfee warning windows notifying me of the PrcViewer as an unwanted program have suddenly stopped after running these latest scan tools. Before I could expect them to appear every other hour at least and I would repeatedly ignore the warning; now, nothing since 2am... maybe a good sign, or just maybe an 'okay' sign?

Anyway, I hope these logs help you to help me! Looking forward to your advice when you are next able.

r

Edited by rleem, 08 February 2009 - 11:55 AM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 08 February 2009 - 02:08 PM

Hello.

McAfee not detecting PCViewer anymore is a good sign. It didn't seem it existed at all though. I do not see that program installed anywhere.

The change to Bleeping Computer's site appearance mentioned in the last post on my browser is also still in effect.

Could you provide a screenshot of it or an attachment so I can see what the problem looks like please.

Run Script with OTScanIT2

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files if you lost your copy..
It will create a folder named OTScanIt2 on your desktop. Double click the OTScanIT2 folder than double click on OTScanIT2.exe to star the program.

Copy/Paste the information in the codebox below into the green pane where it says "Paste fix here" and then click the Run Fix button at the top.

[Kill Explorer]
[Registry - Safe List]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2324587690-1688835698-2780135033-1005\] > -> HKEY_USERS\S-1-5-21-2324587690-1688835698-2780135033-1005\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> WgaLogon -> 
[Files/Folders - Modified Within 30 Days]
NY -> tmp.reg -> %SystemRoot%\System32\tmp.reg
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\catchme.log:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\My Documents\Thumbs.db:encryptable
NY -> @Alternate Data Stream - 88 bytes -> %UserProfile%\Desktop\catchme.log:SummaryInformation
[Empty Temp Folders]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Just a FYI. The GMER log and Kaseprsky was clean. THe OTscanIT log also is somwhat okay, still a bit of work to do though.

Re-Run Scan with OTScanIT2

Run a new OTScanIt2 scan with the following options.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS that you have opened currently.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located (Should be in the OTScanIT2 folder)
  • Attach that file back here in your next reply.
Attach/Upload back with:
-OTScanIT Fix log
-OTScanIT Scan log
-A screenshot of the problem you have when viewing certain sites.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 08 February 2009 - 05:17 PM

Hi again,

Here are the two newest logs attached.

Also, the website issue I was having earlier seems to have cleared up. I'm now able to use the BleepingComputer site as normal and attach these. The other sites have their images back now too and are operating normally. After this latest reboot, Firefox apparently snuck in an update so I am now browsing with the latest (not sure if that has something to do with it?)

Thanks!!

R

Attached Files



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 08 February 2009 - 05:47 PM

Hello.

Great! That's good news. Let's run an online scan, now that everything looks fine.

Just anaylzed the OTScanIT log. All looks good now. Please run ESET- Online scan please

Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your pc.
  • To do a full-scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The Onlinescan will now start and scan your computer. Please be patient as this a while.
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window.
  • Click Start, then Run.... The the box that appears type with the quotes:
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad
  • Click into the text area, right-click and chose select all. Right-click again and chose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Post back wih:
-Eset online scan log

Attach back with:
-New OTScanIT2 log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 08 February 2009 - 06:16 PM

Hi

Well, I can't seem to get the ESET online scan to work.

-- I tried at first to use my open browser Firefox, but got a message after clicking "yes" to the terms of use that my browser is not supported.
-- I then opened up Internet Explorer (I haven't used in a couple of weeks) and discovered some errors: my home page for IE read correctly in the address bar, but the site window said something like "page not found". I navigated to BC and this thread to get to your link but IE would not open up the link to ESET from the post. I then manually typed the address (www.eset.com/onlinescan/) in the address bar and was able to get to the site, click "yes" to the terms of use, but the "start" button was not activated. I clicked on it anyway and was sent to another page that says "get a free online virus scan" with a reduced message box listing horizontally the default links (scanner/more details/system requirements/help/faq) but nothing happens.

Hmm... need a bit more help on getting this to run.

thanks a bunch

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 08 February 2009 - 06:27 PM

Hello.

Do a f-secure scan then, if that still doesn't work try the Kaspersky again..

F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
Post back with:
-F-Secure scan log/Kaspersky scan log
-New pair of DDS logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 08 February 2009 - 08:07 PM

Howdy,

-- I managed to get the F-Secure scan to work and have that report here. Also did a new OTScanIt scan and have attached the new log (also attached the .html report just in case).

-- Wasn't sure what you meant by "a new pair of DDS logs" at the end of your last post. Forgive my ignorance in your reference for this type of log if I missed something down the line. Please clarify.

Post back with:
-F-Secure scan log/Kaspersky scan log
-New pair of DDS logs



I feel like things are on the upswing! almost back to normal perhaps? looking forward to your reply.

thanks again!

***

Scanning Report
Sunday, February 08, 2009 17:00:47 - 17:51:33

Computer name: RLMERCER
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 2 malware found
TrackingCookie.2o7 (spyware)

* System

W32/Zlob.gen123 (virus)

* C:\DOCUMENTS AND SETTINGS\RHIANNON\DESKTOP\SMITFRAUDFIX\AGENT.OMZ.FIX.EXE (Submitted)

Statistics
Scanned:

* Files: 41567
* System: 3882
* Not scanned: 18

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCAFEE_THCCXNK3JDZREMS
* C:\WINDOWS\TEMP\MCMSC_9ZHPEHPF0LUHKQR
* C:\WINDOWS\TEMP\MCMSC_BIPGTUCHTPYTGKI
* C:\WINDOWS\TEMP\MCMSC_EPAMYADMKVQE3EF
* C:\WINDOWS\TEMP\MCMSC_EQBEZWYWYOKHQFW
* C:\WINDOWS\TEMP\SQLITE_8KZCA8RGPBAFF3I
* C:\WINDOWS\TEMP\SQLITE_BS9AZGC7UWW0NGH
* C:\WINDOWS\TEMP\SQLITE_CY0OKYEIQTKLEZH
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\RHIANNON\LOCAL SETTINGS\TEMP\SQLITE_MPBBGBLGS1HYOGN
* C:\DOCUMENTS AND SETTINGS\RHIANNON\LOCAL SETTINGS\TEMP\SQLITE_QENVKHSJ6TSOWLR
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_24ADF822-76F7-4481-B30B-FF1B40F8687F

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-08
* F-Secure AVP: 7.0.171, 2009-02-08
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Attached Files



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 PM

Posted 08 February 2009 - 09:19 PM

Hello.

F-Secure log is clean.

Wasn't sure what you meant by "a new pair of DDS logs" at the end of your last post.

Don't worry about that, it is a tool that is similar to Hijackthis. You should of ran that tool if you followed the guide.. Anyways, I don't really need it. OTScanIT log is what I need right now.

And the OTScanIT logs looks............ Clean as well. :step5:

Let's wrap up and cleanup or mess..



Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :)

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Uninstall GMER
We will now remove GMER.
  • Go to Start ---> Run ----> In the Open Field type in: C:\WINDOWS\gmer_uninstall.cmd
  • Now Click Ok
  • This shall uninstall GMER and everything related to it.
Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed witht the cleanup process, click Yes. Restart your computer when prompted.
You may delete the tool after use.

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Increase System Performance

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 rleem

rleem
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 08 February 2009 - 10:57 PM

Extremeboy,

Excellent, Awesome, Amazing! Thanks SO much for your help! Everything seems great now. I'm going to continue through all the advice and links in your last post to make sure I minimize risk to infection/invasion and enhance computer performance.

I'm so THRILLED! I can work again, yay!!

Have an outstanding evening and thanks again!

r




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users