
Vundo, Backdoor.bot, Userinit Hijack (Per MBAM)


  • This topic is locked
11 replies to this topic

#1 DocSatan

    Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Location:Boston, Ma.

Posted 19 May 2009 - 05:08 PM

Hello All,

My buddy's computer has a Vundo that keeps coming back after using MBAM. MBAM also shows a Userinit Hijack and a Backdoor.bot. Still being in training, I thought it best not to try to clean the PC and to post his log here.

He doesn't have the time to check back here, so I'll be following your instructions. I have some MBAM Logs if you need them. :thumbup2:





DDS (Ver_09-05-14.01) - NTFSx86
Run by William at 17:52:05.20 on Tue 05/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.43 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\a-squared Free\a2service.exe
C:\QSWSRC\AAREMOTE\INSTAL~1.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\William\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.boston.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {8756d5aa-688f-408a-b94e-d667862508e0} - c:\windows\system32\chrtvct.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
TB: {7BED0340-176B-44BC-915E-C21C1DD6F617} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {7BED0340-176B-44BC-915E-C21C1DD6F617} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [DIAGENT] c:\program files\creative\sblive\creative diagnostics 2.0\DIAGENT.EXE startup
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
uPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Filter: text/html - {c441b09f-0a12-4e6b-8223-0e584ac47864} -
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: gzkkndrd - chrtvct.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 drpevrqt;drpevrqt;c:\windows\system32\drivers\drpevrqt.sys [2001-8-18 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-12-5 217208]
R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\qswsrc\aaremote\INSTAL~1.EXE [2007-9-20 217215]
R2 mwxoqdnm;IPX Traffic Filter Helper;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090518.004\NAVENG.sys [2009-5-18 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090518.004\NAVEX15.sys [2009-5-18 876144]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-05-19 16:07 <DIR> --d----- c:\docume~1\william\applic~1\Malwarebytes
2009-05-19 16:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-19 16:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-19 16:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll

============= FINISH: 17:53:12.64 ===============



#2 Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Location:The Netherlands

Posted 19 May 2009 - 05:31 PM

Hi DocSatan,

Welcome to the BC HijackThis forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please run DDS again and attach both the logs to your reply.
Please include in your next reply:
  • The Combofix log.
  • Both the DDS logs.
  • Any comment or feedback about how it went.


#3 DocSatan

    Bleepin' Wanna-Be

  • Topic Starter
  • Members
  • 2,156 posts
  • Location:Boston, Ma.

Posted 19 May 2009 - 08:40 PM

Hey farbar,

Thank you for your assistance! :thumbup2:

Ran CF. Upon reboot got BSOD --> Reboot --> BSOD loop.
  • STOP: 0x000000CE (0xF91192E0, 0x00000000, 0xF91192E0, 0x00000000)
    cdr4_xp.SYS
Ended up choosing LKGC after a few loops. CF continued and produced a log. DDS.txt and Attach are attached.

ComboFix 09-05-19.08 - William 05/19/2009 20:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.104 [GMT -4:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\Tasks\At1.job
c:\windows\system32\chrtvct.dll . . . . failed to delete
c:\windows\system32\drivers\drpevrqt.sys . . . . failed to delete
c:\windows\system32\drivers\ryrhtsrt.sys . . . . failed to delete
c:\windows\system32\vakhude.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRPEVRQT
-------\Legacy_MWXOQDNM
-------\Service_drpevrqt
-------\Service_mwxoqdnm


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-19 23:02 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 23:02 . 2009-05-19 23:02 -------- d-----w c:\program files\Avira
2009-05-19 23:02 . 2009-05-19 23:02 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-19 20:07 . 2009-05-19 20:07 -------- d-----w c:\documents and settings\William\Application Data\Malwarebytes
2009-05-19 20:07 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 20:07 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 20:07 . 2009-05-19 20:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 20:07 . 2009-05-19 21:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 23:38 . 2005-05-08 16:54 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-19 21:39 . 2007-10-30 00:57 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-19 21:37 . 2007-12-05 02:48 -------- d-----w c:\program files\SpywareGuard
2009-05-19 21:34 . 2007-10-30 02:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-19 20:29 . 2007-10-30 02:21 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-13 04:02 . 2009-04-14 22:09 0 ----a-w c:\windows\Bsiqupilidarexo.bin
2009-04-16 22:13 . 2009-04-14 22:09 408 ----a-w c:\windows\Xhewi.dat
2009-03-06 14:44 . 2001-08-18 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 19:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8756D5AA-688F-408A-B94E-D667862508E0}]
2001-08-18 12:00 102400 ----a-w c:\windows\system32\chrtvct.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DIAGENT"="c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 868352]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-9-20 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzkkndrd]
2001-08-18 12:00 102400 ----a-w c:\windows\system32\chrtvct.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 drpevrqt;drpevrqt;c:\windows\system32\drivers\drpevrqt.sys [8/18/2001 8:00 AM 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 7:02 PM 108289]
R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\qswsrc\AAREMOTE\INSTAL~1.EXE [9/20/2007 7:52 PM 217215]
R2 mwxoqdnm;IEEE-1284.4 HPZid412Helper;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 8:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.boston.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2988)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\chrtvct.dll
c:\windows\system32\libssl32.dll
c:\windows\system32\LIBEAY32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\devldr32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-05-20 21:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 01:25

Pre-Run: 68,926,914,560 bytes free
Post-Run: 69,107,548,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

159 --- E O F --- 2009-05-19 22:28

#4 Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Location:The Netherlands

Posted 20 May 2009 - 08:00 AM

Well done and thanks for the feedback DocSatan. :thumbup2:

Note 1. You mentioned Backdoor, and I did not give the Backdoor warning, assuming you already know the implications and have chosen not to reformat.

Note 2. If the driver (cdr4_xp.SYS) gave you a BSOD again, you may uninstall the following program and install it again after we are done:

Easy CD & DVD Creator 6
  • I see you went ahead and removed Symantec, as I don't see it on the log any more. We had to do this anyway and you did the right thing. I know you are able to handle the logs; however, I want to request that you not jump ahead of me and let's do this together. Please tell me if you removed it via Add/Remove Programs.

  • I see on the log a reference to not having administration rights. It is probably the work of malware, but I ask it to make sure. Do you log in as a user with administrative rights?

  • Before going for full and deep scans, let's try ComboFix once more to see if it can remove at least some of the files it could not remove.
    First delete your copy of combofix and download a fresh ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    KillAll::
    Rootkit::
    c:\windows\Bsiqupilidarexo.bin
    c:\windows\Xhewi.dat
    c:\windows\system32\vakhude.dll
    c:\windows\system32\chrtvct.dll 
    c:\windows\system32\drivers\ryrhtsrt.sys 
    driver::
    mwxoqdnm
    drpevrqt
    ryrhtsrt
    NetSvc::
    mwxoqdnm
    DDS::
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    Notify: gzkkndrd - chrtvct.dll
    BHO: : {8756d5aa-688f-408a-b94e-d667862508e0} - c:\windows\system32\chrtvct.dll
    AtJob::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • First update MBAM, then using the F8 key go to Safe Mode. Run a quick scan and let it remove what it finds. When it requires a reboot, boot to normal mode and post the log it creates. If it didn't open the log, you can find it under the Logs tab.
Please include in your next reply:
  • The Combofix log.
  • The log of MBAM.
  • Any comment or feedback about how it went. Also tell me how you removed Symantec.
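Added example, not from this thread or from the DDS/ComboFix tools: a Python triage pass over the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats that picks out the same kinds of entries the CFScript above targets (a second Userinit executable, a blank-named BHO, a pathless Winlogon Notify DLL, "No File" toolbar/explorer-bar entries, and random-looking driver/service names). The sample lines are constructed from the log in post #1; the random-name test is a heuristic of my own and needs analyst confirmation, since vendor names can collide with it.

```python
import re

# Constructed sample input: lines shaped after the DDS log in post #1 of this
# thread, mixing the suspicious entries with legitimate ones for contrast.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {8756d5aa-688f-408a-b94e-d667862508e0} - c:\windows\system32\chrtvct.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: gzkkndrd - chrtvct.dll
R0 drpevrqt;drpevrqt;c:\windows\system32\drivers\drpevrqt.sys [2001-8-18 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R2 mwxoqdnm;IPX Traffic Filter Helper;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-12-5 217208]
"""

# Stock XP Userinit value; anything chained after it runs at every logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic (my assumption, not a DDS rule): 7+ letters, no digits and at
    most one vowel, which matches mwxoqdnm / drpevrqt / gzkkndrd but not
    SASDIFSV or a2free. A hit still needs analyst confirmation."""
    n = name.lower()
    return len(n) >= 7 and n.isalpha() and sum(c in VOWELS for c in n) <= 1


def userinit_extras(value):
    """Return every comma-separated Userinit entry other than the stock one
    (twext.exe in this log); an empty list means the value is clean."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != DEFAULT_USERINIT]


def triage(text):
    """Walk DDS lines and return (severity, reason, line) tuples for the
    entry types a helper would act on in this thread."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("mWinlogon: Userinit="):
            extras = userinit_extras(line.split("=", 1)[1])
            if extras:
                findings.append(("high", "Userinit hijack: " + ", ".join(extras), line))
        elif line.startswith("BHO: :"):
            # A BHO registered with an empty name is a classic Vundo pattern.
            findings.append(("high", "BHO with blank name", line))
        elif line.startswith(("TB:", "EB:")) and line.endswith("- No File"):
            findings.append(("low", "orphaned entry, file already gone", line))
        elif line.startswith("Notify:"):
            m = re.match(r"Notify:\s+(\S+)\s+-\s+(.+)", line)
            if m:
                name, dll = m.groups()
                # Winlogon Notify DLLs load into winlogon.exe as SYSTEM; a bare
                # filename (no path) or a random key name is worth a look.
                if "\\" not in dll or looks_random(name):
                    findings.append(("high", "Winlogon Notify DLL without a full path: " + dll, line))
        elif re.match(r"[RS]\d\s", line):
            m = re.match(r"[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[", line)
            if m and looks_random(m.group(1)):
                hosted = "svchost.exe -k netsvcs" in m.group(3).lower()
                where = "hosted in svchost netsvcs" if hosted else "kernel driver/service"
                findings.append(("high", "random-looking name %s (%s)" % (m.group(1), where), line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_DDS):
        print("[%s] %s\n    %s" % (severity.upper(), reason, line))
```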


#5 DocSatan

    Bleepin' Wanna-Be

  • Topic Starter
  • Members
  • 2,156 posts
  • Location:Boston, Ma.

Posted 20 May 2009 - 10:52 AM

Hey farbar,

Sorry about the steps I had taken regarding Symantec, etc. :)
  • It was removed via Add/Remove Programs
After I had posted the initial DDS Log I noticed that the Symantec wasn't updated so decided to install Avira. I figured that I would have been able to make these changes and then edit the initial post with the new DDS Log. When I went to post the new DDS Log I already had a reply from you...my plan was foiled. :)

So I will be following your instructions, and not trying to do anything in between. :thumbup2:

Regarding the Backdoor, I told my buddy not to visit financial institutions on this computer and warned about the passwords, acct #'s, etc. being possibly stolen. I wasn't 100% sure if this Backdoor was one that would require the Reformat Speech (I didn't research it), so was going to wait for your advice.

Do you think that my friend should make the calls to his financial institutions due to this Backdoor? If so, I'll give him the option to reformat. I'm at work right now and won't see him for about 7hrs.

Sorry for the confusion.

Doc.

Edited by DocSatan, 20 May 2009 - 10:53 AM.


#6 Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Location:The Netherlands

Posted 20 May 2009 - 11:41 AM

Hi DocSatan,

No worries about the changes made; it was a good decision anyway. About the Backdoor, this is what your friend needs to know:

"One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please follow the steps already posted"

+++++++++++++++++

Uninstalling Norton from Add/Remove Programs often leaves leftovers which at times might interfere with system performance. If your friend decides to proceed with cleaning, before doing the fixes I have posted please download and run the Norton Removal Tool.

Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

#7 DocSatan

    Bleepin' Wanna-Be

  • Topic Starter
  • Members
  • 2,156 posts
  • Location:Boston, Ma.

Posted 20 May 2009 - 08:43 PM

Hey farbar,

My friend has decided to clean the computer and then reformat. The reason is that he doesn't want to infect the USB drive that he is going to use (mine :thumbup2: ) to save his files/documents. Not sure if this is necessary or not, so your input would be greatly appreciated.

I am using an account with Administrator rights.

I went ahead and performed your instructions anyway.

1. Ran Norton Removal
2. Uninstalled Roxio via Add/Remove
3. Deleted Old CF and downloaded new one
4. Ran CFScript
  • When CF rebooted the computer I received the following System Error:
    • Lsass.exe - System Error
      The Endpoint Format is Invalid
  • I clicked on "OK" in the error box/window and the computer booted normally. CF finished and produced the log
5. Updated MBAM, Quick Scan in Safe Mode
  • The User account that I have been using (William) was not listed in safe mode. I used the account called "Administrator" to run the MBAM scan, which found nothing.
  • Also, I am unable to locate the log that was produced, as it is not in the Log tab when I reboot normally and log in to "William" user.
6. Booted normally

CF Log


ComboFix 09-05-20.09 - William 05/20/2009 20:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.62 [GMT -4:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\drpevrqt.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRPEVRQT
-------\Legacy_MWXOQDNM
-------\Service_drpevrqt
-------\Service_mwxoqdnm


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-20 23:51 . 2009-05-20 23:51 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-19 23:02 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 23:02 . 2009-05-19 23:02 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-19 23:02 . 2009-05-19 23:02 -------- d-----w c:\program files\Avira
2009-05-19 20:07 . 2009-05-19 20:07 -------- d-----w c:\documents and settings\William\Application Data\Malwarebytes
2009-05-19 20:07 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 20:07 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 20:07 . 2009-05-19 20:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 20:07 . 2009-05-19 21:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 00:10 . 2005-05-08 22:37 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-05-19 21:39 . 2007-10-30 00:57 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-19 21:37 . 2007-12-05 02:48 -------- d-----w c:\program files\SpywareGuard
2009-05-19 21:34 . 2007-10-30 02:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-19 20:29 . 2007-10-30 02:21 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-13 04:02 . 2009-04-14 22:09 0 ----a-w c:\windows\Bsiqupilidarexo.bin
2009-04-16 22:13 . 2009-04-14 22:09 408 ----a-w c:\windows\Xhewi.dat
2009-03-06 14:44 . 2001-08-18 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 19:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-20_01.20.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-18 12:00 . 2001-08-18 12:00 50944 c:\windows\system32\mifjqxip.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DIAGENT"="c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-9-20 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 32256]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 7:02 PM 108289]
R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\qswsrc\AAREMOTE\INSTAL~1.EXE [9/20/2007 7:52 PM 217215]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.boston.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3920)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\devldr32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-05-21 20:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 00:43
ComboFix2.txt 2009-05-20 01:25

Pre-Run: 69,119,369,216 bytes free
Post-Run: 69,147,414,528 bytes free

138 --- E O F --- 2009-05-19 22:28




Doc.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 May 2009 - 05:34 AM

Hi Doc,

You did an excellent job, thanks also for the detailed feedback. Please remove the following leftovers:

c:\windows\Bsiqupilidarexo.bin
c:\windows\Xhewi.dat
c:\windows\system32\mifjqxip.dat

There was no flash drive virus on the system, and backing up was no problem. However, we cleaned the system and there seems to be no active malware on the system.

It seems pretty safe now to use the computer. If your friend decides to use the computer, do the following; otherwise, disregard it:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 DocSatan

DocSatan

    Bleepin' Wanna-Be

  • Topic Starter

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 22 May 2009 - 03:58 PM

Hey farbar,

When you say the computer seems pretty safe to use... do you mean to use it normally, or to use my USB drive to save files before reformatting?

Deleted those files ok.

Here's the Kaspersky Report:

Friday, May 22, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 22, 2009 17:07:32
Records in database: 2218315


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 44640
Threat name 3
Infected objects 3
Suspicious objects 1
Duration of the scan 02:02:53

File name Threat name Threats count
C:\Documents and Settings\William\Local Settings\Application Data\Identities\{72DC04D3-5814-440E-8318-AFBD82C52DD5}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Documents and Settings\William\Local Settings\Application Data\Identities\{72DC04D3-5814-440E-8318-AFBD82C52DD5}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Infected: Email-Worm.Win32.Klez.h 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\drpevrqt.sys.vir Infected: Trojan.Win32.BHO.ext 1

C:\System Volume Information\_restore{6583E451-BE77-4808-AE80-9129FDC1A535}\RP1\A0000003.sys Infected: Trojan.Win32.BHO.ext 1

The selected area was scanned.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 May 2009 - 04:16 PM

Doc,

I mean to use the computer normally as it was always safe to use a USB drive to back up data.

Aside from one infected file in the Combofix quarantine folder and one in the System Volume Information (which we flush at the end), KOS found nothing but a couple of e-mails in the Outlook Inbox folder.

Please empty the Outlook Inbox, especially those with attachments.

Go to Start > Run and copy and paste or type the next command in the field, then hit Enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations:
  • The log looks clean. But your computer is still very much susceptible in particular to hacking and intrusion from outside. I strongly advise you to install a firewall before surfing. The Windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets to your computer, the Windows firewall is no more effective. You'll find more information on firewalls below.
    Click for more information on: Understanding and Using Firewalls

    There are several good free programs available like:
    Sunbelt-Kerio
    Online Armor Free edition

  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help prevent malicious software from being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3, which has more features and is more secure than Service Pack 2.

    You can update by going to Start > All Programs > Windows Update > click on the Custom button.

    Note: Download Service Pack 3, but before installing it, disable your antivirus real-time protection.

  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • Install Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link.

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.

Do you have any comment or question?

#11 DocSatan

DocSatan

    Bleepin' Wanna-Be

  • Topic Starter

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 26 May 2009 - 04:29 PM

Thanks farbar! :)

My buddy has uninstalled CF. He's gonna be a while deleting his Outlook though; he has over 400 in his inbox. I told him to delete them all, but he says he has some that he wants to keep. Told him to delete at least the ones with attachments, so we'll see.

I'll be upgrading/updating the rest of his programs, already has SP3 and Comodo firewall.

Thanks again for your guidance and instruction. :thumbup2:

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 May 2009 - 04:52 PM

You are most welcome DocSatan.

Should he need any further guidance, please let me know.

This thread will now be closed as the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.
