My browser searches get redirected (IE, Fox, Opera)


9 replies to this topic

#1 shamis (Members)

Posted 24 June 2009 - 08:49 PM

I use Firefox, and a couple of days ago when I would click on a search result, it would redirect me to a random site. This happens with Internet Explorer and Opera as well. I started paying close attention to the bottom left of my screen (where it gives you the status like waiting, connecting, IP address, etc.) and see overclick.cn seems to be the problem.

From a bit of research online I installed and ran Malwarebytes, Spybot Search and Destroy, and Ad-Aware. I also have the paid AVG. I have run all of these, but the problem still exists.

I don't know what this is but if someone could please help me figure it out I would appreciate it.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Shamis at 19:22:27.13 on Wed 06/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.265 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Shamis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.insightbb.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearch Bar = hxxp://www.google.com/ie
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [msiexec.exe] msiconf.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqRJARL
LSA: Notification Packages = c:\windows\system32\redivipo.dll c:\windows\system32\yefapuza.dll c:\windows\system32\wohubevu.dll scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shamis\applic~1\mozilla\firefox\profiles\uu0hdb9t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-16 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-16 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-16 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-16 298776]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-06-22 04:14 <DIR> --dsh--- c:\documents and settings\shamis\IECompatCache
2009-06-22 04:13 <DIR> --dsh--- c:\documents and settings\shamis\PrivacIE
2009-06-22 04:12 <DIR> --dsh--- c:\documents and settings\shamis\IETldCache
2009-06-22 04:09 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-22 04:09 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-22 04:09 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 04:09 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-22 04:09 <DIR> --d----- c:\windows\ie8updates
2009-06-22 04:09 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-22 04:07 <DIR> -cd-h--- c:\windows\ie8
2009-06-19 01:01 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-19 01:01 1,409 a------- c:\windows\QTFont.for
2009-06-10 16:14 <DIR> --d----- c:\program files\Sony
2009-06-08 13:18 <DIR> --d----- c:\docume~1\shamis\applic~1\Any Video Converter
2009-06-08 13:18 <DIR> --d----- c:\program files\Any Video Converter
2009-06-08 12:52 <DIR> --d----- c:\program files\VideoLAN
2009-06-07 12:44 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 09:13 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 12:25 114,688 a------- c:\windows\system32\wmatimer.dll
2009-06-08 12:25 114,688 a------- c:\windows\system32\msvos.dll
2009-06-07 12:43 499,712 a------- c:\windows\system32\msvcp71.dll
2009-06-07 12:43 348,160 a------- c:\windows\system32\msvcr71.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-30 09:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-30 09:26 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-30 09:25 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-03 20:25 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-03 18:57 23,392 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 19:25:20.91 ===============


#2 shelf life (Malware Response Team)

Posted 28 June 2009 - 06:57 AM

hi shamis,

Sorry for the delay, there is no shortage of posters. The log is several days old. If you still need help, reply to my post and we will get some downloads to use.

How Can I Reduce My Risk to Malware?


#3 shamis (Topic Starter)

Posted 28 June 2009 - 09:22 AM

Quote from shelf life:

hi shamis,

Sorry for the delay, there is no shortage of posters. The log is several days old. If you still need help, reply to my post and we will get some downloads to use.


Hi shelf life,

Thank you so much for responding. No problem about the delay; I read that you guys are volunteers and it may take a few days, so I have just been hanging out. But just in case no one has told you guys lately, I appreciate you!

Nevertheless, I still need help. I haven't done anything since I posted this log besides my regularly scheduled AVG scans. Just let me know what to do.

Thanks again,
Shamis

#4 shelf life (Malware Response Team)

Posted 28 June 2009 - 05:04 PM

OK, here we go. We will use ComboFix first. There is a guide to read first. Not a lot of reading, lots of pictures. Read the guide, download ComboFix to your desktop, and disable your AV and anti-malware as explained in the guide. Double-click the icon on your desktop and follow the prompts. Post the log in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 shamis (Topic Starter)

Posted 30 June 2009 - 08:59 PM

OK, here is what I got below. But before ComboFix began its stages, a pop-up window displayed that there was some rootkit activity and it needed to reboot. It asked me to write down the listed folders; I wrote them down as well, but they are the 5 folders with the SKYNet extension in the "Other Deletions" list below.

Combofix log:


ComboFix 09-06-29.07 - Shamis 06/30/2009 21:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.860 [GMT -4:00]
Running from: c:\documents and settings\Shamis\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\ajehekuy.ini
c:\windows\system32\akisonep.ini
c:\windows\system32\alaniwip.ini
c:\windows\system32\drivers\SKYNETnlqtqlht.sys
c:\windows\system32\esodohuy.ini
c:\windows\system32\evazipor.ini
c:\windows\system32\mfc45.dll
c:\windows\system32\ofatazig.ini
c:\windows\system32\otofetow.ini
c:\windows\system32\SKYNETeosidyox.dat
c:\windows\system32\SKYNETkalstoqo.dll
c:\windows\system32\SKYNETubrpykmp.dll
c:\windows\system32\SKYNETuuxgxenk.dat
c:\windows\system32\uvavifor.ini
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETfmylnvtr


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-22 08:15 . 2009-06-22 08:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-22 08:14 . 2009-06-22 08:14 -------- d-sh--w- c:\documents and settings\Shamis\IECompatCache
2009-06-22 08:13 . 2009-06-22 08:13 -------- d-sh--w- c:\documents and settings\Shamis\PrivacIE
2009-06-22 08:12 . 2009-06-22 08:12 -------- d-sh--w- c:\documents and settings\Shamis\IETldCache
2009-06-22 08:12 . 2009-06-22 08:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-22 08:09 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-22 08:09 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-22 08:09 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-22 08:09 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 08:09 . 2009-06-22 08:09 -------- d-----w- c:\windows\ie8updates
2009-06-22 08:09 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-22 08:07 . 2009-06-22 08:08 -------- dc-h--w- c:\windows\ie8
2009-06-20 12:31 . 2009-06-17 12:17 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 12:17 . 2009-06-09 13:12 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 12:17 . 2009-06-09 13:12 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 12:17 . 2009-06-09 13:12 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-16 18:23 . 2009-06-16 18:23 -------- d-----w- c:\documents and settings\Shamis\Local Settings\Application Data\Opera
2009-06-16 18:23 . 2009-06-16 18:23 -------- d-----w- c:\program files\Opera
2009-06-15 16:17 . 2009-06-15 16:17 390664 ----a-w- c:\documents and settings\Shamis\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-10 20:14 . 2009-06-10 20:14 -------- d-----w- c:\program files\Sony
2009-06-10 19:17 . 2009-06-10 19:17 -------- d-----w- c:\documents and settings\Shamis\Application Data\Publish Providers
2009-06-10 19:11 . 2009-06-10 19:16 -------- d-----w- c:\documents and settings\Shamis\Application Data\Sony
2009-06-10 19:11 . 2009-06-10 19:11 -------- d-----w- c:\documents and settings\Shamis\Local Settings\Application Data\Sony
2009-06-10 18:58 . 2009-06-10 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-06-09 20:20 . 2009-06-22 08:13 -------- d-----w- c:\documents and settings\Shamis\Local Settings\Application Data\Google
2009-06-09 13:12 . 2009-06-09 13:12 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-08 17:18 . 2009-06-08 18:02 -------- d-----w- c:\documents and settings\Shamis\Application Data\Any Video Converter
2009-06-08 17:18 . 2009-06-08 17:18 -------- d-----w- c:\program files\Any Video Converter
2009-06-08 16:52 . 2009-06-08 18:27 -------- d-----w- c:\program files\VideoLAN
2009-06-07 16:44 . 2009-06-07 16:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-07 16:37 . 2009-06-07 16:39 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 08:49 . 2008-10-09 15:57 -------- d-----w- c:\documents and settings\Shamis\Application Data\ZoomBrowser EX
2009-06-30 08:47 . 2008-10-09 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-06-22 04:07 . 2009-01-21 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 04:06 . 2009-01-21 17:40 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-21 13:00 . 2009-01-14 20:55 36 ---ha-w- c:\windows\system32\f9t.dat
2009-06-21 01:33 . 2008-01-11 23:36 -------- d-----w- c:\documents and settings\Shamis\Application Data\FileZilla
2009-06-17 15:27 . 2009-01-21 17:40 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-21 17:40 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 12:17 . 2009-01-16 20:13 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-09 13:13 . 2009-01-16 20:13 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 16:25 . 2009-01-14 21:25 114688 ----a-w- c:\windows\system32\wmatimer.dll
2009-06-08 16:25 . 2009-01-14 20:56 114688 ----a-w- c:\windows\system32\msvos.dll
2009-06-07 16:44 . 2008-01-10 01:51 -------- d-----w- c:\program files\Common Files\Real
2009-06-07 16:43 . 2009-01-14 20:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-07 16:43 . 2009-01-14 20:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-06-04 10:49 . 2008-01-10 04:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-04 10:46 . 2009-04-10 04:02 -------- d-----w- c:\program files\Palm
2009-06-04 02:28 . 2009-01-21 15:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 12:54 . 2008-02-02 04:31 -------- d-----w- c:\documents and settings\Shamis\Application Data\LimeWire
2009-05-13 05:15 . 2008-01-26 05:57 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-01-26 05:57 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 13:26 . 2009-01-16 20:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-30 13:26 . 2009-01-16 20:13 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-30 13:25 . 2009-01-16 20:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 12:26 . 2008-01-25 23:20 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-01-26 05:57 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-04 00:25 . 2008-01-10 00:45 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-03 22:57 . 2009-01-14 20:55 23392 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-01-26 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-07 39408]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-04-22 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-07 198160]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-30 13:26 11952 ----a-w- c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shamis^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [1/16/2009 4:13 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/16/2009 4:13 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/16/2009 4:13 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/16/2009 4:13 PM 298776]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.insightbb.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Shamis\Application Data\Mozilla\Firefox\Profiles\uu0hdb9t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 21:34
Windows 5.1.2600 Service Pack 3, v.5755 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\wufefudi.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\searchindexer.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\System32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-01 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 01:46

Pre-Run: 90,377,007,104 bytes free
Post-Run: 90,426,130,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

249 --- E O F --- 2009-06-22 08:10

#6 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 01 July 2009 - 08:24 PM

OK, good. Check Malwarebytes for updates, do a full scan with it and post the log:

Once the program has loaded, check for updates then select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

We will get one more download to use also; it's in beta. If it gives you any problems, just delete it off your desktop:

Please download: RootRepeal

http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

How Can I Reduce My Risk to Malware?


#7 shamis

  • Topic Starter
  • Members
  • 10 posts

Posted 02 July 2009 - 05:55 PM

Wow, this is a process, lol. Nevertheless, here are the files you requested. Oh, FYI, after the ComboFix my browsers don't redirect anymore. I know the rest of this process is necessary, but I wanted to tell you just in case you needed to know that.


Malware Log:

Malwarebytes' Anti-Malware 1.38
Database version: 2360
Windows 5.1.2600 Service Pack 3, v.5755

7/2/2009 2:57:37 AM
mbam-log-2009-07-02 (02-57-37).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 274577
Time elapsed: 1 hour(s), 59 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





RootRepeal Log

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/02 03:11
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6C26000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4A83000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_21c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\shamis\local settings\temp\etilqs_dsamfrfhbdwphrqzupnx
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Shamis\Application Data\Macromedia\Flash Player\#SharedObjects\H75K99S3\www.nick.com.\ReefFighterSaveGame.sol
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Shamis\Application Data\Macromedia\Flash Player\#SharedObjects\H75K99S3\www.nick.com.\soNICK_SpongeBob_LavaInvader.sol
Status: Locked to the Windows API!

Path: c:\documents and settings\shamis\application data\macromedia\flash player\#sharedobjects\h75k99s3\www.nick.com.\[[import]]\media.mtvnservices.com\player\release\metadatahistory.sol
Status: Allocation size mismatch (API: 8192, Raw: 56)

Path: c:\documents and settings\shamis\application data\macromedia\flash player\#sharedobjects\h75k99s3\www.nick.com.\[[import]]\media.mtvnservices.com\player\release\playercounter.sol
Status: Allocation size mismatch (API: 264, Raw: 232)

Path: c:\documents and settings\shamis\application data\macromedia\flash player\#sharedobjects\h75k99s3\www.nick.com.\[[import]]\media.mtvnservices.com\player\release\userprefs.sol
Status: Allocation size mismatch (API: 432, Raw: 440)

==EOF==
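As an added example (not part of the thread or of either tool's output), the Python below correlates the locked CLSID\InprocServer32 key from the ComboFix log with the CLSID that Malwarebytes flagged as Trojan.BHO, using the two log excerpts copied from the posts above as constructed input; the "randomly named DLL in system32" heuristic is an assumption of this example, not something either tool reports.

```python
import re

# Constructed excerpts copied from the ComboFix and Malwarebytes logs posted above
# (the locked CLSID\InprocServer32 key and the MBAM "Registry Keys Infected" hit).
COMBOFIX_EXCERPT = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\wufefudi.dll"
"ThreadingModel"="Both"
"""
MBAM_EXCERPT = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
"""

CLSID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\(" + CLSID + r")\\InprocServer32\]", re.I)
DLL_RE = re.compile(r'^@="(.+)"$')          # default value of the key = DLL path
MBAM_RE = re.compile(r"CLSID\\(" + CLSID + r") \(([^)]+)\)", re.I)

def parse_combofix_locked_keys(text):
    """Map each locked CLSID (lower-cased) to the DLL named by its InprocServer32 default value."""
    locked, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        dll = DLL_RE.match(line)
        if dll and current:
            # .reg-style exports double every backslash; undo that to get a usable path
            locked[current] = dll.group(1).replace("\\\\", "\\")
            current = None
    return locked

def parse_mbam_registry_hits(text):
    """Map each CLSID MBAM flagged (lower-cased) to its detection name, e.g. Trojan.BHO."""
    return {m.group(1).lower(): m.group(2) for m in map(MBAM_RE.search, text.splitlines()) if m}

def correlate(combofix_text, mbam_text):
    """Join both logs on CLSID and flag DLLs that look like dropped, randomly named files."""
    hits, report = parse_mbam_registry_hits(mbam_text), []
    for clsid, dll in parse_combofix_locked_keys(combofix_text).items():
        name = dll.rsplit("\\", 1)[-1].lower()
        # Heuristic assumed by this example: an eight-letter lowercase .dll dropped straight
        # into system32 matches the pattern of the thread's wufefudi.dll; tune for your estate.
        random_name = "\\system32\\" in dll.lower() and re.fullmatch(r"[a-z]{8}\.dll", name) is not None
        report.append({"clsid": clsid, "dll": dll, "mbam": hits.get(clsid), "random_name": random_name})
    return report
```

A matching CLSID in both logs, with the same key shown as locked by ComboFix and "Delete on reboot" in MBAM, is the reason the helper could conclude the BHO was the redirect component.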

#8 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 02 July 2009 - 07:24 PM

OK, good. Looks like ComboFix took care of the rootkit. You can keep Malwarebytes and use it as an anti-malware solution. Always check for updates before doing a scan. You can delete ComboFix:

go to start>run and type in:
combofix /u
click ok or enter
note: there is a space after the x and before the /

You can also delete the rootrepeal icon off your desktop.

You can make a new restore point; the how and why:

One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.


3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

Some tips for you:


10 Tips for Reducing Your Risk To Malware:
The Short Version
In no special order:

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version is in the link below.
Happy Safe Surfing.



--------------------------------------------------------------

Edited by shelf life, 07 July 2009 - 07:48 PM.

How Can I Reduce My Risk to Malware?


#9 shamis

  • Topic Starter
  • Members
  • 10 posts

Posted 07 July 2009 - 11:46 AM

Thank you so much shelf life. I really appreciate your assistance.

Quick question. I am in the process of completing some of the steps you listed. Can you tell me or link me to how I can access my folders & programs under admin while using a limited account on my PC? Everything I need is basically under my administrator account (My Documents, Adobe programs, etc.) and when I am logged into the limited account, I can't access it.

Thanks
Shamis

#10 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 07 July 2009 - 07:46 PM

hi shamis,

Hey, you're welcome. I don't think you can view them under a limited account. XP Pro does have a Group Policy Editor that I believe can be modified to give a LUA account more privileges; I have never used it myself. If you have Fast User Switching enabled you can move between your admin account and your LUA. Some links:

http://blogs.msdn.com/aaron_margosis/archi.../17/158806.aspx

http://www.microsoft.com/windowsxp/using/a...rswitching.mspx

http://articles.techrepublic.com.com/5100-...11-5068206.html

http://support.microsoft.com/kb/307882

How Can I Reduce My Risk to Malware?




