infected with windowsclick.com and maybe others


17 replies to this topic

#1 ArthurEngland


Posted 29 August 2009 - 06:15 AM

Hi guys... Gateway laptop got infected a while back... tried all the best rated remedies I could find... eventually admitted defeat and reinstalled XP... (hard drive divided into C drive and backup partition D drive.)

After the new installation I installed AVG 8.5 and Spyware Doctor (free version) but am still getting browsers hijacked (Firefox and IE) by windowsclick.com and suspect there may be other infection(s) as well... Spyware Doctor reports a variety of trojans and other stuff I don't understand... claims to have fixed them but if I run another Spyware Doctor scan immediately it still shows infection... also confused as to whether Spyware Doctor and/or AVG 8.5 scans should be run in safe mode.

Have followed all steps in your guide... should I have instructed RootRepeal to scan the recovery partition designated D drive as well as the main partition designated drive C? Hoping you can help me... thanks in advance, Arthur in England... (not Scotland!!)

Scan reports with specified attachments follow:



DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 11:27:52.25 on 29/08/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.115 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehRec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\DDS\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.gatewaybiz.com
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.elt\applic~1\mozilla\firefox\profiles\lmmw0xax.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-8 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-8 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-8 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-8 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-7-8 200576]
S2 gupdate1c9ffeb440e081c;Google Update Service (gupdate1c9ffeb440e081c);c:\program files\google\update\GoogleUpdate.exe [2009-7-8 133104]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-7-8 69692]

=============== Created Last 30 ================

2009-08-28 23:54 <DIR> --d----- c:\program files\DDS
2009-08-27 17:13 <DIR> --d----- c:\program files\Trend Micro
2009-08-27 15:23 <DIR> --d----- c:\docume~1\owner~1.elt\applic~1\AVG8
2009-08-26 23:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-26 23:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-26 12:25 157,712 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-26 12:01 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-26 12:01 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-16 05:15 <DIR> --d----- c:\documents and settings\owner.eltelaptop\.housecall6.6
2009-08-14 17:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-08-13 04:28 1,409 a------- c:\windows\QTFont.for
2009-08-13 04:28 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-12 19:13 46,078 a------- c:\windows\Sysvxd.exe
2009-08-12 15:43 <DIR> --d----- c:\docume~1\owner~1.elt\applic~1\Logs
2009-08-12 03:03 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-09 17:31 <DIR> --d----- c:\program files\Atomic Runner
2009-08-09 14:34 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-07-31 15:08 <DIR> --d----- c:\docume~1\owner~1.elt\applic~1\BitTorrent
2009-07-31 15:08 <DIR> --d----- c:\program files\BitTorrent

==================== Find3M ====================

2009-08-29 09:40 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 09:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-18 03:07 1,180 a------- c:\docume~1\owner~1.elt\applic~1\wklnhst.dat
2009-08-05 10:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 19:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-08 22:25 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-08 21:32 17,801 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-08 21:27 8,552 a------- c:\windows\system32\drivers\asctrm.sys
2009-07-08 19:22 499,712 a------- c:\windows\system32\msvcp71.dll
2009-07-08 19:22 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-08 18:40 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-26 17:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 17:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 19:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 19:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 19:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 19:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 19:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 19:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 19:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 19:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 19:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 19:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 19:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 19:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 09:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 09:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 09:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 12:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 12:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 12:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 15:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 12:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 12:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 08:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 20:24 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 11:30:02.54 ===============



#2 Buckeye_Sam (Malware Expert)

Posted 30 August 2009 - 11:35 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ArthurEngland


Posted 31 August 2009 - 02:47 AM

Hi Sam... thank you for replying... unfortunately I think you've drawn the short straw (idiot user)... have downloaded ComboFix but when I double-click the icon on my desktop nothing happens... tried right click and 'Run as', which gives me a choice of two user accounts...

Current user (ELTELAPTOPbackslashOwner)... (had to type backslash as I bought the laptop in the US and live in the UK... backslash key produces # and # key produces sign :( )

The following user:

Administrator

Password (blank): when I reinstalled Windows a few weeks ago I deliberately left the password fields blank as it's only me that uses this laptop....


I've tried checking the option box on both of these account options but ComboFix still won't start... when I boot up the laptop it doesn't ask me for a password and it doesn't stop me running any other progs or making any other changes.... ArthurE

#4 ArthurEngland


Posted 31 August 2009 - 04:37 AM

Think it may still be the middle of the night in the US so adding that I've just discovered the following: the other day I tried running the Microsoft Malware Removal Tool, and it reported it had removed:

Trojan:Win32 Alureon.BF
globalroot\systemroot\system32\UACaiqujrwwbt.dll (finally found the `\` key after correcting the keyboard setting! :( )

Now when I run some programs Windows displays a message giving the prog name followed by the trojan file path above and refers me to the Windows CD as that DLL can't be accessed... don't know if this is relevant to ComboFix not running... also, re-reading my previous post, I think the user account comments are irrelevant... since other software runs OK. Have disabled AVG 8.5 and Spyware Doctor... do I need to re-enable these when I connect to the internet to check for your replies? thanks... ArthurE

#5 Buckeye_Sam (Malware Expert)

Posted 31 August 2009 - 12:04 PM

Yes, it's best if you re-enable your protective software once Combofix is done running.

Let's try something to see if we can get ComboFix to run. First delete combofix.exe from your desktop.

Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#6 ArthurEngland


Posted 31 August 2009 - 01:57 PM

Hi..... nothing on a computer ever works easily for me!... as you guessed it was my idiocy in forgetting to rename the Combo-Fix file that stopped it running... however... it immediately gave a warning bleep and told me AVG 8.5 was still running even though I'd right-clicked and disabled the system tray icon... went on the AVG site and checked their FAQs, which said the Resident Shield is the main component of the antivirus and instructed me to double-click this then uncheck the 'active' box... done this but the AVG user interface tells me the anti-spyware and antivirus components are still running... when I try double-clicking these components they don't give me an 'active' box to uncheck... thought of uninstalling AVG temporarily... but it doesn't appear in the Add/Remove Programs list in the Windows Control Panel :( what should I do next.... (sorry if I'm being really dumb... but I did warn you....) thanks....

#7 Buckeye_Sam (Malware Expert)

Posted 31 August 2009 - 02:45 PM

Make sure you disable it from the task bar and then proceed with ComboFix, disregarding any notification that AVG is still running.

#8 ArthurEngland


Posted 31 August 2009 - 03:40 PM

Hi Sam, here's the ComboFix log:

ComboFix 09-08-31.03 - Owner 31/08/2009 21:28.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.446.130 [GMT 1:00]
Running from: c:\documents and settings\Owner.ELTELAPTOP\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-387330229-896780806-503337124-500
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\drivers\SKYNETevtlqttk.sys
c:\windows\system32\drivers\UAChxypywjkmo.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETpdwortqb.dat
c:\windows\system32\SKYNETvleavdck.dat
c:\windows\system32\SKYNETvspjulnq.dll
c:\windows\system32\SKYNETyijbhvpf.dll
c:\windows\system32\UACaiqujrwwbt.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjmyqxyujkd.dll
c:\windows\system32\UACnbpsrrigdb.log
c:\windows\system32\UACthxdltoglp.dat
c:\windows\Sysvxd.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETjeyabuux
-------\Legacy_SKYNETjeyabuux
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-30 17:24 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-30 17:23 . 2009-08-30 17:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-30 17:19 . 2009-08-30 17:19 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-30 17:19 . 2009-08-31 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-30 16:17 . 2009-08-30 16:19 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot
2009-08-28 22:54 . 2009-08-28 22:54 -------- d-----w- c:\program files\DDS
2009-08-28 22:27 . 2009-08-28 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-27 16:13 . 2009-08-27 16:13 -------- d-----w- c:\program files\Trend Micro
2009-08-27 14:23 . 2009-08-27 14:23 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\AVG8
2009-08-26 22:34 . 2009-08-30 17:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 22:34 . 2009-08-30 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:25 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-26 11:01 . 2009-08-26 11:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 11:00 . 2009-08-26 11:00 152576 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-16 04:15 . 2009-08-26 11:19 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\.housecall6.6
2009-08-14 16:43 . 2009-08-14 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-08-12 14:43 . 2009-08-12 14:43 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Logs
2009-08-12 02:03 . 2009-08-12 02:03 -------- d-----w- c:\windows\ServicePackFiles
2009-08-09 20:37 . 2009-08-09 20:37 -------- d-----w- c:\windows\Sun
2009-08-09 16:31 . 2009-08-09 16:32 -------- d-----w- c:\program files\Atomic Runner
2009-08-09 13:34 . 2009-08-09 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-08-09 13:34 . 2009-08-09 13:34 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-08-09 10:27 . 2009-08-09 10:27 139 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Local Settings\Application Data\fusioncache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 20:28 . 2009-07-08 20:17 -------- d-----w- c:\program files\Google
2009-08-31 07:01 . 2009-07-08 16:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-30 17:31 . 2009-07-08 16:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 05:50 . 2009-07-08 17:40 -------- d-----w- c:\program files\AVG
2009-08-29 08:40 . 2009-07-08 17:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 08:40 . 2009-07-08 17:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 08:40 . 2009-07-08 17:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 11:23 . 2009-07-08 16:49 -------- d-----w- c:\program files\Spyware Doctor
2009-08-27 16:10 . 2009-07-08 20:23 -------- d-----w- c:\program files\Java
2009-08-18 02:07 . 2009-07-24 13:57 1180 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\wklnhst.dat
2009-08-17 16:30 . 2009-07-08 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-12 14:35 . 2009-07-31 14:08 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\BitTorrent
2009-08-09 13:30 . 2009-07-08 20:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-09 13:27 . 2009-07-08 20:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-05 09:11 . 2008-02-16 22:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 14:08 . 2009-07-31 14:08 -------- d-----w- c:\program files\BitTorrent
2009-07-24 14:01 . 2009-07-24 14:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Template
2009-07-23 18:18 . 2009-07-23 18:18 4 ----a-w- c:\windows\Pix1111.dat
2009-07-23 18:18 . 2009-07-08 20:25 4 ----a-w- c:\windows\Pix11.dat
2009-07-23 18:16 . 2009-07-23 18:16 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\CyberLink
2009-07-23 18:15 . 2009-07-23 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-07-19 16:06 . 2009-07-19 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-17 18:55 . 2008-02-16 22:21 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-02-16 22:30 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 22:20 . 2009-07-08 22:20 -------- d-----w- c:\program files\MSXML 4.0
2009-07-08 21:37 . 2009-07-08 20:16 -------- d-----w- c:\program files\BigFix
2009-07-08 21:25 . 2005-11-23 08:58 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-08 21:21 . 2005-11-23 09:38 32688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-08 21:16 . 2009-07-08 20:26 -------- d-----w- c:\program files\Napster
2009-07-08 21:16 . 2009-07-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-07-08 21:15 . 2009-07-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-08 21:12 . 2009-07-08 21:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-07-08 21:12 . 2009-07-08 21:12 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\McAfee.com Personal Firewall
2009-07-08 21:10 . 2009-07-08 20:27 -------- d-----w- c:\program files\Pure Networks
2009-07-08 21:09 . 2009-07-08 20:26 -------- d-----w- c:\program files\Common Files\AOL
2009-07-08 21:08 . 2009-07-08 21:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\AOL
2009-07-08 21:08 . 2009-07-08 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-07-08 20:33 . 2009-07-08 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-07-08 20:32 . 2009-07-08 20:32 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-08 20:31 . 2009-07-08 20:30 -------- d-----w- c:\program files\ATI Technologies
2009-07-08 20:31 . 2009-07-08 21:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\SampleView
2009-07-08 20:31 . 2009-07-08 20:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\SampleView
2009-07-08 20:30 . 2009-07-08 20:30 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-07-08 20:30 . 2009-07-08 20:30 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-07-08 20:30 . 2009-07-08 20:30 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-07-08 20:30 . 2009-07-08 20:30 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-07-08 20:29 . 2009-07-08 20:12 -------- d-----w- c:\program files\CONEXANT
2009-07-08 20:29 . 2009-07-08 20:29 -------- d-----w- c:\program files\Microsoft Money 2005
2009-07-08 20:29 . 2009-07-08 20:28 -------- d-----w- c:\program files\Microsoft Works
2009-07-08 20:28 . 2009-07-08 20:28 -------- d-----w- c:\program files\MSN Encarta Plus
2009-07-08 20:28 . 2009-07-08 21:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\You've Got Pictures Screensaver
2009-07-08 20:28 . 2009-07-08 20:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-07-08 20:28 . 2009-07-08 20:28 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-07-08 20:28 . 2009-07-08 20:27 -------- d-----w- c:\program files\QuickTime
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-07-08 20:27 . 2009-07-08 20:27 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\program files\Real
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\program files\Viewpoint
2009-07-08 18:22 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-08 18:22 . 2003-08-13 01:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-08 17:40 . 2009-07-08 17:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-08 17:34 . 2009-07-08 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-08 17:34 . 2009-07-08 20:34 -------- d-----w- c:\program files\McAfee
2009-07-08 16:52 . 2009-07-08 16:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-08 16:49 . 2009-07-08 16:49 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\PC Tools
2009-07-08 16:49 . 2009-07-08 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-26 16:18 . 2008-02-16 22:30 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2008-02-16 22:24 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2008-02-16 22:26 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2008-02-16 22:26 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2008-02-16 22:26 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2008-02-16 22:26 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2008-02-16 22:26 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2008-02-16 22:26 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2008-02-16 22:26 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2008-02-16 22:26 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2008-02-16 22:26 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2008-02-16 22:26 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2008-02-16 22:26 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2008-02-16 22:26 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:44 . 2008-02-16 22:29 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2008-02-16 22:28 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2008-02-16 22:28 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2008-02-16 22:27 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2008-02-16 22:26 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2008-02-16 22:24 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 2008-02-16 22:26 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2008-02-16 22:26 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2008-02-16 22:26 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2008-02-16 22:26 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2008-02-16 22:24 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2008-02-16 22:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2008-02-16 22:23 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2008-02-16 22:29 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2008-02-16 22:29 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2008-02-16 22:21 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-02-16 22:30 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2008-02-16 22:27 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:24 . 2005-11-23 07:12 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-07-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-26 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 08:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [08/07/2009 17:50 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/07/2009 18:40 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/07/2009 18:40 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/07/2009 18:40 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/07/2009 18:40 297752]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [08/07/2009 20:02 200576]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [08/07/2009 19:58 69692]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [08/07/2009 17:50 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-02-16 19:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.ELTELAPTOP\Application Data\Mozilla\Firefox\Profiles\lmmw0xax.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-08-31 21:38
ComboFix-quarantined-files.txt 2009-08-31 20:38

Pre-Run: 43,698,069,504 bytes free
Post-Run: 44,420,157,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

278 --- E O F --- 2009-08-30 22:07

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:54 PM

Posted 01 September 2009 - 11:34 AM

Looking much better now. Just a few small items that I notice and then we'll want to pick off any remnants left over with Malwarebytes.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 ArthurEngland
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:54 PM

Posted 01 September 2009 - 12:53 PM

Hi Sam, logs follow:

ComboFix 09-08-31.03 - Owner 31/08/2009 21:28.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.446.130 [GMT 1:00]
Running from: c:\documents and settings\Owner.ELTELAPTOP\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-387330229-896780806-503337124-500
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\drivers\SKYNETevtlqttk.sys
c:\windows\system32\drivers\UAChxypywjkmo.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETpdwortqb.dat
c:\windows\system32\SKYNETvleavdck.dat
c:\windows\system32\SKYNETvspjulnq.dll
c:\windows\system32\SKYNETyijbhvpf.dll
c:\windows\system32\UACaiqujrwwbt.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjmyqxyujkd.dll
c:\windows\system32\UACnbpsrrigdb.log
c:\windows\system32\UACthxdltoglp.dat
c:\windows\Sysvxd.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETjeyabuux
-------\Legacy_SKYNETjeyabuux
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-30 17:24 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-30 17:23 . 2009-08-30 17:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-30 17:19 . 2009-08-30 17:19 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-30 17:19 . 2009-08-31 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-30 16:17 . 2009-08-30 16:19 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot
2009-08-28 22:54 . 2009-08-28 22:54 -------- d-----w- c:\program files\DDS
2009-08-28 22:27 . 2009-08-28 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-27 16:13 . 2009-08-27 16:13 -------- d-----w- c:\program files\Trend Micro
2009-08-27 14:23 . 2009-08-27 14:23 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\AVG8
2009-08-26 22:34 . 2009-08-30 17:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 22:34 . 2009-08-30 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:25 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-26 11:01 . 2009-08-26 11:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 11:00 . 2009-08-26 11:00 152576 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-16 04:15 . 2009-08-26 11:19 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\.housecall6.6
2009-08-14 16:43 . 2009-08-14 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-08-12 14:43 . 2009-08-12 14:43 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Logs
2009-08-12 02:03 . 2009-08-12 02:03 -------- d-----w- c:\windows\ServicePackFiles
2009-08-09 20:37 . 2009-08-09 20:37 -------- d-----w- c:\windows\Sun
2009-08-09 16:31 . 2009-08-09 16:32 -------- d-----w- c:\program files\Atomic Runner
2009-08-09 13:34 . 2009-08-09 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-08-09 13:34 . 2009-08-09 13:34 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-08-09 10:27 . 2009-08-09 10:27 139 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Local Settings\Application Data\fusioncache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 20:28 . 2009-07-08 20:17 -------- d-----w- c:\program files\Google
2009-08-31 07:01 . 2009-07-08 16:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-30 17:31 . 2009-07-08 16:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 05:50 . 2009-07-08 17:40 -------- d-----w- c:\program files\AVG
2009-08-29 08:40 . 2009-07-08 17:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 08:40 . 2009-07-08 17:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 08:40 . 2009-07-08 17:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 11:23 . 2009-07-08 16:49 -------- d-----w- c:\program files\Spyware Doctor
2009-08-27 16:10 . 2009-07-08 20:23 -------- d-----w- c:\program files\Java
2009-08-18 02:07 . 2009-07-24 13:57 1180 ----a-w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\wklnhst.dat
2009-08-17 16:30 . 2009-07-08 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-12 14:35 . 2009-07-31 14:08 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\BitTorrent
2009-08-09 13:30 . 2009-07-08 20:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-09 13:27 . 2009-07-08 20:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-05 09:11 . 2008-02-16 22:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 14:08 . 2009-07-31 14:08 -------- d-----w- c:\program files\BitTorrent
2009-07-24 14:01 . 2009-07-24 14:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\Template
2009-07-23 18:18 . 2009-07-23 18:18 4 ----a-w- c:\windows\Pix1111.dat
2009-07-23 18:18 . 2009-07-08 20:25 4 ----a-w- c:\windows\Pix11.dat
2009-07-23 18:16 . 2009-07-23 18:16 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\CyberLink
2009-07-23 18:15 . 2009-07-23 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-07-19 16:06 . 2009-07-19 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-17 18:55 . 2008-02-16 22:21 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-02-16 22:30 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 22:20 . 2009-07-08 22:20 -------- d-----w- c:\program files\MSXML 4.0
2009-07-08 21:37 . 2009-07-08 20:16 -------- d-----w- c:\program files\BigFix
2009-07-08 21:25 . 2005-11-23 08:58 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-08 21:21 . 2005-11-23 09:38 32688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-08 21:16 . 2009-07-08 20:26 -------- d-----w- c:\program files\Napster
2009-07-08 21:16 . 2009-07-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-07-08 21:15 . 2009-07-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-08 21:12 . 2009-07-08 21:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-07-08 21:12 . 2009-07-08 21:12 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\McAfee.com Personal Firewall
2009-07-08 21:10 . 2009-07-08 20:27 -------- d-----w- c:\program files\Pure Networks
2009-07-08 21:09 . 2009-07-08 20:26 -------- d-----w- c:\program files\Common Files\AOL
2009-07-08 21:08 . 2009-07-08 21:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\AOL
2009-07-08 21:08 . 2009-07-08 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-07-08 20:33 . 2009-07-08 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-07-08 20:32 . 2009-07-08 20:32 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-08 20:31 . 2009-07-08 20:30 -------- d-----w- c:\program files\ATI Technologies
2009-07-08 20:31 . 2009-07-08 21:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\SampleView
2009-07-08 20:31 . 2009-07-08 20:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\SampleView
2009-07-08 20:30 . 2009-07-08 20:30 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-07-08 20:30 . 2009-07-08 20:30 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-07-08 20:30 . 2009-07-08 20:30 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-07-08 20:30 . 2009-07-08 20:30 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-07-08 20:29 . 2009-07-08 20:12 -------- d-----w- c:\program files\CONEXANT
2009-07-08 20:29 . 2009-07-08 20:29 -------- d-----w- c:\program files\Microsoft Money 2005
2009-07-08 20:29 . 2009-07-08 20:28 -------- d-----w- c:\program files\Microsoft Works
2009-07-08 20:28 . 2009-07-08 20:28 -------- d-----w- c:\program files\MSN Encarta Plus
2009-07-08 20:28 . 2009-07-08 21:01 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\You've Got Pictures Screensaver
2009-07-08 20:28 . 2009-07-08 20:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-07-08 20:28 . 2009-07-08 20:28 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-07-08 20:28 . 2009-07-08 20:27 -------- d-----w- c:\program files\QuickTime
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-07-08 20:27 . 2009-07-08 20:27 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\program files\Real
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-08 20:27 . 2009-07-08 20:27 -------- d-----w- c:\program files\Viewpoint
2009-07-08 18:22 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-08 18:22 . 2003-08-13 01:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-08 17:40 . 2009-07-08 17:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-08 17:34 . 2009-07-08 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-08 17:34 . 2009-07-08 20:34 -------- d-----w- c:\program files\McAfee
2009-07-08 16:52 . 2009-07-08 16:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-08 16:49 . 2009-07-08 16:49 -------- d-----w- c:\documents and settings\Owner.ELTELAPTOP\Application Data\PC Tools
2009-07-08 16:49 . 2009-07-08 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-26 16:18 . 2008-02-16 22:30 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2008-02-16 22:24 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2008-02-16 22:26 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2008-02-16 22:26 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2008-02-16 22:26 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2008-02-16 22:26 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2008-02-16 22:26 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2008-02-16 22:26 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2008-02-16 22:26 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2008-02-16 22:26 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2008-02-16 22:26 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2008-02-16 22:26 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2008-02-16 22:26 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2008-02-16 22:26 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:44 . 2008-02-16 22:29 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2008-02-16 22:28 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2008-02-16 22:28 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2008-02-16 22:27 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2008-02-16 22:26 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2008-02-16 22:24 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 2008-02-16 22:26 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2008-02-16 22:26 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2008-02-16 22:26 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2008-02-16 22:26 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2008-02-16 22:24 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2008-02-16 22:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2008-02-16 22:23 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2008-02-16 22:29 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2008-02-16 22:29 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2008-02-16 22:21 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-02-16 22:30 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2008-02-16 22:27 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:24 . 2005-11-23 07:12 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-08 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-07-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-26 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 08:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [08/07/2009 17:50 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/07/2009 18:40 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/07/2009 18:40 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/07/2009 18:40 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/07/2009 18:40 297752]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [08/07/2009 20:02 200576]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [08/07/2009 19:58 69692]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [08/07/2009 17:50 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-02-16 19:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.ELTELAPTOP\Application Data\Mozilla\Firefox\Profiles\lmmw0xax.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-08-31 21:38
ComboFix-quarantined-files.txt 2009-08-31 20:38

Pre-Run: 43,698,069,504 bytes free
Post-Run: 44,420,157,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

278 --- E O F --- 2009-08-30 22:07

Malwarebytes' Anti-Malware 1.40
Database version: 2725
Windows 5.1.2600 Service Pack 2

01/09/2009 18:21:41
mbam-log-2009-09-01 (18-21-41).txt

Scan type: Quick Scan
Objects scanned: 94166
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1727811498-2590716644-3829624948-1006\Dc2.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot\Log\2009 Aug 30 - 05_17_47 PM_093.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ELTELAPTOP\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.


Computer seems to be working fine...slight query re drive D (recovery partition, I think)...MWB didn't seem to offer me an option to check different drives...do I need to do anything extra about this? (I notice in the ComboFix log "other deletions" section it refers to a D autorun.inf file?)

Also Windows keeps nagging me to install IE7..I seem to remember ages ago changing back from IE7 to IE6 as IE7 stopped me uninstalling something (can't remember what)..I use Firefox as I read that it was less likely to be attacked than IE...should I update to IE7 anyway for security purposes?

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:54 PM

Posted 01 September 2009 - 01:22 PM

I'm certain there's a way to have Malwarebytes scan your D: drive, at least I think so. I haven't done it myself so I guess I can't take you through the right steps. Just poke around in the settings and you should be able to figure it out.

I'm a Firefox guy myself and only use IE if I need to visit Windows Update. I think Firefox is by default a much safer and more secure browser, but I would go ahead and update IE to the current version. It should be up to version 8 by now. The updated versions will include security updates and fixes that I know IE6 won't have.


Assuming everything is running smoothly, let me give you some last steps and some recommendations.


We need to remove ComboFix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 ArthurEngland

ArthurEngland
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 01 September 2009 - 02:43 PM

Hiya Sam...

Found the Drives option in the MWB full scan screen...ran a full scan which threw up the two files in the following log:

Malwarebytes' Anti-Malware 1.40
Database version: 2725
Windows 5.1.2600 Service Pack 2

01/09/2009 20:14:29
mbam-log-2009-09-01 (20-14-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 141196
Time elapsed: 24 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjmyqxyujkd.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP52\A0009389.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


I'm guessing I can go ahead with uninstalling ComboFix now, then follow your instruction to disable/re-enable recovery...then run an MWB scan again?
Also...now I've installed MWB, would you recommend I uninstall Spyware Doctor (free version) before I install Spybot Search and Destroy? I was running AVG 8.5 alongside Spyware Doctor....spent a couple of hours this morning reading the BC material on antivirus options...I realise it might be undiplomatic for you to choose one for me, but I got the impression Kaspersky, Avira, and NOD32 were highly regarded; would you recommend I replace AVG 8.5 (free) with one of these?

#13 Buckeye_Sam

Posted 02 September 2009 - 11:09 AM

Those two items that were detected are quarantined or in your system restore. Either way, taking the steps that I posted will eliminate both and anything else lurking in those places.

I don't think the free version of Spyware Doctor will actually remove any malware. It will detect it just fine, but I believe you'd have to purchase the full version for the removal. Spybot is better in that it's completely free and will remove whatever it finds.

Over the years I've recommended AVG many times. But it does appear that it's not as strong as it once was, and I've even just recently removed it from one of my computers and installed Avast in its place. I've always heard very good things about Nod32, although I am seeing many infected logs here lately where it was supposed to be providing the protection. For what it's worth, I haven't seen a log with Kaspersky in it for quite a while.
========================================================

#14 ArthurEngland

Posted 02 September 2009 - 03:38 PM

Hi Sam,

Followed your instructions and everything seems hunky-dory!....thanks also for the excellent advice, which I am following carefully!!
I am truly grateful for your time and effort..what you guys do is brilliant..I am now an avid fan of BC and determined to read up on the reams of stuff I don't know in the archives and tutorials..and I will be making a donation...

This brings me to one last question if you have time...up till a few weeks ago I had been using my computer to do my online banking as it is far more convenient....providing I take all the precautions you have suggested, do you think it is safe to continue to do this and to use a credit card for purchases from reliable sites with secure servers such as Amazon...or is it simply too risky in the current internet environment with identity theft and spyware so prevalent?
I would be grateful for an expert opinion, as it is difficult for a non-technical person like me to see the true risk amongst all the hype and media scares...
Thanks again,

ArthurE :(

#15 ArthurEngland

Posted 03 September 2009 - 05:01 AM

P.S.

Hiya Sam....sleepless night dreaming about computer security....have read all the excellent articles you directed me to and feel I'm beginning to get a handle on this stuff..two small queries...when I tried to install the free ZoneAlarm firewall it gave me the message

This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.

...is this something obvious, e.g. do I need to disable the Windows firewall or anything else before attempting to install ZoneAlarm? (not being lazy asking you! I did look on their site for this info but couldn't find it) or should I simply leave that one and install Outpost free firewall?

Secondly, about to remove AVG 8.5 (free) and, following your advice, replace it with Avast (free)...having read all the articles you suggested, it seems that, the way all these companies compete and swap positions in independent(?) trials, the average user (like me) is pretty much as well off with the free versions of anti-virus, anti-spyware, and firewall as with commercial versions, providing I keep updating and referring to expert guidance from BC.com...would you say this is roughly true? (I have bought commercial versions of anti-virus in the past.) Is there any obvious exception to this? i.e. is there any piece of commercial anti-virus, anti-spyware or firewall which you would advise me is a "must have"? Thanks again, ArthurE

P.P.S. Have just subscribed to ESPN sports to get extra English Premier League football (soccer) matches and find they also give me live U.S. baseball...shall now be supporting the Cleveland Indians (is that the right team?) :( :(