
Possibly Infected with Virus Remnants?


This topic is locked
12 replies to this topic

#1 germanguyuk (Members, 11 posts)

Posted 23 January 2010 - 10:21 AM

I posted a message in another forum and, on the advice of Quietman7, was asked to run a DDS report and attach it to this posting. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/289278/can-you-please-check-if-i-removed-my-previous-infection-completely/ ~ OB

Here's my original posting copy:

Hi there and thanks for your reply.

I am running a laptop with 2GB memory, Win 7 Professional, and use Free AVG antivirus.
Plus I use Free KeyScrambler on both IE & Mozilla.

Well, it started with an error on my part: allowing a fake icon through that got Internet Security onto my PC. Then, as the HD went crazy, I realised that something was wrong and disconnected my internet connection a few moments later. Sadly, too late. I had the Internet Security 2010 screen already on my desktop.

Apart from the annoying instance of Internet Security 2010 running and taking over the PC in speed and responsiveness, I also noticed that any links listed in google would re-direct to other sites rather than the one I wanted.

After that mishap, I followed some of the advice I found in your forums, not how to change the system, but what tools to use to check for virus remnants.

I used the following software:

- MalWareBytes - found nothing
- Spybot - found some tracking cookies and a trojan
- SpywareBlaster - found a trojan
- SuperAntiSpyware - found nothing
- Dr Web Cureit - found nothing
- PLUS various online antivirus checkers - found nothing
- TempFileCleaner - just a run to clear out the junk

Since then I have installed Threatfire, PC Tools Firewall and also have Spybot running with Teatimer.

While it all looks ok on the surface, I just want to make sure that it is the same 'underneath', and would like to ask for your assistance in this if possible.

Thanks very much.

Wolf

Attached file: DDS.txt (17.76 KB)

Edited by Orange Blossom, 23 January 2010 - 11:30 PM.



#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 29 January 2010 - 03:47 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours, please feel free to send me a PM.

The help you receive here is always free.

#3 germanguyuk (Topic Starter)

Posted 29 January 2010 - 06:16 PM

Hello Eb,

Thanks for your reply. I don't see any obvious signs of problems at the moment, but as I manually removed the IS 2010 malware, I want to make sure my system is clean again.

I ran both DDS and RootRepeal. DDS worked fine, but RootRepeal would not work for me. I attach the reports for DDS and also a picture of the message I got from RootRepeal.

Thanks for your time with this.

Wolf


#4 extremeboy (Malware Response Team)

Posted 29 January 2010 - 07:06 PM

Hello.

I recommend you uninstall ThreatFire before continuing with this. Furthermore, I do not recommend ThreatFire, due to the number of "hooks" it places on the system, which causes poor system performance.

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the download locations on the GMER site (http://www.gmer.net) and save it to your desktop.
    One version downloads a zip file that you will need to extract first. If you use that mirror, extract the zip file to its own folder on your desktop.
  • Close any and all open programs and save any work you have open, as there is a small chance this application may crash your computer.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Note: Do not run any program while GMER is running.
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Accept button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Accept button.
  • The program will begin downloading the latest program and definition files. It may take a while, so please be patient and let it finish.
  • Once the files have been downloaded, click on the Settings... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the OK button if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while; be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Post those two logs in your next reply.

Thanks.

#5 germanguyuk (Topic Starter)

Posted 30 January 2010 - 08:57 AM

Hi Eb,

Once again, thanks for your feedback. On your advice I have now removed ThreatFire, and the system seems to be somewhat happier at startup too.

Anyway, here are the 2 reports you asked me to include:

GMER results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-30 09:13:36
Windows 6.1.7600
Running: qbtb2jkz.exe; Driver: C:\Users\Wolf\AppData\Local\Temp\kxldqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAllocateVirtualMemory [0x941E3752]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAlpcConnectPort [0x941E3388]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAssignProcessToJobObject [0x941E3440]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwConnectPort [0x941E3482]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0x941E3530]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0x941E3DD8]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcessEx [0x941E3E64]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThread [0x941E3EF4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThreadEx [0x941E3F96]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateUserProcess [0x941E3D68]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDebugActiveProcess [0x941E3580]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDuplicateObject [0x941E35C2]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0x941E3606]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenKey [0x941E3648]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenSection [0x941E368A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenThread [0x941E36CC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwProtectVirtualMemory [0x941E379A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRequestWaitReplyPort [0x941E370E]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRestoreKey [0x941E37DC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwResumeThread [0x941E3824]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSecureConnectPort [0x941E38B4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSetValueKey [0x941E3866]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSuspendProcess [0x941E3958]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSystemDebugControl [0x941E399A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0x941E39DC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwWriteVirtualMemory [0x941E3A2A]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E35AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E35104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E353F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1D634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1D898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E351DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E35958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E356F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E35F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E361A8

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Here are the results for Kaspersky:

Saturday, January 30, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, January 30, 2010 08:39:25
Records in database: 3386438


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Objects scanned 146704
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 04:09:03

No threats found. Scanned area is clean.
Selected area has been scanned.


Hope this meets the requirements you needed.

Thanks, Wolf
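The GMER log above lists SSDT hooks and attached devices, and post #4 warns that such scans produce false positives. The useful first step is therefore to group every hook by the module that owns it and compare that module against what is known to be installed. The script below is an added example for this thread, not GMER's or BleepingComputer's code: the allow-list of driver names is constructed from the security products in the user's own logs (PC Tools Firewall Plus and AVG Free 9.0), the sample log excerpt is constructed in GMER's line format, and example_unknown.sys is a hypothetical driver name used only to show how an unlisted hooker is reported.

```python
"""Triage a GMER log: group every SSDT hook and attached device by the module
that owns it and compare that module against the security products known to
be installed. Added example for this thread, not GMER's own tooling."""
import re

# Allow-list constructed from the drivers that the DDS report in this thread
# attributes to PC Tools Firewall Plus and AVG Free 9.0 (assumption: those
# products are legitimately installed on the machine being examined).
KNOWN_SECURITY_MODULES = {
    "pctappevent.sys": "PC Tools Firewall Plus",
    "pctgntdi.sys": "PC Tools Firewall Plus",
    "avgtdix.sys": "AVG Free 9.0",
    "avgldx86.sys": "AVG Free 9.0",
    "avgmfx86.sys": "AVG Free 9.0",
}

# Constructed excerpt in the GMER 1.0.15 line format; example_unknown.sys is a
# hypothetical driver name used only to show how an unlisted hooker is reported.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0x941E3DD8]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0x941E3606]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0x941E39DC]
SSDT \??\C:\Windows\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0x9A0B1234]
SSDT \??\C:\Windows\system32\drivers\example_unknown.sys ZwEnumerateKey [0x9A0B1300]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<path>\S+)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>.*)\))?\s*$")


def module_name(path):
    """Lower-cased file name of an NT path such as \\??\\C:\\...\\PCTAppEvent.sys."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return the SSDT hooks and attached devices found in GMER output."""
    ssdt, devices = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt.append({"module": module_name(m["path"]), "path": m["path"],
                         "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append({"driver": m["driver"], "device": m["device"],
                            "module": m["module"].lower(), "desc": m["desc"] or ""})
    return {"ssdt": ssdt, "devices": devices}


def summarize_hooks(parsed, known=KNOWN_SECURITY_MODULES):
    """Per hooking module: hook count, hooked functions, address span, allow-list status."""
    summary = {}
    for hook in parsed["ssdt"]:
        entry = summary.setdefault(hook["module"], {
            "count": 0, "functions": [], "addr_min": hook["addr"], "addr_max": hook["addr"],
            "known": hook["module"] in known, "product": known.get(hook["module"])})
        entry["count"] += 1
        entry["functions"].append(hook["func"])
        entry["addr_min"] = min(entry["addr_min"], hook["addr"])
        entry["addr_max"] = max(entry["addr_max"], hook["addr"])
    return summary


def unknown_modules(parsed, known=KNOWN_SECURITY_MODULES):
    """Modules that hook the SSDT or sit on a device stack and are not on the allow-list.
    The parenthesised description GMER prints comes from the file's version resource,
    not from a signature check, so a Microsoft description is treated as a hint only."""
    modules = {h["module"] for h in parsed["ssdt"]}
    modules |= {d["module"] for d in parsed["devices"] if "Microsoft Corporation" not in d["desc"]}
    return sorted(m for m in modules if m not in known)


def report(parsed, known=KNOWN_SECURITY_MODULES):
    """Human-readable lines, one per hooking module, plus a closing review line."""
    lines = []
    for mod, s in sorted(summarize_hooks(parsed, known).items()):
        tag = s["product"] or "NOT ON ALLOW-LIST"
        lines.append(f"{mod}: {s['count']} SSDT hooks in 0x{s['addr_min']:X}-0x{s['addr_max']:X} ({tag})")
    unknown = unknown_modules(parsed, known)
    lines.append("review: " + (", ".join(unknown) if unknown else "all hooking modules are accounted for"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_gmer(SAMPLE_GMER_LOG))))
```

GMER names the module whose loaded image contains each hook's target address, so hooks belonging to one product cluster in one address span (the PCTAppEvent.sys hooks in the log above all sit in 0x941E3xxx). A module that is not on the allow-list is a review item, not a verdict: the allow-list has to be built from the products actually installed on that machine, and the description in parentheses is not a signature check.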

#6 extremeboy (Malware Response Team)

Posted 30 January 2010 - 04:11 PM

Hello.

That looks good. How's your computer running?

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

Thanks.

With Regards,
Extremeboy
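Post #6 asks for a fresh DDS run. The DDS "Pseudo HJT Report" section packs security-relevant registry state into one-line entries (the DDS/HijackThis convention: a leading u means HKCU, m means HKLM), and a few kinds of entry deserve a second look whatever the scanners report: the UAC policy values under Policies\System, hosts-file entries, AppInit_DLLs, Winlogon Notify packages, and registrations that point at a file that no longer exists. The script below is an added example for this thread, not DDS's own code; the sample excerpt is constructed in the DDS line format (modeled on lines that appear in this thread), the known_appinit allow-list is an assumption the caller supplies, and the severity labels are this example's own choice.

```python
"""Flag the security-relevant lines in a DDS 'Pseudo HJT Report'. Added example
for this thread, not DDS's own code. Prefixes follow the DDS/HijackThis
convention (u = HKCU, m = HKLM); the severity labels are this example's choice."""
import re

# Constructed excerpt in the DDS line format, modeled on the report in this thread.
SAMPLE_HJT = r"""
uStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - No File
TB: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

POLICY_RE = re.compile(r"^(?P<scope>[um])Policies-(?P<key>\w+):\s*(?P<name>\w+)\s*=\s*(?P<val>-?\d+)")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|TB|SEH|Handler):\s*(?P<rest>.*?)\s-\sNo File\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.+?)\s*$")
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s-\s(?P<path>.+?)\s*$")

# HKLM\...\Policies\System values whose listed setting weakens UAC.
UAC_CHECKS = {
    ("system", "EnableLUA", 0): ("high", "UAC is disabled; an administrator's processes run with the full token"),
    ("system", "ConsentPromptBehaviorAdmin", 0): ("high", "administrators elevate without any prompt"),
    ("system", "PromptOnSecureDesktop", 0): ("medium", "UAC prompts appear on the normal desktop, where another process can spoof them"),
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def finding(severity, category, line, why):
    return {"severity": severity, "category": category, "line": line, "why": why}


def triage(text, known_appinit=()):
    """Return findings sorted by severity. known_appinit (assumption supplied by the
    caller) names AppInit DLLs that belong to products installed on the machine."""
    known_appinit = {d.lower() for d in known_appinit}
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := POLICY_RE.match(line)):
            key = (m["key"], m["name"], int(m["val"]))
            if key in UAC_CHECKS:
                sev, why = UAC_CHECKS[key]
                findings.append(finding(sev, "uac-policy", line, why))
        elif (m := NOFILE_RE.match(line)):
            findings.append(finding("low", "orphaned-" + m["kind"].lower(), line,
                                    "registration points at a file that no longer exists; usually left behind by an uninstall or a removal"))
        elif (m := HOSTS_RE.match(line)):
            if m["host"].lower() != "localhost":
                findings.append(finding("medium", "hosts", line,
                                        f"{m['host']} resolves to {m['ip']} on this machine; confirm who added the entry"))
        elif (m := APPINIT_RE.match(line)):
            for dll in re.split(r"[,\s]+", m["dlls"]):
                if not dll:
                    continue
                sev = "info" if dll.lower() in known_appinit else "high"
                findings.append(finding(sev, "appinit", line,
                                        f"{dll} is injected into every process that loads user32.dll while AppInit loading is enabled"))
        elif (m := NOTIFY_RE.match(line)):
            findings.append(finding("low", "winlogon-notify", line,
                                    f"{m['name']} loads into winlogon.exe at logon; verify {m['path']} belongs to an installed product"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, known_appinit={"avgrsstx.dll"}):
        print(f"[{f['severity']:6}] {f['category']:16} {f['line']}\n          {f['why']}")
```

The three UAC lines are the ones a cleanup thread most easily overlooks, because no scanner flags them: with EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0, anything that runs as the logged-on administrator already has the full token and never triggers a prompt, which is exactly the condition a fake "Internet Security" installer wants. The script only ranks what to look at; whether a hosts entry or a Notify package is legitimate still has to be settled against the installed-programs list in the Attach report.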

#7 germanguyuk (Topic Starter)

Posted 30 January 2010 - 06:27 PM

Hi Eb,

My laptop is running ok and I have not had any problems so far, since removing the IS 2010 malware.
So I am pretty happy with it, and your last feedback was also very encouraging that I seem to have cleaned out the malware fully.

Here are the 2 reports you asked me to run again and post:

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Wolf at 23:21:40.42 on 30/01/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2038.1161 [GMT 0:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Wolf\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: blank
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\wolf\appdata\roaming\mozilla\firefox\profiles\yhwvorj1.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\wolf\appdata\roaming\mozilla\firefox\profiles\yhwvorj1.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-21 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-21 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-21 360584]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-18 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-21 285392]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-1-18 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-1-18 818432]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-16 1153368]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-11-11 115312]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2007-3-7 2595840]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-1-18 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-1-18 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-1-18 115216]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

=============== Created Last 30 ================

2010-01-27 07:05:13 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-27 07:05:13 2614272 ----a-w- c:\windows\explorer.exe
2010-01-23 16:28:53 49152 ----a-w- c:\windows\system32\INETWH32.DLL
2010-01-23 16:28:53 28672 ----a-w- c:\windows\system32\nnr.dll
2010-01-23 16:28:53 1056768 ----a-w- c:\windows\system32\ROBOEX32.DLL
2010-01-23 16:26:49 0 d-----w- c:\program files\NetObjects
2010-01-23 13:12:12 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-01-22 10:07:32 65536 --sha-w- c:\users\wolf\NTUSER.DAT{b5ad5c35-0733-11df-9e37-00c09fe549bc}.TM.blf
2010-01-22 10:07:32 524288 --sha-w- c:\users\wolf\NTUSER.DAT{b5ad5c35-0733-11df-9e37-00c09fe549bc}.TMContainer00000000000000000002.regtrans-ms
2010-01-22 10:07:32 524288 --sha-w- c:\users\wolf\NTUSER.DAT{b5ad5c35-0733-11df-9e37-00c09fe549bc}.TMContainer00000000000000000001.regtrans-ms
2010-01-22 09:22:53 0 d-----w- c:\users\wolf\appdata\roaming\Uniblue
2010-01-22 09:22:28 0 d-----w- c:\program files\Uniblue
2010-01-22 08:41:45 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 09:52:23 0 d-----w- c:\users\wolf\appdata\roaming\AVG9
2010-01-21 09:46:17 0 d--h--w- C:\$AVG
2010-01-21 09:46:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-21 09:46:11 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-21 09:46:00 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-21 09:45:51 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-21 09:45:20 0 d-----w- c:\programdata\avg9
2010-01-20 21:58:24 0 d-----w- c:\program files\WOT
2010-01-20 19:46:04 0 d-----w- c:\programdata\Alwil Software
2010-01-20 18:31:27 0 d-----w- c:\users\wolf\appdata\roaming\Foxit
2010-01-20 18:31:26 0 d-----w- c:\program files\Foxit Software
2010-01-19 21:07:45 65536 --sha-w- c:\users\wolf\NTUSER.DAT{cdb82971-053b-11df-b0fc-00c09fe549bc}.TM.blf
2010-01-19 21:07:45 524288 --sha-w- c:\users\wolf\NTUSER.DAT{cdb82971-053b-11df-b0fc-00c09fe549bc}.TMContainer00000000000000000002.regtrans-ms
2010-01-19 21:07:45 524288 --sha-w- c:\users\wolf\NTUSER.DAT{cdb82971-053b-11df-b0fc-00c09fe549bc}.TMContainer00000000000000000001.regtrans-ms
2010-01-19 18:25:29 0 d-----w- c:\programdata\Kaspersky Lab
2010-01-19 18:07:58 0 d-----w- c:\program files\SpywareBlaster
2010-01-19 10:03:11 0 d-----w- c:\users\wolf\DoctorWeb
2010-01-18 09:02:43 0 d-----w- c:\users\wolf\appdata\roaming\PCToolsFirewallPlus
2010-01-18 09:00:26 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-18 09:00:26 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-01-18 09:00:26 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-01-18 09:00:26 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-18 09:00:13 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-01-18 09:00:13 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-18 09:00:13 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-01-18 08:59:28 7435 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.cat
2010-01-18 08:59:28 7399 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.cat
2010-01-18 08:59:28 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-01-18 08:59:28 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-01-18 08:59:28 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-01-18 08:59:28 0 d-----w- c:\program files\common files\PC Tools
2010-01-18 08:59:26 7383 ----a-w- c:\windows\system32\drivers\pctplfw.cat
2010-01-18 08:59:26 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-01-18 08:59:24 0 d-----w- c:\program files\PC Tools Firewall Plus
2010-01-17 19:38:26 524288 --sha-w- c:\users\wolf\NTUSER.DAT{cd196ba8-0364-11df-b686-00c09fe549bc}.TMContainer00000000000000000002.regtrans-ms
2010-01-17 19:38:25 65536 --sha-w- c:\users\wolf\NTUSER.DAT{cd196ba8-0364-11df-b686-00c09fe549bc}.TM.blf
2010-01-17 19:38:25 524288 --sha-w- c:\users\wolf\NTUSER.DAT{cd196ba8-0364-11df-b686-00c09fe549bc}.TMContainer00000000000000000001.regtrans-ms
2010-01-17 19:08:23 0 d-----w- c:\program files\MSXML 4.0
2010-01-16 23:48:58 536576 ----a-w- c:\windows\system32\msvcr70d.dll
2010-01-16 23:48:57 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-01-16 23:48:57 20992 ----a-w- c:\windows\system32\temp.007
2010-01-16 02:46:30 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-16 02:41:27 0 d-----w- c:\users\wolf\appdata\roaming\SUPERAntiSpyware.com
2010-01-16 02:41:27 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 02:40:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-16 00:30:49 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-16 00:30:49 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 17:54:07 0 d-----w- c:\users\wolf\appdata\roaming\Malwarebytes
2010-01-15 17:54:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 17:54:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 17:54:00 0 d-----w- c:\programdata\Malwarebytes
2010-01-15 17:54:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 17:51:08 0 d--h--w- c:\windows\PIF
2010-01-15 13:09:12 938272 ----a-w- c:\windows\system32\wodFtpDLX.OCX
2010-01-15 12:49:07 0 d---a-w- c:\programdata\TEMP
2010-01-13 08:36:23 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 08:36:23 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 09:40:55 0 d-----w- c:\programdata\page
2010-01-12 09:40:55 0 d-----w- c:\program files\Ashampoo

==================== Find3M ====================

2010-01-19 08:24:54 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-05 09:55:39 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-12-05 09:55:39 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-11-21 09:57:38 806175 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
2009-11-12 19:07:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:22:44.96 ===============


ATTACH Report:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 09/11/2009 22:33:59
System Uptime: 30/01/2010 23:13:20 (0 hours ago)

Motherboard: Acer, Inc. | | LuganoII
Processor: Intel® Pentium® M processor 1.73GHz | U1 | 1733/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 40 GiB total, 17.487 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 16 GiB total, 15.284 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP72: 27/01/2010 20:43:57 - Avg8 Update

==== Installed Programs ======================

7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
AllWebMenus PRO v4.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 2010
AVG Free 9.0
Bonjour
CCleaner
Connect
Database Oasis
Duplicate File Cleaner v2.5
Eusing Free Registry Cleaner
Foxit Reader
iTunes
Java™ 6 Update 17
Junk Mail filter update
KeyScrambler
kuler
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetObjects Fusion 10.0 Trial
OGA Notifier 2.0.0048.0
Paint Shop Pro 7
PC Tools Firewall Plus 6.0
PDFCreator
Photoshop Camera Raw
Quicksys RegDefrag 2.7
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype web features
Skype™ 4.1
Spybot - Search & Destroy
SpywareBlaster 4.2
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
Uniblue RegistryBooster 2010
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb977839)
VLC media player 1.0.3
Web CEO 8.0
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WOT for Internet Explorer
XSitePro2
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

30/01/2010 15:07:50, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
30/01/2010 14:25:24, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avg9wd service.
30/01/2010 14:24:56, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
30/01/2010 08:44:03, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
28/01/2010 09:52:17, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
24/01/2010 22:43:51, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
24/01/2010 22:43:51, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
24/01/2010 00:32:09, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.

==== End Of File ===========================


Thanks again.

Wolf

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:33 AM

Posted 30 January 2010 - 07:34 PM

Hello.

That looks good.

Just one note regarding one program: Uniblue registry cleaner/booster.

Registry Cleaner(s) Warning

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hard drive space. The program itself (and its own registry entries) likely occupies relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done on the assumption that the major audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel that you have sufficient knowledge to use such tools safely, then you are welcome to keep them.

miekiemoes offered a blog over here: http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
--
Other than that we can wrap up.

Please follow/read the steps below to remove the tools we used, purge System Restore and for some more information.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose "Run as administrator".
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Create a New System Restore Point <- Very Important

Now you should create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider doing or reading are:
  • Disabling Autorun/AutoPlay on flash drives/removable drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer programs
  • Keep Windows updated by going to Windows Update
  • Updating non-Microsoft programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
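The two restore-point steps above (create a fresh point, then prune the older ones so only the new one remains) can also be done from an elevated PowerShell prompt on Windows 7, which is useful when the System Restore window will not open. This is an added example, not part of extremeboy's instructions or any BleepingComputer tool; the point's description, the log file path, the system volume and the loop cap are my own assumptions.

```powershell
# Added example (not from the original post): create a new System Restore
# point after cleanup, record it, and prune older points so only the new one
# remains. Run from an elevated PowerShell prompt on Windows 7.
# Assumed values (mine, not the post's): description, log path, volume, cap.
$Description   = "Post-cleanup clean state"
$LogFile       = "$env:USERPROFILE\Desktop\restore-point.log"
$Volume        = "C:"
$MaxIterations = 50   # bounds the prune loop if vssadmin keeps failing

# Checkpoint-Computer needs administrative rights; fail early without them.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) PowerShell prompt."
}

# Remember which restore points exist before we create anything.
$before = @(Get-ComputerRestorePoint | ForEach-Object { $_.SequenceNumber })

# Create the new point; MODIFY_SETTINGS is the type used for manual points.
Checkpoint-Computer -Description $Description -RestorePointType "MODIFY_SETTINGS"

# Identify the point that appeared and verify exactly one was created.
$new = @(Get-ComputerRestorePoint | Where-Object { $before -notcontains $_.SequenceNumber })
if ($new.Count -ne 1) {
    throw "Expected exactly one new restore point, found $($new.Count)."
}
$rp = $new[0]

# Keep a written record, as the post advises, so the point is easy to find later.
"{0}  seq={1}  '{2}'" -f (Get-Date -Format "yyyy-MM-dd HH:mm:ss"), $rp.SequenceNumber, $rp.Description |
    Out-File -FilePath $LogFile -Append -Encoding ASCII

# Prune: restore points live in Volume Shadow Copies, so deleting the oldest
# shadow copy one at a time until a single point remains matches what
# Disk Cleanup's "all but the most recent restore point" option does.
# The count check keeps the newly created point; the cap prevents an endless loop.
$i = 0
while ((@(Get-ComputerRestorePoint).Count -gt 1) -and ($i -lt $MaxIterations)) {
    & vssadmin.exe Delete Shadows /For=$Volume /Oldest /Quiet | Out-Null
    $i++
}

# Show what is left; the only remaining point should be the one just created.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```

If the count does not fall after an iteration, check that System Protection is enabled for the volume (Control Panel > System > System Protection) before re-running.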

#9 germanguyuk

germanguyuk
  • Topic Starter
  • Members
  • 11 posts
  • Local time:07:33 AM

Posted 31 January 2010 - 06:28 AM

Hello Eb,

Thanks very much for your help once again. On your advice I have removed the Registry Booster installation and ran thereafter the OTC programme. Both went well.

Then I proceeded to create a new System Restore point in Windows 7. But it seems impossible to do as the system keeps freezing up every time after clicking on the System Restore link in.
I then tried to do it in safe mode, but there is no option to manually create a sys restore point, only to reset to a previous one.

So I am not sure what to do next???

Any advice on this?

Thanks again,

Wolf



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:33 AM

Posted 31 January 2010 - 02:49 PM

Try the steps here: http://www.howtogeek.com/howto/windows-vis...system-restore/

Let me know at which part you have difficulty. If it still doesn't work, we can set an automatic system restore point and see if that works instead.

#11 germanguyuk

germanguyuk
  • Topic Starter
  • Members
  • 11 posts
  • Local time:07:33 AM

Posted 31 January 2010 - 03:53 PM

Hi Eb,

This did the trick. Thanks very much for the link; I just could not work it out as I am new to Win 7. But all done now. Thanks very much for your support.

You may now close the ticket.

Wolf

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:33 AM

Posted 31 January 2010 - 04:06 PM

No problem. Glad we could help out.

Stay clean and happy surfing again.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:33 AM

Posted 31 January 2010 - 04:09 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy