Unknown Browser Hijack


14 replies to this topic

#1 WadeHarman

  • Members

Posted 23 April 2010 - 02:05 PM

Last week my PC was infected with ave.exe; at the time I was running CA Internet Security Suite Plus 2009. I have also scanned with Ad-Aware, Malwarebytes, SuperAntiSpyware and Remove FakeAntivirus to remove this and several other viruses/malware. I now have CA ISSP 2010 installed and I believe ave.exe is removed, but my browser is hijacked. Clicking on links will spawn ad sites.
I have checked the registry for IE launch to see if IE was spawned by another program and the entry is below and appears clean:
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

I am running a clone with Dual Core 2.66, 2GB RAM, WinXP Home SP3
IE 8.0.6

I have removed IE toolbars (Yahoo) and add-ins (ActiveX, Shockwave & Flash) but that did not solve the problem.

I ran DDS.scr and attached the logs.
I tried to run GMER 3 times and it locked my PC up when I tried to save the log; it takes my PC about 5 hrs to run the scan. From the comment below it looks like malware taking CPU time. So I have attached a partial log, hope it helps.
I have also attached the HiJackThis log.

While preparing the logs today on the infected PC and attempting to upload them the CPU maxed out and I rebooted. The resulting quickscan cleaned the following infections:
Win32/Pecoan.AI
Win32/Yabector.A

I am now uploading the files from a different PC.

It has been a few years since I was a PC technician, but this one has me stumped. Please let me know what you find and what I need to do next. Thanks.


#2 thewall

  • Malware Response Team

Posted 25 April 2010 - 04:42 PM


Hello WadeHarman, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Looks like you have one of the newer versions of the TDL3 rootkit. We should be able to clean it up with some work.




Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 WadeHarman

  • Topic Starter

Posted 28 April 2010 - 04:30 PM

Thanks for your reply and assistance. Below is the ComboFix log. I did have some problems disabling CA Security, so I rebooted in Safe Mode w/ network access. Hope this didn't cause a problem. I see in the log it found several issues. I would have replied sooner, but Yahoo caught the notification email as spam, glad I checked the board today.

Let me know what is next. Thanks.

********************
ComboFix 10-04-28.03 - Wade Harman 04/28/2010 16:01:02.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1779 [GMT -5:00]
Running from: c:\documents and settings\Wade Harman\My Documents\My Dropbox\ComboFix.exe
AV: CA Anti-Virus Plus *On-access scanning enabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Wade Harman\Local Settings\Application Data\ave.exe
c:\documents and settings\Wade Harman\Local Settings\Temporary Internet Files\0SqMDYPs.jpg
c:\documents and settings\Wade Harman\Local Settings\Temporary Internet Files\fmgP5j3.jpg
c:\documents and settings\Wade Harman\Local Settings\Temporary Internet Files\jyeYx7.jpg
c:\documents and settings\Wade Harman\Local Settings\Temporary Internet Files\vOARs.jpg
c:\documents and settings\Wade Harman\Local Settings\Temporary Internet Files\yKbm4Jxm.jpg
c:\documents and settings\Wade Harman\Local Settings\Temporary Internet Files\yOxxynplB.jpg
c:\documents and settings\Wade Harman\System
c:\documents and settings\Wade Harman\System\win_qs8.jqx
C:\LOG14.tmp
C:\LOG9.tmp
c:\recycler\S-1-5-21-117609710-838170752-839522115-1004
c:\windows\herjek.config
c:\windows\system32\ctfmon .exe
c:\windows\system32\dadr.dat
c:\windows\system32\drivers\down
c:\windows\system32\drivers\down\51580468.exe
c:\windows\system32\nwiz .exe
c:\windows\system32\rundll32 .exe
c:\windows\v0500mon .exe

Infected copy of c:\windows\system32\drivers\Mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_PRAGMANKIQMBEXNC
-------\Service_PRAGMAnkiqmbexnc


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-22 05:08 . 2010-04-23 18:24 -------- d-----w- C:\BleepingComputer
2010-04-21 03:44 . 2010-04-21 15:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\CallingID
2010-04-19 20:27 . 2010-04-28 20:18 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\CallingID
2010-04-19 20:27 . 2010-04-21 15:29 -------- d-----w- c:\program files\ISSThirdParty
2010-04-19 20:27 . 2009-11-20 21:19 201968 ----a-w- c:\windows\system32\Isafprod.dll
2010-04-19 20:27 . 2009-11-20 21:18 95472 ----a-w- c:\windows\system32\Vetredir.dll
2010-04-19 20:27 . 2009-11-20 21:18 128240 ----a-w- c:\windows\system32\Isafeif.dll
2010-04-19 20:25 . 2010-04-19 20:27 -------- d-----w- c:\program files\CA
2010-04-19 20:23 . 2010-04-21 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-04-19 19:38 . 2010-04-19 20:35 -------- d-----w- C:\Iyogi
2010-04-19 18:30 . 2010-04-19 18:30 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\SUPERAntiSpyware.com
2010-04-19 18:30 . 2010-04-19 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-19 17:54 . 2010-04-19 17:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-04-19 15:58 . 2010-04-22 14:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 15:58 . 2010-04-19 19:39 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 18:57 . 2010-04-17 18:57 -------- d-sh--w- c:\documents and settings\user\IETldCache
2010-04-16 22:22 . 2010-04-16 22:22 -------- d-----w- C:\$AVG
2010-04-16 21:45 . 2010-04-16 21:45 -------- d-----w- c:\program files\AVG
2010-04-16 21:44 . 2010-04-17 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-16 00:53 . 2010-04-16 00:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-14 15:11 . 2010-04-14 15:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 11:26 . 2010-04-14 11:26 -------- d-----w- c:\documents and settings\Wade Harman\Local Settings\Application Data\avG
2010-04-14 11:26 . 2010-04-14 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-13 16:44 . 2010-04-13 16:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-12 22:24 . 2010-04-12 22:24 4 ----a-w- c:\program files\323281.dat
2010-04-12 22:24 . 2010-04-12 22:24 4 ----a-w- c:\program files\323250.dat
2010-04-12 20:45 . 2010-04-12 20:45 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-12 03:08 . 2010-04-12 03:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-12 03:07 . 2010-04-12 03:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-12 03:01 . 2010-04-12 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 20:44 . 2009-12-09 03:24 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\Dropbox
2010-04-27 16:49 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\Mouclass.sys
2010-04-21 19:10 . 2009-04-15 20:29 -------- d-----w- c:\program files\eMusic Download Manager
2010-04-21 19:10 . 2009-04-15 20:30 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\eMusic
2010-04-20 16:53 . 2007-09-17 03:29 -------- d-----w- c:\program files\Yahoo!
2010-04-20 16:51 . 2007-10-01 16:55 -------- d-----w- c:\program files\Real
2010-04-20 16:51 . 2009-11-04 21:52 -------- d-----w- c:\program files\Google
2010-04-20 16:49 . 2009-08-22 02:48 -------- d-----w- c:\program files\ElcomSoft
2010-04-19 20:57 . 2009-03-04 20:38 -------- d-----w- c:\program files\FormatFactory
2010-04-19 20:25 . 2007-09-18 19:34 -------- d-----w- c:\program files\Lavasoft
2010-04-19 20:21 . 2009-03-27 18:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-19 20:09 . 2009-03-27 18:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-19 20:08 . 2007-09-18 19:34 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\Lavasoft
2010-04-19 20:05 . 2009-03-27 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2010-04-17 20:39 . 2007-09-29 21:43 -------- d-----w- c:\program files\UMBookWorship
2010-04-15 16:59 . 2010-03-25 15:45 -------- d-----w- c:\program files\QuickTime
2010-04-15 16:59 . 2009-01-06 23:36 -------- d-----w- c:\program files\ooVoo
2010-04-15 16:51 . 2007-09-16 23:43 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-04-14 16:05 . 2009-01-08 00:02 -------- d-----w- c:\program files\Brownie
2010-04-14 16:05 . 2007-09-18 16:22 -------- d-----w- c:\program files\Lexmark Fax Solutions
2010-04-14 16:05 . 2007-09-18 16:20 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-04-14 15:42 . 2007-09-18 03:55 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-04-07 21:36 . 2007-09-25 03:37 59 -c--a-w- c:\windows\wpd99.drv
2010-04-07 21:36 . 2007-09-25 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-25 15:45 . 2007-09-11 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 20:42 . 2007-10-01 16:55 -------- d-----w- c:\program files\Common Files\Real
2010-03-09 20:42 . 2010-03-09 20:42 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-09 20:42 . 2007-09-11 17:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-09 20:42 . 2007-09-11 17:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-05 03:17 . 2010-03-05 03:17 -------- d-----w- c:\program files\Paint.NET
2010-03-05 00:41 . 2007-09-11 18:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-04 11:07 . 2010-03-04 11:07 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-04 06:47 . 2010-03-04 06:47 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\Malwarebytes
2010-03-04 06:47 . 2010-03-04 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 19:27 . 2009-01-06 23:37 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\ooVoo Details
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 -c--a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
CODE
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\ASUS\AASP\1.00.17\asrunhelp .exe
c:\program files\Brownie\brstswnd .exe
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Lexmark 1200 Series\lxczbmgr .exe
c:\program files\Lexmark Fax Solutions\fm3032 .exe
c:\program files\Microsoft ActiveSync\wcescomm     .exe
c:\program files\Microsoft IntelliType Pro\type32 .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask              .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-21 1721680]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2010-04-21 337136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"wwfklowf"="c:\documents and settings\Wade Harman\Local Settings\Application Data\ualhhatik\cjegiditssd.exe" [N/A]
"asam"="c:\windows\asam.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Wade Harman\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-3 49254]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-6-3 169472]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-9-17 106560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Reminders.lnk - c:\program files\Broderbund\AG Spirit\AGremind.exe [2007-9-18 319488]
Status Display.lnk - c:\program files\Panasonic\Panasonic KX-P7105 and KX-P7110\Status display\stmndsp.exe [2007-9-18 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.00629968\LinkAdvisor\CIDLinkAdvisor.dll" [2010-03-22 1852856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 21:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ias"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [12/23/2009 11:29 AM 132088]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [9/18/2007 1:00 PM 10240]
S0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 wwfiuf;wwfiuf; [x]
S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [12/23/2009 11:29 AM 78840]
S1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [9/2/2009 6:29 PM 53240]
S1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/8/2009 11:02 AM 115704]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [4/19/2010 3:25 PM 206160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 5:54 AM 135664]
S2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [8/14/2009 12:43 PM 145912]
S2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [9/30/2009 5:51 PM 60920]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [8/4/2009 11:42 AM 887288]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [7/13/2009 11:39 AM 760664]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [7/27/2009 4:40 PM 227832]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\flyusb.sys [12/29/2008 3:34 PM 18560]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [9/18/2007 11:08 AM 39048]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [3/27/2009 4:27 PM 598656]
S3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [9/30/2009 5:51 PM 239608]
S3 SASENUM;SASENUM;\??\c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [1/6/2009 6:07 PM 251264]
S4 KME Remote Server;KME Remote Server;c:\progra~1\PANASO~1\REMOTE~1\kmentsrv.exe [9/18/2007 11:30 AM 53248]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\cleanmgr.job
- c:\windows\System32\cleanmgr.exe [2006-02-28 00:12]

2010-04-19 c:\windows\Tasks\dfrg.job
- c:\windows\System32\dfrg.msc [2006-02-28 12:00]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:54]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:54]

2010-04-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2020637620-408939405-568730901-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2020637620-408939405-568730901-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-28 c:\windows\Tasks\User_Feed_Synchronization-{926012A2-727A-421F-9A42-AFD9D098F5DD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
LSP: c:\windows\system32\VetRedir.dll
Handler: callingid - {086D03BA-57AC-4C8E-A33D-0BAABF742411} - c:\program files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.00629968\Toolbar\CallingIDToolbar.dll
Handler: qv - {0B4BB6DC-D020-4173-97F2-3AD91AFD6559} - c:\program files\QuickVerse 2009\qvprotwrapper.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{A057A204-BACC-4D26-8087-36EE87E26986} - (no file)
SafeBoot-kedes.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\UmxWnp.Dll

- - - - - - - > 'explorer.exe'(176)
c:\windows\system32\WININET.dll
c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-04-28 16:18:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-28 21:18

Pre-Run: 180,531,363,840 bytes free
Post-Run: 182,260,584,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:network

- - End Of File - - 45995C6C9D21ADAC991CB543E10CCA0F


#4 thewall

  • Malware Response Team

Posted 28 April 2010 - 08:32 PM

You're welcome, glad I could help.

I would like you to try and upload a couple of files for me if you can find them. You may have to unhide hidden files and folders. I have provided instructions.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    CODE
    http://www.bleepingcomputer.com/forums/index.php?showtopic=312064&view=findpost&p=1736421
  • Click Browse and select the c:\documents and settings\Wade Harman\Local Settings\Application Data\ualhhatik\cjegiditssd.exe
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

Repeat the procedure with the file below:

c:\windows\asam.exe

Please rehide files and folders when completed:



Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.




#5 WadeHarman

  • Topic Starter

Posted 28 April 2010 - 10:01 PM

I could not find the two requested files. Hidden files were set to display (system files were displayed grayed out). I even searched C:\ for both files. The only hit I got was kaka://C:\Documents and Settings\Wade Harman\Local Settings\Application Data\ualhhatik\cjegidissd.exe/htmMain.htm in folder My Computer

It appears that these two registry keys are dead links.

So far no browser hijacking when trying to find and post the requested files from the infected PC.

FYI: after I ran ComboFix.exe and posted the results (I used another PC to post) I ran a full scan and found several more infections including Bifrost, WinAntiVirus Pro 2006, WinSpyware Protect, and Win32/Alureon.A!generic. The last scan I made was 2 days ago! Hopefully ComboFix removed what is propagating this mess.

What is next? Could we have gotten the cause of this problem? If you think things are cleaned up, I have PC Tune Up to hopefully remove the dead links.

Thanks for your help.

#6 thewall

  • Malware Response Team

Posted 28 April 2010 - 10:16 PM

Not surprised you couldn't find them but I wanted to check anyway.

We have some more things to do. We'll run the script below and it should also clean off the two entries I asked you about if they exist.

Although it seemed to run OK, ComboFix is designed to run in Normal Mode. See if these instructions will help you before you run the script. They may not work with your version.

QUOTE
  1. Right click on CA Antivirus icon near the clock (a shield).
  2. Click on CA Anti-Virus > Snooze Anti-Virus Protection.
  3. When prompted, enter in 30 and click on Snooze.

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\ASUS\AASP\1.00.17\asrunhelp .exe
c:\program files\Brownie\brstswnd .exe
c:\program files\Common Files\Ahead\Lib\nerocheck .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Lexmark 1200 Series\lxczbmgr .exe
c:\program files\Lexmark Fax Solutions\fm3032 .exe
c:\program files\Microsoft ActiveSync\wcescomm     .exe
c:\program files\Microsoft IntelliType Pro\type32 .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask              .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"wwfklowf"=-
"asam"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 WadeHarman
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Texas

Posted 28 April 2010 - 11:12 PM

Below is the log for the requested scan, run in Normal mode. I did disable CA Firewall and Snooze the scanner. However, I was still prompted by ISS Alert Manager for various programs to access files/registry.

I again ran a quick scan after running ComboFix and got more of the same infections (Bifrost, WinAntiVirus Pro 2006, WinSpyware Protect).

Let me know what is next. Thanks.

*******************
ComboFix 10-04-28.03 - Wade Harman 04/28/2010 22:36:37.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1575 [GMT -5:00]
Running from: c:\documents and settings\Wade Harman\My Documents\My Dropbox\ComboFix.exe
Command switches used :: c:\documents and settings\Wade Harman\My Documents\My Dropbox\CFScript.txt
AV: CA Anti-Virus Plus *On-access scanning enabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *disabled* {38102F93-1B6E-4922-90E1-A35D8DC6DAA3}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-22 05:08 . 2010-04-23 18:24 -------- d-----w- C:\BleepingComputer
2010-04-21 03:44 . 2010-04-21 15:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\CallingID
2010-04-19 20:28 . 2010-02-17 18:44 1725680 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\ISS\tmp\cazz_001.exe
2010-04-19 20:27 . 2010-04-29 03:27 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\CallingID
2010-04-19 20:27 . 2010-04-21 15:29 -------- d-----w- c:\program files\ISSThirdParty
2010-04-19 20:27 . 2009-11-20 21:19 201968 ----a-w- c:\windows\system32\Isafprod.dll
2010-04-19 20:27 . 2009-11-20 21:18 95472 ----a-w- c:\windows\system32\Vetredir.dll
2010-04-19 20:27 . 2009-11-20 21:18 128240 ----a-w- c:\windows\system32\Isafeif.dll
2010-04-19 20:25 . 2010-04-19 20:27 -------- d-----w- c:\program files\CA
2010-04-19 20:23 . 2010-04-21 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-04-19 19:38 . 2010-04-19 20:35 -------- d-----w- C:\Iyogi
2010-04-19 18:30 . 2010-04-19 18:30 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\SUPERAntiSpyware.com
2010-04-19 18:30 . 2010-04-19 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-19 17:54 . 2010-04-19 17:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-04-19 15:58 . 2010-04-22 14:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 15:58 . 2010-04-19 19:39 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-17 18:57 . 2010-04-17 18:57 -------- d-sh--w- c:\documents and settings\user\IETldCache
2010-04-16 22:22 . 2010-04-16 22:22 -------- d-----w- C:\$AVG
2010-04-16 21:45 . 2010-04-16 21:45 -------- d-----w- c:\program files\AVG
2010-04-16 21:44 . 2010-04-17 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-16 00:53 . 2010-04-16 00:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-14 15:11 . 2010-04-14 15:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 11:26 . 2010-04-14 11:26 -------- d-----w- c:\documents and settings\Wade Harman\Local Settings\Application Data\avG
2010-04-14 11:26 . 2010-04-14 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-13 16:44 . 2010-04-13 16:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-12 22:24 . 2010-04-12 22:24 4 ----a-w- c:\program files\323281.dat
2010-04-12 22:24 . 2010-04-12 22:24 4 ----a-w- c:\program files\323250.dat
2010-04-12 20:45 . 2010-04-12 20:45 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-12 03:08 . 2010-04-12 03:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-12 03:07 . 2010-04-12 03:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-12 03:01 . 2010-04-12 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 03:36 . 2010-03-25 15:45 -------- d-----w- c:\program files\QuickTime
2010-04-29 03:36 . 2007-09-18 16:22 -------- d-----w- c:\program files\Lexmark Fax Solutions
2010-04-29 03:36 . 2007-09-18 16:20 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-04-29 03:36 . 2007-09-18 03:55 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-04-29 03:36 . 2007-09-16 23:43 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-04-29 03:36 . 2009-01-08 00:02 -------- d-----w- c:\program files\Brownie
2010-04-29 03:22 . 2009-12-09 03:24 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\Dropbox
2010-04-27 16:49 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\Mouclass.sys
2010-04-21 19:10 . 2009-04-15 20:29 -------- d-----w- c:\program files\eMusic Download Manager
2010-04-21 19:10 . 2009-04-15 20:30 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\eMusic
2010-04-20 16:53 . 2007-09-17 03:29 -------- d-----w- c:\program files\Yahoo!
2010-04-20 16:51 . 2007-10-01 16:55 -------- d-----w- c:\program files\Real
2010-04-20 16:51 . 2009-11-04 21:52 -------- d-----w- c:\program files\Google
2010-04-20 16:49 . 2009-08-22 02:48 -------- d-----w- c:\program files\ElcomSoft
2010-04-19 20:57 . 2009-03-04 20:38 -------- d-----w- c:\program files\FormatFactory
2010-04-19 20:25 . 2007-09-18 19:34 -------- d-----w- c:\program files\Lavasoft
2010-04-19 20:21 . 2009-03-27 18:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-19 20:09 . 2009-03-27 18:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-19 20:08 . 2007-09-18 19:34 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\Lavasoft
2010-04-19 20:05 . 2009-03-27 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2010-04-19 20:05 . 2009-03-27 20:30 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2010-04-19 20:05 . 2009-03-27 20:30 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2010-04-17 20:39 . 2007-09-29 21:43 -------- d-----w- c:\program files\UMBookWorship
2010-04-15 16:59 . 2009-01-06 23:36 -------- d-----w- c:\program files\ooVoo
2010-04-07 21:36 . 2007-09-25 03:37 59 -c--a-w- c:\windows\wpd99.drv
2010-04-07 21:36 . 2007-09-25 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-25 15:45 . 2007-09-11 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 20:42 . 2010-03-09 20:42 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-09 20:42 . 2010-03-09 20:42 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-09 20:42 . 2010-03-09 20:42 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-09 20:42 . 2010-03-09 20:42 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-09 20:42 . 2010-03-09 20:42 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-09 20:42 . 2010-03-09 20:42 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-09 20:42 . 2010-03-09 20:42 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-09 20:42 . 2010-03-09 20:42 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-09 20:42 . 2007-10-01 16:55 -------- d-----w- c:\program files\Common Files\Real
2010-03-09 20:42 . 2010-03-09 20:42 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-09 20:42 . 2007-09-11 17:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-09 20:42 . 2007-09-11 17:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-05 03:17 . 2010-03-05 03:17 -------- d-----w- c:\program files\Paint.NET
2010-03-05 00:41 . 2007-09-11 18:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-04 11:07 . 2010-03-04 11:07 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-04 06:47 . 2010-03-04 06:47 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\Malwarebytes
2010-03-04 06:47 . 2010-03-04 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 19:27 . 2009-01-06 23:37 -------- d-----w- c:\documents and settings\Wade Harman\Application Data\ooVoo Details
2010-02-26 16:36 . 2009-12-09 03:25 91696 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\Uninstall.exe
2010-02-26 16:36 . 2010-02-26 16:36 13264416 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\Dropbox.exe
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 21:31 . 2010-02-22 21:31 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-02-22 21:30 . 2010-02-22 21:30 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
2010-02-22 21:29 . 2010-02-22 21:29 4852064 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\Leapster2Plugin.exe
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 -c--a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-21 1721680]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2010-04-21 337136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Wade Harman\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Wade Harman\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-3 49254]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-6-3 169472]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-9-17 106560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Reminders.lnk - c:\program files\Broderbund\AG Spirit\AGremind.exe [2007-9-18 319488]
Status Display.lnk - c:\program files\Panasonic\Panasonic KX-P7105 and KX-P7110\Status display\stmndsp.exe [2007-9-18 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.00629968\LinkAdvisor\CIDLinkAdvisor.dll" [2010-03-22 1852856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 21:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ias"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [12/23/2009 11:29 AM 132088]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [9/18/2007 1:00 PM 10240]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [12/23/2009 11:29 AM 78840]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [9/2/2009 6:29 PM 53240]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/8/2009 11:02 AM 115704]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [4/19/2010 3:25 PM 206160]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [8/14/2009 12:43 PM 145912]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [9/30/2009 5:51 PM 60920]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [8/4/2009 11:42 AM 887288]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [7/13/2009 11:39 AM 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [7/27/2009 4:40 PM 227832]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [9/30/2009 5:51 PM 239608]
R3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [1/6/2009 6:07 PM 251264]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 wwfiuf;wwfiuf; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 5:54 AM 135664]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\flyusb.sys [12/29/2008 3:34 PM 18560]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [9/18/2007 11:08 AM 39048]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [3/27/2009 4:27 PM 598656]
S3 SASENUM;SASENUM;\??\c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\WADEHA~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S4 KME Remote Server;KME Remote Server;c:\progra~1\PANASO~1\REMOTE~1\kmentsrv.exe [9/18/2007 11:30 AM 53248]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\cleanmgr.job
- c:\windows\System32\cleanmgr.exe [2006-02-28 00:12]

2010-04-19 c:\windows\Tasks\dfrg.job
- c:\windows\System32\dfrg.msc [2006-02-28 12:00]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:54]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:54]

2010-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2020637620-408939405-568730901-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2020637620-408939405-568730901-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-28 c:\windows\Tasks\User_Feed_Synchronization-{926012A2-727A-421F-9A42-AFD9D098F5DD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
LSP: c:\windows\system32\VetRedir.dll
Handler: callingid - {086D03BA-57AC-4C8E-A33D-0BAABF742411} - c:\program files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.00629968\Toolbar\CallingIDToolbar.dll
Handler: qv - {0B4BB6DC-D020-4173-97F2-3AD91AFD6559} - c:\program files\QuickVerse 2009\qvprotwrapper.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\UmxWnp.Dll
.
Completion time: 2010-04-28 22:51:46
ComboFix-quarantined-files.txt 2010-04-29 03:51
ComboFix2.txt 2010-04-28 21:18

Pre-Run: 182,141,349,888 bytes free
Post-Run: 182,123,909,120 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 1DCC3CFAAE8395ECE8588B43742702A0
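The ComboFix report above contains the lines a responder would look at first for a browser that keeps spawning ad pages: the `uInternet Settings,ProxyServer = http=127.0.0.1:5555` entry (all browsing routed through a port on the local machine), the `S0 wwfiuf` service with no file behind it, and the Windows Firewall and Security Center settings switched off. As an added example, not part of the thread and not a ComboFix or BleepingComputer tool, this Python script pulls those indicators out of a ComboFix log; the sample log embedded in it is constructed from lines quoted above.

```python
"""Triage a ComboFix report for browser-hijack indicators.

Added example, not part of the thread and not a ComboFix or BleepingComputer
tool. It scans the text of a ComboFix log for the items a responder checks
first when a browser is spawning ad pages: a proxy pointed at the local
machine, services whose file is missing, and firewall / Security Center
settings that have been switched off.
"""
import re

# Constructed sample: a few lines in the shape ComboFix prints, modelled on
# the report quoted in the thread (paths are the ones shown there).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [12/23/2009 11:29 AM 132088]
S0 wwfiuf;wwfiuf; [x]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                # [HKLM\...] registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')   # "Name"= value
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")  # R0 name;display;path [...]
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def proxy_hosts(value):
    """Split a ProxyServer value ('host:port' or 'http=host:port;https=...') into hosts."""
    hosts = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # per-protocol form: http=host:port
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.add(host.strip("[]").lower())
    return hosts


def reg_int(value):
    """Parse the number ComboFix prints: '0 (0x0)', '1 (0x1)' or 'dword:00000001'."""
    token = value.split()[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return int(token, 0)


def triage(log_text):
    """Return (severity, indicator, line) tuples for suspicious lines in a ComboFix log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            # Browsing routed through a port on the same machine: the listener is
            # usually the hijacker itself, rewriting or injecting into every page.
            if proxy_hosts(m.group(1)) & LOCAL_HOSTS:
                findings.append(("HIGH", "local-proxy", line))
            else:
                findings.append(("REVIEW", "proxy", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            tail = m.group(5).strip()
            if tail.endswith("[x]"):          # registered service with no file on disk
                findings.append(("HIGH", "service-no-file", line))
            elif tail.endswith("[?]"):        # path ComboFix could not resolve; also seen
                findings.append(("REVIEW", "service-unverified", line))  # for temp-extracted tools
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if (section.endswith("firewallpolicy\\standardprofile")
                and key == "EnableFirewall" and reg_int(val) == 0):
            findings.append(("REVIEW", "firewall-off", line))
        elif (section.endswith("security center")
                and key.endswith("Override") and reg_int(val) == 1):
            # Security Center told to stop monitoring AV/firewall state. A third-party
            # suite may set this legitimately, but malware does too, so confirm which.
            findings.append(("REVIEW", "securitycenter-override", line))
    return findings


if __name__ == "__main__":
    for severity, indicator, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {indicator:24} {detail}")
```

HIGH items are the ones to act on first; REVIEW items need a check against what the installed security suite is expected to set.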


#8 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 29 April 2010 - 07:42 AM

Let's open up your MalwareBytes, do an update, then perform a Quick Scan to see what it will find. If it finds anything, post the log; if not, just let me know.

#9 WadeHarman
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Texas

Posted 29 April 2010 - 01:47 PM

When I noticed this problem, I had CA ISS 2009 installed. I decided to install MBAM, but it did not like CA installed and wanted to remove it; I opted to install MBAM without removing CA ISS. MBAM may have disabled my CA AntiSpyware, which motivated me to install CA ISS 2010, but to do that I had to remove MBAM.

Any suggestions?

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 29 April 2010 - 04:11 PM

Let's try ESET instead: until we take a look at what it may find, let's uncheck Remove Found Threats (note here: that might not be the exact wording but it should be close).


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push





#11 WadeHarman
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male
  • Location:Texas

Posted 29 April 2010 - 08:45 PM

OK, here is the log from ESET:

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\down\51580468.exe.vir a variant of Win32/Packed.Themida application
C:\System Volume Information\_restore{B693CFB4-4E95-49D3-9A5E-CF770D8E159F}\RP13\A0013554.exe a variant of Win32/Packed.Themida application
C:\System Volume Information\_restore{B693CFB4-4E95-49D3-9A5E-CF770D8E159F}\RP2\A0005494.exe Win32/Adware.XPAntiSpyware.AA application


#12 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 29 April 2010 - 09:01 PM

All three of those entries will be gone when we uninstall ComboFix. Are you experiencing any other problems now, and have you had any more alerts?

#13 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 03 May 2010 - 07:14 PM

Are you still with me?

#14 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 May 2010 - 04:20 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

#15 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 May 2010 - 06:59 PM

This topic reopened:

Since you advised me by PM that everything is running well, we'll remove our tools and finish up.


Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.




You can go ahead and delete GMER and DDS now if they are still on your desktop.



Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  1. Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date




If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that, if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall







