
Infected with Antispyware Soft


This topic is locked
16 replies to this topic

#1 jdcrichton

jdcrichton

  • Members
  • 23 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 03 May 2010 - 10:25 AM

Hello,

I recently have discovered I have 'Antivirus soft' on my laptop.
I searched this and tried to remove it initially using 'STOPzilla', which I was able to download, but the virus wasn't allowing any programs to be opened, including STOPzilla. I then found this webpage (http://www.virusremovalguru.com/?p=6088) and followed instructions to fix the problem.

So far I have:
1. Stopped the process ending in tssd.exe in 'Task Manager'
2. Stopped the process ending in tssd.exe in 'msconfig'
3. Have been unable to run 'regedit.exe'.
- Ran HijackThis and fixed processes ending in tssd.exe in safe mode (C:Docs&Settings>Username>application data>.......tssd.exe)
4. Still unable to run 'regedit.exe'
5. Still unable to open programs and STOPzilla.
6. Pop-ups and slow running persist but not as badly.

Still under attack, programs running very slowly/not opening.

Firefox has also been hijacked. Random pages load, usually when using Google search and following links. Some web pages do not open and the status bar shows Firefox is trying to load 'google-analytics.com'.......?

Norton Security History:
3rd May: Boot.Mebroot detected by auto protect - Fully Removed
3rd May: Boot.Mebroot detected by auto protect - Removed
3rd May: Boot.Mebroot detected by auto protect - Fully Removed
3rd May: Boot.Mebroot detected by auto protect - Removed
3rd May: Notepad.exe (downloader) detected by auto protect - Quarantined
3rd May: Boot.Mebroot detected by auto protect - Fully Removed
3rd May: Boot.Mebroot detected by auto protect - Removed
2nd May: Boot.Mebroot detected by auto protect - Fully Removed
2nd May: Boot.Mebroot detected by auto protect - Removed
2nd May: Boot.Mebroot detected by auto protect - Fully Removed
2nd May: Boot.Mebroot detected by auto protect - Removed
1st May: nvsvc32.exe (downloader) detected by auto protect - Quarantined
1st May: Boot.Mebroot detected by auto protect - Fully Removed
1st May: Boot.Mebroot detected by auto protect - Removed
1st May: qk1utvqwpf.dll (Trojan Horse) detected by auto protect - Quarantined
1st May: tmp00000044096fd74f364aee7e (Trojan Horse) detected by auto protect - Blocked
1st May: ycx.exe (ycx.exe) detected by SONAR - Quarantined
1st May: yvyroa.exe detected by SONAR - Quarantined



DDS (Ver_10-03-17.01) - FAT32x86
Run by John at 16:03:51.13 on 03/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.135 [GMT 1:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\John\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\john\locals~1\temp\services.exe
uRun: [hsf87sdhfush87fsufhuie3fddf] c:\docume~1\john\locals~1\temp\qpav7ocw.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [PCMService] "c:\program files\arcade\PCMService.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE
mRun: [SpeedTouch USB Diagnostics] "c:\program files\alcatel\speedtouch usb\Dragdiag.exe" /icon
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
mRun: [EPSON Stylus Photo R300 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_17.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.162.42,93.188.166.149
TCP: {78E8576D-821E-43E9-A12A-5232308D66C5} = 93.188.162.42,93.188.166.149
TCP: {AC06D7C7-B008-4FBF-87B6-09B52C748DCD} = 93.188.162.42,93.188.166.149
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\lzfipa3l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google Powered Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\lzfipa3l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\lzfipa3l.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\lzfipa3l.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\symds.sys [2010-5-1 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1106000.020\symefa.sys [2010-5-1 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1106000.020\cchpx86.sys [2010-5-1 501888]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2004-8-30 6784]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1106000.020\ironx86.sys [2010-5-1 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-1 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20100422.002\IDSXpx86.sys [2010-5-1 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20100503.002\NAVENG.SYS [2010-5-3 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20100503.002\NAVEX15.SYS [2010-5-3 1324720]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2004-8-30 16000]
S0 saartf;saartf;c:\windows\system32\drivers\saartf.sys [2010-4-30 0]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2010-4-6 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2010-4-6 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2010-4-6 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2010-4-6 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2010-4-6 98568]

=============== Created Last 30 ================

2010-05-03 14:56:13 0 ----a-w- c:\documents and settings\john\defogger_reenable
2010-05-03 14:15:34 0 d-sh--w- C:\FOUND.002
2010-05-01 13:22:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-01 13:22:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-01 13:22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-01 13:22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-01 13:21:01 0 d-----w- c:\windows\system32\drivers\NAV
2010-05-01 13:20:55 0 d-----w- c:\program files\Norton AntiVirus
2010-05-01 13:20:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-05-01 13:20:13 0 d-----w- c:\program files\NortonInstaller
2010-05-01 13:20:13 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-05-01 12:53:08 0 d-sh--w- C:\FOUND.001
2010-05-01 01:33:52 350 ----a-w- c:\windows\system32\drivers\woueuhoe.dat
2010-04-30 21:57:20 0 d-----w- c:\program files\Trend Micro
2010-04-30 21:47:06 0 d-----w- c:\windows\pss
2010-04-30 19:59:19 0 d-sh--w- c:\documents and settings\john\PrivacIE
2010-04-30 19:56:11 0 d-----w- C:\spoolerlogs
2010-04-30 19:54:11 0 ----a-w- c:\windows\system32\drivers\saartf.sys
2010-04-26 13:29:49 0 d-----w- c:\program files\TuneUpMedia
2010-04-26 13:29:42 0 d-----w- c:\docume~1\john\applic~1\TuneUpMedia
2010-04-26 13:29:32 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2010-04-24 14:33:20 0 d-----w- c:\docume~1\john\applic~1\Azureus
2010-04-07 20:01:37 0 d-----w- c:\program files\MSXML 4.0
2010-04-07 01:23:14 0 d-----w- c:\docume~1\john\applic~1\Trusteer
2010-04-07 01:22:54 0 d-----w- c:\program files\Trusteer
2010-04-07 01:19:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-06 19:45:31 0 d-----w- c:\docume~1\john\applic~1\Teleca
2010-04-06 19:45:29 100488 ----a-r- c:\windows\system32\drivers\s115mgmt.sys
2010-04-06 19:45:25 98568 ----a-r- c:\windows\system32\drivers\s115obex.sys
2010-04-06 19:45:09 15112 ----a-r- c:\windows\system32\drivers\s115mdfl.sys
2010-04-06 19:45:09 12424 ----a-r- c:\windows\system32\drivers\s115cmnt.sys
2010-04-06 19:45:09 12424 ----a-r- c:\windows\system32\drivers\s115cm.sys
2010-04-06 19:45:09 108680 ----a-r- c:\windows\system32\drivers\s115mdm.sys
2010-04-06 19:45:04 83208 ----a-r- c:\windows\system32\drivers\s115bus.sys
2010-04-06 19:45:04 12424 ----a-r- c:\windows\system32\drivers\s115whnt.sys
2010-04-06 19:45:04 12424 ----a-r- c:\windows\system32\drivers\s115wh.sys
2010-04-06 19:42:37 0 d-----w- c:\docume~1\john\applic~1\Sony Ericsson
2010-04-06 19:41:44 0 d-----w- c:\program files\common files\Sony Ericsson Shared
2010-04-06 19:41:42 0 d-----w- c:\program files\common files\Teleca Shared
2010-04-06 19:41:36 0 d-----w- c:\program files\Sony Ericsson
2010-04-06 19:39:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Teleca
2010-04-06 19:39:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Ericsson

==================== Find3M ====================

2010-03-19 17:05:50 4874240 ----a-w- c:\windows\system32\dllcache\wmp.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-24 09:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 08:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 09:03:04 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:12 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:12 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:16 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2007-11-17 10:59:22 2105544 ----a-w- c:\program files\Program Files.rar

============= FINISH: 16:05:22.17 ===============

Edited by jdcrichton, 04 May 2010 - 02:41 AM.
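A defender-side triage of the indicator lines a helper reads out of the DDS log above, written as an added example for this thread (not code from DDS, OTL, ComboFix or any of the thread's participants); the rule names and the `expected_dns` parameter are this example's own, and the sample lines are copied from the Pseudo HJT and services sections of the log.

```python
"""Triage the indicator lines a helper reads out of a DDS log.

Added example for this thread; not code from DDS, OTL, ComboFix or the
thread's participants. Rule names and the expected_dns parameter are this
example's own. It checks for: a browser proxy pointed at localhost, DNS
resolvers hard-coded to public addresses you did not expect, registry
policies that lock the user out of regedit / Folder Options, autoruns
launched from %TEMP% (worse when named like a system process), and a
boot-start driver whose on-disk file is 0 bytes.
"""
import ipaddress
import re

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:https?=)?([\d.]+):\d+", re.I)
DNS_RE = re.compile(r"^TCP:.*?=\s*([\d., ]+)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(\w+)\s*=\s*1\b", re.I)
RUN_RE = re.compile(r"^[umd]Run:\s*\[[^\]]*\]\s*(.+)$", re.I)
SERVICE_RE = re.compile(r"^([RS][0-4])\s+[^;]+;[^;]*;.+?\s+\[[\d-]+\s+(\d+)\]$", re.I)
EXE_RE = re.compile(r'([^\\"\s]+\.exe)\b', re.I)

# Policies that stop the user repairing the machine by hand (two are set in the log above).
LOCKOUT_POLICIES = {"disableregistrytools", "nofolderoptions", "disabletaskmgr"}
# Names malware borrows so a %TEMP% autorun looks legitimate in Task Manager.
SYSTEM_NAMES = {"services.exe", "csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}


def _in_temp(path):
    # Covers both the long form and the 8.3 form (locals~1\temp\) DDS prints.
    return "\\temp\\" in path.lower()


def _ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def triage_dds(text, expected_dns=()):
    """Return [(rule, line), ...] for every suspicious line in a DDS log.

    expected_dns: resolvers you know are legitimate (ISP / DHCP-assigned);
    any other globally routable resolver is reported.
    """
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and (ip := _ip(m.group(1))) is not None and ip.is_loopback:
            findings.append(("local_proxy_hijack", line))
        m = DNS_RE.match(line)
        if m:
            for tok in m.group(1).replace(",", " ").split():
                ip = _ip(tok)
                if ip is not None and ip.is_global and ip not in expected:
                    findings.append(("unexpected_dns_server", line))
                    break
        m = POLICY_RE.match(line)
        if m and m.group(1).lower() in LOCKOUT_POLICIES:
            findings.append(("user_lockout_policy", line))
        m = RUN_RE.match(line)
        if m and _in_temp(m.group(1)):
            exe = EXE_RE.search(m.group(1))
            name = exe.group(1).lower() if exe else ""
            rule = "temp_autorun_system_name" if name in SYSTEM_NAMES else "temp_autorun"
            findings.append((rule, line))
        m = SERVICE_RE.match(line)
        if m and m.group(1).upper() in ("R0", "S0") and int(m.group(2)) == 0:
            findings.append(("zero_byte_boot_driver", line))
    return findings


# Lines copied from the Pseudo HJT / services sections of the log in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\john\locals~1\temp\services.exe
uRun: [hsf87sdhfush87fsufhuie3fddf] c:\docume~1\john\locals~1\temp\qpav7ocw.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
TCP: NameServer = 93.188.162.42,93.188.166.149
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\symds.sys [2010-5-1 328752]
S0 saartf;saartf;c:\windows\system32\drivers\saartf.sys [2010-4-30 0]
"""

if __name__ == "__main__":
    for rule, line in triage_dds(SAMPLE_LOG):
        print(f"{rule:26} {line}")
```

Pass the resolvers your ISP or DHCP server actually hands out as `expected_dns`; the localhost proxy and the two lockout policies are what make the browser redirects and the unrunnable regedit in the first post fit together.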


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:36 PM

Posted 05 May 2010 - 12:21 PM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 jdcrichton

jdcrichton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 06 May 2010 - 08:44 AM

OTL will not open.

Receive error message 'OTL has encountered a problem and needs to close' seconds after I try to open it. I obviously then get an option to send an error report....


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:36 PM

Posted 06 May 2010 - 11:46 AM

Ok then let's try something else.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 jdcrichton

jdcrichton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 06 May 2010 - 02:25 PM

ComboFix 10-05-05.0D - John 06/05/2010 20:01:03.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.105 [GMT 1:00]
Running from: c:\documents and settings\John\My Documents\Downloads\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\John\LOCALS~1\Temp\csrss.exe
c:\docume~1\John\LOCALS~1\Temp\lsass.exe
c:\docume~1\John\LOCALS~1\Temp\svchost.exe
c:\docume~1\John\LOCALS~1\Temp\taskmgr.exe
c:\documents and settings\John\Local Settings\Application Data\iovcrwtbo
c:\documents and settings\John\Local Settings\Application Data\iovcrwtbo\wuncnsktssd.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\00E11E04.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\windows\system32\driVERs\saartf.sys
c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe
c:\windows\Uninstall.ini
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_saartf
-------\Service_saartf


((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-03 22:56 . 2010-05-03 22:56 0 ----a-w- c:\windows\nsreg.dat
2010-05-03 22:42 . 2010-05-03 22:42 -------- d-sh--w- c:\documents and settings\John\IECompatCache
2010-05-03 14:15 . 2010-05-03 14:15 -------- d-----w- C:\FOUND.002
2010-05-02 16:33 . 2010-05-02 16:33 -------- d-----w- c:\documents and settings\Carrie\Application Data\TuneUpMedia
2010-05-01 18:37 . 2010-02-27 02:23 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-05-01 18:37 . 2010-02-04 01:40 362032 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-01 18:37 . 2010-02-04 01:40 172592 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-05-01 18:37 . 2009-11-05 22:06 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-05-01 18:37 . 2010-02-27 02:23 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-05-01 18:37 . 2010-02-25 23:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-01 13:22 . 2010-05-01 13:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-01 13:22 . 2010-05-01 13:22 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-01 13:21 . 2010-05-01 13:21 -------- d-----w- c:\windows\system32\drivers\NAV
2010-05-01 13:21 . 2010-05-01 13:21 -------- d-----w- c:\program files\Windows Sidebar
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\program files\Norton AntiVirus
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\program files\NortonInstaller
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-01 12:53 . 2010-05-01 12:53 -------- d-----w- C:\FOUND.001
2010-05-01 10:27 . 2010-05-01 10:27 -------- d-sh--w- c:\documents and settings\Carrie\PrivacIE
2010-05-01 01:33 . 2010-05-01 01:33 350 ----a-w- c:\windows\system32\drivers\woueuhoe.dat
2010-04-30 21:57 . 2010-04-30 21:57 -------- d-----w- c:\program files\Trend Micro
2010-04-30 21:33 . 2010-04-30 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-30 19:59 . 2010-04-30 19:59 -------- d-sh--w- c:\documents and settings\John\PrivacIE
2010-04-30 19:56 . 2010-04-30 19:56 -------- d-----w- C:\spoolerlogs
2010-04-30 19:54 . 2010-04-30 19:53 107520 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00003941.dll
2010-04-26 23:18 . 2010-04-26 23:18 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Conduit
2010-04-26 16:52 . 2010-04-26 16:52 -------- d-----w- c:\documents and settings\John\Application Data\Apple Computer
2010-04-26 13:29 . 2010-04-26 13:29 -------- d-----w- c:\program files\TuneUpMedia
2010-04-26 13:29 . 2010-04-26 13:29 -------- d-----w- c:\documents and settings\John\Application Data\TuneUpMedia
2010-04-26 13:29 . 2010-04-26 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-04-24 14:33 . 2010-04-24 14:33 -------- d-----w- c:\documents and settings\John\Application Data\Azureus
2010-04-23 15:00 . 2010-04-23 15:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-04-18 11:33 . 2010-04-18 11:33 -------- d-----w- c:\documents and settings\Carrie\Application Data\Teleca
2010-04-18 11:32 . 2010-04-18 11:32 -------- d-----w- c:\documents and settings\Carrie\Application Data\Sony Ericsson
2010-04-18 11:32 . 2010-04-18 11:32 -------- d-----w- c:\documents and settings\Carrie\Application Data\Trusteer
2010-04-07 20:01 . 2010-04-07 20:01 -------- d-----w- c:\program files\MSXML 4.0
2010-04-07 01:23 . 2010-04-07 01:23 -------- d-----w- c:\documents and settings\John\Application Data\Trusteer
2010-04-07 01:22 . 2010-04-07 01:22 -------- d-----w- c:\program files\Trusteer
2010-04-07 01:19 . 2010-04-07 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-06 23:36 . 2010-04-06 23:36 -------- d-----w- c:\documents and settings\John\Application Data\AdobeUM
2010-04-06 23:35 . 2010-04-06 23:35 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Adobe
2010-04-06 19:49 . 2010-04-06 19:49 -------- d-----w- c:\documents and settings\John\Application Data\CyberLink
2010-04-06 19:45 . 2010-04-06 19:45 -------- d-----w- c:\documents and settings\John\Application Data\Teleca
2010-04-06 19:45 . 2007-04-23 14:54 100488 ----a-r- c:\windows\system32\drivers\s115mgmt.sys
2010-04-06 19:45 . 2007-04-23 14:54 98568 ----a-r- c:\windows\system32\drivers\s115obex.sys
2010-04-06 19:45 . 2007-04-23 14:54 15112 ----a-r- c:\windows\system32\drivers\s115mdfl.sys
2010-04-06 19:45 . 2007-04-23 14:54 12424 ----a-r- c:\windows\system32\drivers\s115cmnt.sys
2010-04-06 19:45 . 2007-04-23 14:54 12424 ----a-r- c:\windows\system32\drivers\s115cm.sys
2010-04-06 19:45 . 2007-04-23 14:54 108680 ----a-r- c:\windows\system32\drivers\s115mdm.sys
2010-04-06 19:45 . 2007-04-23 14:54 12424 ----a-r- c:\windows\system32\drivers\s115whnt.sys
2010-04-06 19:45 . 2007-04-23 14:54 12424 ----a-r- c:\windows\system32\drivers\s115wh.sys
2010-04-06 19:45 . 2007-04-23 14:54 83208 ----a-r- c:\windows\system32\drivers\s115bus.sys
2010-04-06 19:42 . 2010-04-06 19:43 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Sony Ericsson
2010-04-06 19:42 . 2010-04-06 19:42 -------- d-----w- c:\documents and settings\John\Application Data\Sony Ericsson
2010-04-06 19:41 . 2010-04-06 19:41 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared
2010-04-06 19:41 . 2010-04-06 19:41 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-04-06 19:41 . 2010-04-06 19:41 -------- d-----w- c:\program files\Sony Ericsson
2010-04-06 19:39 . 2010-04-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-04-06 19:39 . 2010-04-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 19:11 . 2004-08-30 18:18 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-01 13:22 . 2010-05-01 13:22 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-01 13:22 . 2010-05-01 13:22 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-25 18:46 . 2010-03-25 18:46 -------- d-----w- c:\program files\Common Files\Apple
2010-03-25 18:45 . 2010-03-25 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 21:21 . 2010-03-23 21:21 84248 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-20 16:12 . 2005-07-14 11:35 84248 ----a-w- c:\documents and settings\Carrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 17:55 . 2010-03-19 17:55 -------- d-----w- c:\program files\Guitar Pro 5
2010-03-19 17:19 . 2010-03-19 17:19 -------- d-----w- c:\program files\WeFi
2010-03-19 17:18 . 2010-03-19 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-19 17:18 . 2010-03-19 17:18 -------- d-----w- c:\documents and settings\Carrie\Application Data\Azureus
2010-03-19 17:16 . 2010-03-19 17:15 -------- d-----w- c:\program files\Vuze
2010-03-19 17:15 . 2010-03-19 17:15 -------- d-----w- c:\program files\Conduit
2010-03-19 17:15 . 2010-03-19 17:15 -------- d-----w- c:\program files\Vuze_Remote
2010-03-18 23:41 . 2004-08-30 17:55 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-10 06:15 . 1979-12-31 23:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 16:55 . 2010-03-08 16:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-25 06:24 . 1979-12-31 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 1979-12-31 23:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 09:16 . 2010-02-09 13:25 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 08:10 . 1979-12-31 23:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 21:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 09:03 . 2010-02-24 15:20 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 1979-12-31 23:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 1979-12-31 23:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-11-17 10:59 . 2007-11-17 10:59 2105544 ----a-w- c:\program files\Program Files.rar
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2004-08-27 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-21 149280]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\WINDOWS\\System32\\SPOOLSV.EXE"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1106000.020\symds.sys [01/05/2010 19:37 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1106000.020\symefa.sys [01/05/2010 19:37 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [29/04/2010 18:44 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\cchpx86.sys [01/05/2010 19:37 501888]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [23/03/2010 16:39 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [23/03/2010 16:39 125160]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 18:51 6784]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1106000.020\ironx86.sys [01/05/2010 19:37 116784]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccsvchst.exe [01/05/2010 19:37 126392]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [23/03/2010 16:39 779496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 18:51 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/05/2010 14:42 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100429.001\IDSXpx86.sys [03/05/2010 22:34 329592]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 18:51 16000]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 12:49 227232]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [06/04/2010 20:45 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [06/04/2010 20:45 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [06/04/2010 20:45 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [06/04/2010 20:45 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [06/04/2010 20:45 98568]
S3 WefiEngSvc;WeFi Engine Service;c:\program files\WeFi\WefiEngSvc.exe [16/03/2010 16:23 133976]
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-05-06 c:\windows\Tasks\WefiStartup.job
- c:\program files\WeFi\WefiStartup.exe [2010-03-16 15:23]

2010-05-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-EPSON Stylus Photo R300 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
HKLM-Run-EPSON Stylus Photo R300 Series (Copy 1) - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
AddRemove-ImageJ_is1 - f:\imagej\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 20:21
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6832)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\acer\eManager\anbmServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2010-05-06 20:23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 19:23

Pre-Run: 3,155,820,544 bytes free
Post-Run: 3,588,636,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 79FDC2147AE98FB2EEEE68A5489F1BD7


#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 06 May 2010 - 05:27 PM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
suspect::
c:\windows\system32\drivers\woueuhoe.dat
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\SPOOLSV.EXE"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Then please post back here with the following logs:
  • Combofix.txt
  • MBAM log

Thanks


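One way to triage log lines in the shape ComboFix prints them before drafting a CFScript, as an added Python example that is not from this thread, from syler, or from ComboFix: it parses the "Files Created", Run and firewall sections and applies three heuristics that correspond to the three entries the script above targets (a non-driver file in the drivers folder, a Run value whose target ComboFix marks as missing, and a system binary in the firewall allow list). The sample lines are constructed from this log's format, and the heuristics and the default-exception list are assumptions, not ComboFix's own rules.

```python
"""Triage helper for ComboFix log lines (added example, not part of the thread
or of ComboFix). The heuristics are assumptions: they surface entries worth a
second look, they do not prove that anything is malicious."""
import re

# Constructed sample in the shape ComboFix prints: file lines, then two
# registry sections with their value lines (firewall keys use doubled slashes).
SAMPLE_LOG = r"""
2010-05-01 01:33 . 2010-05-01 01:33 350 ----a-w- c:\windows\system32\drivers\woueuhoe.dat
2010-05-01 13:22 . 2010-05-01 13:22 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-06 19:45 . 2007-04-23 14:54 83208 ----a-r- c:\windows\system32\drivers\s115bus.sys
2010-05-01 13:21 . 2010-05-01 13:21 -------- d-----w- c:\windows\system32\drivers\NAV
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\System32\\SPOOLSV.EXE"=
"""

DRIVER_DIR = "\\windows\\system32\\drivers\\"
# Assumed: file types legitimately found next to kernel drivers.
DRIVER_EXTS = {".sys", ".inf", ".cat"}
# Assumed: firewall exceptions Windows XP creates by default for system binaries.
DEFAULT_XP_EXCEPTIONS = {"sessmgr.exe", "xpnetdiag.exe"}

FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-+) (\S+) (.+)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)")?\s*(?:\[(.*)\])?$')


def _normalize(path):
    """Collapse the doubled backslashes ComboFix prints in firewall keys and
    expand %windir% (assumed c:\\windows) so paths can be compared."""
    return path.replace("\\\\", "\\").lower().replace("%windir%", "c:\\windows")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return (kind, entry, reason) tuples for entries matching a heuristic."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m:
            if m.group(3).startswith("-"):
                continue  # a directory entry, not a file
            path = _normalize(m.group(5))
            name = _basename(path)
            ext = name[name.rfind("."):] if "." in name else ""
            if DRIVER_DIR in path and ext not in DRIVER_EXTS:
                findings.append(("file", m.group(5),
                                 "non-driver file type in the drivers directory"))
            continue
        m = VALUE_RE.match(line)
        if not m or section is None:
            continue
        name, value, note = m.group(1), m.group(2), m.group(3)
        if section.endswith("\\currentversion\\run"):
            if note == "X":
                findings.append(("run", name, "ComboFix marks the target as missing ([X])"))
            elif value and not re.match(r"^[a-z]:\\", value, re.IGNORECASE):
                findings.append(("run", name, "target is not an absolute path"))
        elif section.endswith("\\authorizedapplications\\list"):
            path = _normalize(name)
            if "\\windows\\system32\\" in path and _basename(path) not in DEFAULT_XP_EXCEPTIONS:
                findings.append(("firewall", name,
                                 "system binary allowed through the firewall"))
    return findings


if __name__ == "__main__":
    for kind, entry, reason in triage(SAMPLE_LOG):
        print(f"{kind:8} {entry}\n         -> {reason}")
```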

#7 jdcrichton

  • Topic Starter

  • Members
  • 23 posts

Posted 09 May 2010 - 04:52 PM

Apologies for the late reply; I have been away and will follow the next steps tomorrow when I return from work. Just thought I'd let you know the timeline since it's been a few days since your reply.

Thanks
John

#8 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 May 2010 - 09:05 AM

No problem



#9 jdcrichton

  • Topic Starter

  • Members
  • 23 posts

Posted 10 May 2010 - 03:14 PM

ComboFix 10-05-10.01 - John 10/05/2010 20:10:37.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.194 [GMT 1:00]
Running from: c:\documents and settings\John\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\John\My Documents\Downloads\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

file zipped: c:\windows\system32\drivers\woueuhoe.dat
.

((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-08 12:26 . 2010-05-08 12:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-05-03 23:25 . 2010-04-08 01:50 1496064 ----a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-05-03 23:25 . 2010-04-08 01:50 43008 ----a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-05-03 23:25 . 2010-04-08 01:50 338944 ----a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-05-03 23:25 . 2010-04-08 01:50 346112 ----a-w- c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-05-03 22:56 . 2010-05-03 22:56 0 ----a-w- c:\windows\nsreg.dat
2010-05-03 22:42 . 2010-05-03 22:42 -------- d-sh--w- c:\documents and settings\John\IECompatCache
2010-05-03 14:15 . 2010-05-03 14:15 -------- d-----w- C:\FOUND.002
2010-05-02 16:33 . 2010-05-02 16:33 -------- d-----w- c:\documents and settings\Carrie\Application Data\TuneUpMedia
2010-05-01 18:37 . 2010-02-27 02:23 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-05-01 18:37 . 2010-02-04 01:40 362032 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-01 18:37 . 2010-02-04 01:40 172592 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-05-01 18:37 . 2009-11-05 22:06 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-05-01 18:37 . 2010-02-27 02:23 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-05-01 18:37 . 2010-02-25 23:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-01 13:22 . 2010-05-01 13:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-01 13:22 . 2010-05-01 13:22 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-01 13:21 . 2010-05-01 13:21 -------- d-----w- c:\windows\system32\drivers\NAV
2010-05-01 13:21 . 2010-05-01 13:21 -------- d-----w- c:\program files\Windows Sidebar
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\program files\Norton AntiVirus
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\program files\NortonInstaller
2010-05-01 13:20 . 2010-05-01 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-01 12:53 . 2010-05-01 12:53 -------- d-----w- C:\FOUND.001
2010-05-01 10:27 . 2010-05-01 10:27 -------- d-sh--w- c:\documents and settings\Carrie\PrivacIE
2010-05-01 01:33 . 2010-05-01 01:33 350 ----a-w- c:\windows\system32\drivers\woueuhoe.dat
2010-05-01 01:21 . 2010-05-01 01:21 15849560 ----a-w- c:\documents and settings\John\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2010-04-30 21:57 . 2010-04-30 21:57 388096 ----a-r- c:\documents and settings\John\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-30 21:57 . 2010-04-30 21:57 -------- d-----w- c:\program files\Trend Micro
2010-04-30 21:33 . 2010-04-30 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-30 19:59 . 2010-04-30 19:59 -------- d-sh--w- c:\documents and settings\John\PrivacIE
2010-04-30 19:56 . 2010-04-30 19:56 -------- d-----w- C:\spoolerlogs
2010-04-26 23:18 . 2010-04-26 23:18 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Conduit
2010-04-26 16:52 . 2010-04-26 16:52 -------- d-----w- c:\documents and settings\John\Application Data\Apple Computer
2010-04-26 13:29 . 2010-04-26 13:29 -------- d-----w- c:\program files\TuneUpMedia
2010-04-26 13:29 . 2010-04-26 13:29 -------- d-----w- c:\documents and settings\John\Application Data\TuneUpMedia
2010-04-26 13:29 . 2010-04-26 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-04-24 14:33 . 2010-04-24 14:33 -------- d-----w- c:\documents and settings\John\Application Data\Azureus
2010-04-23 15:00 . 2010-04-23 15:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-04-18 11:33 . 2010-04-18 11:33 -------- d-----w- c:\documents and settings\Carrie\Application Data\Teleca
2010-04-18 11:32 . 2010-04-18 11:32 -------- d-----w- c:\documents and settings\Carrie\Application Data\Sony Ericsson
2010-04-18 11:32 . 2010-04-18 11:32 -------- d-----w- c:\documents and settings\Carrie\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-10 09:09 . 2004-08-30 18:18 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-06 09:36 . 2010-02-09 13:25 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-01 13:22 . 2010-05-01 13:22 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-01 13:22 . 2010-05-01 13:22 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-07 20:01 . 2010-04-07 20:01 -------- d-----w- c:\program files\MSXML 4.0
2010-04-07 01:23 . 2010-04-07 01:23 -------- d-----w- c:\documents and settings\John\Application Data\Trusteer
2010-04-07 01:22 . 2010-04-07 01:22 -------- d-----w- c:\program files\Trusteer
2010-04-07 01:19 . 2010-04-07 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-06 23:36 . 2010-04-06 23:36 -------- d-----w- c:\documents and settings\John\Application Data\AdobeUM
2010-04-06 19:49 . 2010-04-06 19:49 -------- d-----w- c:\documents and settings\John\Application Data\CyberLink
2010-04-06 19:45 . 2010-04-06 19:45 -------- d-----w- c:\documents and settings\John\Application Data\Teleca
2010-04-06 19:42 . 2010-04-06 19:42 -------- d-----w- c:\documents and settings\John\Application Data\Sony Ericsson
2010-04-06 19:41 . 2010-04-06 19:41 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared
2010-04-06 19:41 . 2010-04-06 19:41 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-04-06 19:41 . 2010-04-06 19:41 -------- d-----w- c:\program files\Sony Ericsson
2010-04-06 19:39 . 2010-04-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-04-06 19:39 . 2010-04-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2010-03-25 18:46 . 2010-03-25 18:46 -------- d-----w- c:\program files\Common Files\Apple
2010-03-25 18:45 . 2010-03-25 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-23 21:21 . 2010-03-23 21:21 84248 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-20 16:12 . 2005-07-14 11:35 84248 ----a-w- c:\documents and settings\Carrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 17:55 . 2010-03-19 17:55 -------- d-----w- c:\program files\Guitar Pro 5
2010-03-19 17:19 . 2010-03-19 17:19 -------- d-----w- c:\program files\WeFi
2010-03-19 17:18 . 2010-03-19 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-19 17:18 . 2010-03-19 17:18 -------- d-----w- c:\documents and settings\Carrie\Application Data\Azureus
2010-03-19 17:16 . 2010-03-19 17:15 -------- d-----w- c:\program files\Vuze
2010-03-19 17:15 . 2010-03-19 17:15 52224 ----a-w- c:\documents and settings\Carrie\Application Data\Mozilla\Firefox\Profiles\ol207li4.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
2010-03-19 17:15 . 2010-03-19 17:15 101376 ----a-w- c:\documents and settings\Carrie\Application Data\Mozilla\Firefox\Profiles\ol207li4.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
2010-03-19 17:15 . 2010-03-19 17:15 -------- d-----w- c:\program files\Conduit
2010-03-19 17:15 . 2010-03-19 17:15 -------- d-----w- c:\program files\Vuze_Remote
2010-03-18 23:41 . 2004-08-30 17:55 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-10 06:15 . 1979-12-31 23:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 1979-12-31 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 1979-12-31 23:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10 . 1979-12-31 23:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 21:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 09:03 . 2010-02-24 15:20 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 1979-12-31 23:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 1979-12-31 23:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-11-17 10:59 . 2007-11-17 10:59 2105544 ----a-w- c:\program files\Program Files.rar
.

((((((((((((((((((((((((((((( SnapShot@2010-05-06_19.14.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-10 17:48 . 2010-05-10 17:48 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
+ 2010-05-10 17:49 . 2010-05-10 17:49 16384 c:\windows\Temp\Perflib_Perfdata_148.dat
+ 2004-08-31 09:50 . 2010-05-09 14:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-31 09:50 . 2010-03-19 08:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-31 09:50 . 2010-05-09 14:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-31 09:50 . 2010-03-19 08:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-09 13:41 . 2010-05-09 14:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-31 09:50 . 2010-03-19 08:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-09 2355224]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch.exe" [2004-06-08 499712]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2004-08-27 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-21 149280]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1106000.020\symds.sys [01/05/2010 19:37 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1106000.020\symefa.sys [01/05/2010 19:37 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [29/04/2010 18:44 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\cchpx86.sys [01/05/2010 19:37 501888]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [23/03/2010 16:39 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [23/03/2010 16:39 125160]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 18:51 6784]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1106000.020\ironx86.sys [01/05/2010 19:37 116784]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccsvchst.exe [01/05/2010 19:37 126392]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [23/03/2010 16:39 779496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 18:51 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/05/2010 14:42 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [07/05/2010 22:16 329592]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 18:51 16000]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 12:49 227232]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [06/04/2010 20:45 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [06/04/2010 20:45 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [06/04/2010 20:45 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [06/04/2010 20:45 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [06/04/2010 20:45 98568]
S3 WefiEngSvc;WeFi Engine Service;c:\program files\WeFi\WefiEngSvc.exe [16/03/2010 16:23 133976]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-05-10 c:\windows\Tasks\WefiStartup.job
- c:\program files\WeFi\WefiStartup.exe [2010-03-16 15:23]

2010-05-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\
FF - prefs.js: browser.startup.homepage - bbc.co.uk
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 20:18
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(12752)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
.
Completion time: 2010-05-10 20:21:44
ComboFix-quarantined-files.txt 2010-05-10 19:21
ComboFix2.txt 2010-05-06 19:24

Pre-Run: 3,495,428,096 bytes free
Post-Run: 3,467,132,928 bytes free

- - End Of File - - 24C39042565CF32E93522D6223BA3A79
Upload was successful

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4086

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/05/2010 20:33:34
mbam-log-2010-05-10 (20-33-34).txt

Scan type: Quick scan
Objects scanned: 137105
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:36 PM

Posted 11 May 2010 - 09:39 AM

That's looking better. Can you tell me how the computer is running now and whether you have any more problems?

You have Viewpoint installed. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • ESET report
  • New DDS log

Thanks



#11 jdcrichton

jdcrichton
  • Topic Starter
  • Members
  • 23 posts
  • Local time:05:36 PM

Posted 12 May 2010 - 04:28 PM

Which program is it that creates a DDS report?

I have so many new tools downloaded I'm not sure which one I used first, sorry. Is it called GMER?
The original thread was removed so I couldn't check which program Orange Blossom asked me to download first.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:36 PM

Posted 12 May 2010 - 08:18 PM

The program is DDS, it can be downloaded from here.



#13 jdcrichton

jdcrichton
  • Topic Starter
  • Members
  • 23 posts
  • Local time:05:36 PM

Posted 16 May 2010 - 05:43 PM

There is no option to uninstall Viewpoint from Add/Remove Programs. There are Viewpoint files and Viewpoint Player located in C://Program Files. Should I delete these?

The laptop is running better. Firefox is still having problems, but I'm not sure if that's just Google Toolbar causing unresponsive scripts; it happens quite a lot and it has something to do with chrome on the toolbar, I think.

The laptop has shut down for no reason a couple of times, and my brother went and installed Championship Manager on here yesterday (which I hope hasn't caused any problems) and says it's running slow and freezes.

Other than that it's generally OK; no rootkit problems by the looks of things. Not that I know what they are, but when I was told I had rootkit problems, the symptoms that were present are no longer.

I also have files FOUND.001, FOUND.002 all the way up to FOUND.026 in C:, which I don't know what they are.

ESET report follows below:


C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\17\7ab02891-585df109 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-349c3320 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-79efe493 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined

DDS (Ver_10-03-17.01) - FAT32x86
Run by John at 23:32:22.52 on 16/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [PCMService] "c:\program files\arcade\PCMService.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE
mRun: [SpeedTouch USB Diagnostics] "c:\program files\alcatel\speedtouch usb\Dragdiag.exe" /icon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\kpxbxm8n.default\
FF - prefs.js: browser.startup.homepage - bbc.co.uk
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\kpxbxm8n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? McComponentHostService;McAfee Security Scan Component Host Service
R? s115bus;Sony Ericsson Device 115 driver (WDM)
R? s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter
R? s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver
R? s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
R? s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface
R? WefiEngSvc;WeFi Engine Service
S? BHDrvx86;BHDrvx86
S? ccHP;Symantec Hash Provider
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? IDSxpx86;IDSxpx86
S? NAV;Norton AntiVirus
S? NAVENG;NAVENG
S? NAVEX15;NAVEX15
S? RapportKELL;RapportKELL
S? RapportMgmtService;Rapport Management Service
S? RapportPG;RapportPG
S? SMBBATT;Microsoft Smart Battery Driver
S? SMBHC;Microsoft SM Bus Host Controller Driver
S? SymDS;Symantec Data Store
S? SymEFA;Symantec Extended File Attributes
S? SymIRON;Symantec Iron Driver
S? Viewpoint Manager Service;Viewpoint Manager Service
S? WinDefend;Windows Defender

=============== Created Last 30 ================

2010-05-15 00:27:51 0 d-----w- c:\program files\Championship Manager 01-02
2010-05-11 20:59:38 0 d-----w- c:\program files\ESET
2010-05-11 20:48:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-11 20:48:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 19:40:01 0 d-sh--w- C:\Recycled
2010-05-10 19:26:32 0 d-----w- c:\docume~1\john\applic~1\Malwarebytes
2010-05-10 19:26:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 19:26:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-10 19:26:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 19:26:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 18:37:16 0 d-sha-r- C:\cmdcons
2010-05-06 18:35:35 98816 ----a-w- c:\windows\sed.exe
2010-05-06 18:35:35 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 18:35:35 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 18:35:35 161792 ----a-w- c:\windows\SWREG.exe
2010-05-03 22:42:04 0 d-sh--w- c:\documents and settings\john\IECompatCache
2010-05-03 14:56:13 0 ----a-w- c:\documents and settings\john\defogger_reenable
2010-05-03 14:15:34 0 d-----w- C:\FOUND.002
2010-05-01 18:37:25 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-05-01 18:37:25 362032 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-01 18:37:25 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-05-01 18:37:25 172592 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-05-01 18:37:24 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-01 18:37:24 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-05-01 13:22:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-01 13:22:51 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-01 13:22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-01 13:22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-01 13:21:01 0 d-----w- c:\windows\system32\drivers\NAV
2010-05-01 13:20:55 0 d-----w- c:\program files\Norton AntiVirus
2010-05-01 13:20:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-05-01 13:20:13 0 d-----w- c:\program files\NortonInstaller
2010-05-01 13:20:13 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-05-01 12:53:08 0 d-----w- C:\FOUND.001
2010-05-01 01:33:52 350 ----a-w- c:\windows\system32\drivers\woueuhoe.dat
2010-04-30 21:57:20 0 d-----w- c:\program files\Trend Micro
2010-04-30 21:47:06 0 d-----w- c:\windows\pss
2010-04-30 19:59:19 0 d-sh--w- c:\documents and settings\john\PrivacIE
2010-04-30 19:56:11 0 d-----w- C:\spoolerlogs
2010-04-26 13:29:49 0 d-----w- c:\program files\TuneUpMedia
2010-04-26 13:29:42 0 d-----w- c:\docume~1\john\applic~1\TuneUpMedia
2010-04-26 13:29:32 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2010-04-24 14:33:20 0 d-----w- c:\docume~1\john\applic~1\Azureus

==================== Find3M ====================

2010-05-06 09:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-19 17:05:50 4874240 ----a-w- c:\windows\system32\dllcache\wmp.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 08:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2007-11-17 10:59:22 2105544 ----a-w- c:\program files\Program Files.rar

============= FINISH: 23:33:32.38 ===============

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:36 PM

Posted 17 May 2010 - 11:16 AM

QUOTE
There is no option to uninstall Viewpoint from Add/Remove programs. There are viewpoint files and viewpoint player located in C://Program Files. Should I delete these??


Yes, you can just delete any traces of Viewpoint you find.

QUOTE
I also have files FOUND.001, FOUND.002 all the way up to FOUND.026 in c: which I don't know what they are.


These files are from when you have run check disk and it has been unable to recover some files or folders, they
then get stored in these, this could be a sign that your drive is starting to fail and would explain why you are
still having other issues, I would back up any important data and consider getting a new hard drive if chkdsk
keeps finding errors.

Your logs look ok to me now.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep windows up to date with the latest service pack and patches. This will
prevent you from getting the malware which uses vulnerabilities found in windows to exploit your computer.
The easiest way to do this this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you
do not update your antivirus software then it will not be able to catch any of the new variants that may come
out. If you use a commercial antivirus program you must make sure you keep renewing your subscription.
Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure all programs are updated
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware
to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed
applications that are regularly patched to fix vulnerabilities. You can check these by visiting
Calendar of Updates or you can install Secunia PSI.

Install a Firewall
I cannot stress how important it is that you use a third party Firewall on your computer. Without a firewall
your computer is susceptible to being hacked and taken over. Windows firewall is good for blocking inbound
connections but it does not block outbound connections. So if Malware manages to get onto your computer it
will be able to send data out when it wants. Here are some free firewalls, you only need to install one of these.

Zone Alarm
Outpost
PC Tools

After you install the third party firewall disable your Windows firewall. Go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then click Apply and Ok.

Install Sandboxie
Sandboxie is a great program to help protect you against malware, working inside Sandboxie will basically
mean that, what you are doing will not make permanent changes to your system, unless you allow it to.
So you can be surfing the web inside Sandboxie then if you happen to stumble upon a bad site and get
infected, you can simply delete the Sandbox and all is gone. Having said that, it can not be considered 100%
secure as no program can be, but it can be a great help and is an excellent program. You can find a download
link and more information about the program here.

Secure your browsing
Firefox is generally considered to be a lot safer than Internet Explorer, I would recommend that you install
Firefox and install some addons that will make the browser even safer. You can download the latest version
of Firefox here, if you already have firefox these are some good addons.

Recommended addons
NoScript
Adblock Plus
WOT

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs. You can find a tutorial and download link here.

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions here.


Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler



#15 jdcrichton

jdcrichton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 17 May 2010 - 12:28 PM

Fantastic! Thanks very much indeed!

I think a new machine is in order never mind a new hard drive. It's not even my laptop, I'm still trying to find an XP disk to fix mine and using my girlfriend's old one in the meantime - they are both 2005 XP models so getting on quite a bit now!!!

Thanks so much for your help, this place is brilliant!

Is there any way to donate to bleepingcomputer? Is the link in your sig to donate to UNITE?

Regards,
John
