
Trojan Win32 infection (as smss.exe & services.exe)


  • This topic is locked
11 replies to this topic

#1 trojanpie

  • Members
  • 6 posts

Posted 01 December 2010 - 10:48 PM

I've been infected with 2 trojans since I downloaded and ran some unreliable software half a year ago. I didn't know what to do after that and have run numerous scans every time I start the computer. These trojans have hidden themselves in the System Volume Information folder as services.exe and smss.exe, which are impossible to terminate through Windows Task Manager. I noticed that my computer performance has decreased, and the sound keeps "jumping" and is muted even though I did not make any changes. Can you guys please help me and guide me to deal with these trojans? I'm so tired of re-installing anti-viruses and downloading other software already. :o




1. DDS.txt
DDS (Ver_10-11-27.01) - NTFSx86
Run by user at 11:12:01.10 on 12/01/2010 Wed
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1013.215 [GMT 8:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WL230USB Wireless B+G Utility\WLANUTL.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WLANUTL.exe] c:\program files\wl230usb wireless b+g utility\WLANUTL.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\m9iiyg15.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-17 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-17 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 WL230_XP;Aztech 802.11g WL230 1211B Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2010-3-3 437760]
R4 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2010-3-3 19072]

=============== Created Last 30 ================

2010-11-13 10:50:38 -------- d-----w- C:\Bejeweled Blitz
2010-11-13 10:49:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games
2010-11-11 20:18:41 -------- d-sh--w- c:\documents and settings\user\IECompatCache

==================== Find3M ====================

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 04:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spaq.sys >>UNKNOWN [0x86DC5938]<<
spaq.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff9729d9b; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86CD9AB8]
3 CLASSPNP[0xF752EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x86D2BF18]
5 ACPI[0xF72B0620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-5[0x86CDBD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x620; }
user != kernel MBR !!!

============= FINISH: 11:15:21.51 ===============


#2 rigacci

    Fiorentino

  • Members
  • 2,604 posts
  • Gender:Male

Posted 09 December 2010 - 10:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 trojanpie

  • Topic Starter
  • Members
  • 6 posts

Posted 15 December 2010 - 03:25 AM

Thank you very much for your attention, and I apologize for my slow reply too. :lol: But here is the new info that you need. Hope it's useful.

1.DDS
DDS (Ver_10-12-12.02) - NTFSx86
Run by user at 21:10:24.32 on 12/14/2010 Tue
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1013.525 [GMT 8:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WL230USB Wireless B+G Utility\WLANUTL.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\My Documents\Downloads\dds(2).scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WLANUTL.exe] c:\program files\wl230usb wireless b+g utility\WLANUTL.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\m9iiyg15.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-17 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-17 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2010-3-3 19072]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 WL230_XP;Aztech 802.11g WL230 1211B Driver;c:\windows\system32\drivers\WlanUZXP.SYS [2010-3-3 437760]

=============== Created Last 30 ================

2010-12-14 12:59:47 -------- d-----w- c:\windows\system32\%programfiles%

==================== Find3M ====================

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 04:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sphp.sys >>UNKNOWN [0x86DC5938]<<
sphp.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff9729d9b; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86CEAAB8]
3 CLASSPNP[0xF752EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000061[0x86D21F18]
5 ACPI[0xF72B0620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-5[0x86CEED98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x620; }
user != kernel MBR !!!

============= FINISH: 21:13:23.76 ===============


#4 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 December 2010 - 01:56 PM

Hi trojanpie,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. If you make changes, I shall assume my assistance is no longer needed.

  • Please tell me if you have a Windows CD in case we need it.
  • Please download MBRCheck by clicking here and save it to your desktop.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.


#5 trojanpie

  • Topic Starter
  • Members
  • 6 posts

Posted 16 December 2010 - 09:08 AM

1. I don't think I have it. :huh: Is it essential?

2. MBRCheck Data
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 115):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF79EE000 \WINDOWS\system32\KDCOM.DLL
0xF78FE000 \WINDOWS\system32\BOOTVID.dll
0xF72F0000 spkb.sys
0xF79F0000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF72D8000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF72AA000 ACPI.sys
0xF7299000 pci.sys
0xF74EE000 isapnp.sys
0xF7AB6000 pciide.sys
0xF776E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74FE000 MountMgr.sys
0xF727A000 ftdisk.sys
0xF79F2000 dmload.sys
0xF7254000 dmio.sys
0xF7776000 PartMgr.sys
0xF750E000 VolSnap.sys
0xF723C000 atapi.sys
0xF751E000 disk.sys
0xF752E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF721C000 fltMgr.sys
0xF720A000 sr.sys
0xF753E000 PxHelp20.sys
0xF71F3000 KSecDD.sys
0xF7166000 Ntfs.sys
0xF7139000 NDIS.sys
0xF711F000 Mup.sys
0xF76BE000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6B2E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6B1A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6AF2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6ADB000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF783E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6AB7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7846000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6AA3000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76CE000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF784E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76DE000 \SystemRoot\system32\DRIVERS\serial.sys
0xF79D2000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF79D6000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xF7BBC000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76EE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79DA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6A8C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76FE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF770E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7856000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6A7B000 \SystemRoot\system32\DRIVERS\psched.sys
0xF771E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF785E000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7866000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6A4B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF772E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF786E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A0C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6A28000 \SystemRoot\system32\DRIVERS\ks.sys
0xF69CA000 \SystemRoot\system32\DRIVERS\update.sys
0xF70F3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF775E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA363000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA33F000 \SystemRoot\system32\drivers\portcls.sys
0xF756E000 \SystemRoot\system32\drivers\drmk.sys
0xF758E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A10000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7A12000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7ACD000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A14000 \SystemRoot\System32\Drivers\Beep.SYS
0xF788E000 \SystemRoot\System32\drivers\vga.sys
0xF7A16000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A18000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7896000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF789E000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF79C6000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA955C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9503000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF75BE000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA94B5000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA948D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF75CE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA946B000 \SystemRoot\System32\drivers\afd.sys
0xF75DE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9440000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA93D0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF760E000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9365000 \SystemRoot\system32\DRIVERS\WlanUZXP.sys
0xA933E000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF78BE000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xAA33B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF761E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF78C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAA337000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA313000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78DE000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BB4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xA92FA000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA9202000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9057000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA8DD2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A50000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA8C62000 \SystemRoot\system32\DRIVERS\srv.sys
0xF78D6000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA8905000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8AF2000 \SystemRoot\system32\drivers\sysaudio.sys
0xA8376000 \SystemRoot\System32\Drivers\HTTP.sys
0xF77FE000 \??\C:\WINDOWS\system32\ZDCNDIS5.sys
0xA802B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
840 C:\WINDOWS\system32\smss.exe
896 csrss.exe
920 C:\WINDOWS\system32\winlogon.exe
964 C:\WINDOWS\system32\services.exe
976 C:\WINDOWS\system32\lsass.exe
1136 C:\System Volume Information\Microsoft\services.exe
1156 C:\WINDOWS\system32\svchost.exe
1204 svchost.exe
1244 C:\WINDOWS\system32\svchost.exe
1368 svchost.exe
1404 svchost.exe
1728 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1740 C:\System Volume Information\Microsoft\smss.exe
668 C:\WINDOWS\system32\spoolsv.exe
740 svchost.exe
816 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
876 C:\Program Files\Java\jre6\bin\jqs.exe
1388 C:\WINDOWS\system32\svchost.exe
1536 alg.exe
2276 iexplore.exe
2572 iexplore.exe
3216 C:\WINDOWS\system32\WgaTray.exe
3320 C:\WINDOWS\explorer.exe
3756 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
3800 C:\WINDOWS\system32\ctfmon.exe
3812 C:\Program Files\WL230USB Wireless B+G Utility\WLANUTL.exe
3996 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2228 C:\Program Files\Mozilla Firefox\firefox.exe
1828 C:\Program Files\Mozilla Firefox\plugin-container.exe
3036 C:\Program Files\Internet Explorer\iexplore.exe
3532 C:\Program Files\Internet Explorer\iexplore.exe
676 C:\Documents and Settings\user\My Documents\Downloads\MBRCheck.exe
2624 C:\WINDOWS\system32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`69e61600 (NTFS)

PhysicalDrive0 Model Number: ST3160815AS, Rev: 4.AAB

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: EDF98C43E151E4C218A67A4D172BACF36FE25E4F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!



(Once again, thanks for the reply! :D )
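The MBRCheck process list above is the clearest indicator in the thread: two copies of services.exe and smss.exe are running from C:\System Volume Information\Microsoft, next to the legitimate ones in system32. The following script is an added example (not part of the thread and not MBRCheck's own code) that triages a process list of that format: it flags core Windows binaries running outside their expected directory and anything executing from System Volume Information. It assumes %SystemRoot% is C:\WINDOWS, as on this machine; 8.3 short names such as C:\PROGRA~1 are not expanded. The sample text is a subset of the MBRCheck "Processes" section posted above.

```python
"""Added example: flag masquerading system processes in an MBRCheck-style list.

Not from the thread or from MBRCheck. Assumes %SystemRoot% == C:\WINDOWS and
does not expand 8.3 short names (PROGRA~1 etc.).
"""
import re
from pathlib import PureWindowsPath

SYSTEM32 = r"c:\windows\system32"
# Where each core binary lives on a stock XP install (assumption: C:\WINDOWS).
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "alg.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}
# "<pid> <image path or bare name>" as printed by MBRCheck
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def triage_process_list(text: str) -> list:
    """Return (pid, image, reason) for each suspicious entry, in list order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, image = int(m.group(1)), m.group(2)
        path = PureWindowsPath(image)
        if path.parent == PureWindowsPath("."):
            continue  # bare name: MBRCheck could not resolve the image path
        parent, name = str(path.parent).lower(), path.name.lower()
        if "system volume information" in parent:
            # A restore-point store; nothing legitimate executes from it.
            findings.append((pid, image, "executing from System Volume Information"))
        elif name in EXPECTED_DIR and parent != EXPECTED_DIR[name]:
            findings.append((pid, image, f"{name} outside {EXPECTED_DIR[name]}"))
    return findings


# Subset of the MBRCheck output posted in this thread.
SAMPLE = r"""Processes (total 35):
0 System Idle Process
4 System
840 C:\WINDOWS\system32\smss.exe
896 csrss.exe
964 C:\WINDOWS\system32\services.exe
1136 C:\System Volume Information\Microsoft\services.exe
1728 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1740 C:\System Volume Information\Microsoft\smss.exe
3320 C:\WINDOWS\explorer.exe
3756 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
"""

if __name__ == "__main__":
    for pid, image, reason in triage_process_list(SAMPLE):
        print(f"PID {pid}: {image} -> {reason}")
```

Run against the thread's list it reports PIDs 1136 and 1740 only; the avast and Canon entries pass because their names are not core binaries, and bare names (csrss.exe, svchost.exe without a path) are skipped rather than flagged, since MBRCheck could not resolve them.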

#6 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 December 2010 - 10:56 AM

Is it essential?

This is an MBR infection; in many cases the tools we have can't remove it. We try the tools first, and if needed we have another alternative.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
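Farbar's diagnosis rests on three things visible in the logs above: GMER reads the MBR from user mode and from the kernel and gets different bytes ("user != kernel MBR"), the module sitting on the disk stack has a different name in every log (spaq.sys, sphp.sys, spkb.sys), and MBRCheck matches the boot code against a known-bad hash. The script below is an added example, not part of the thread and not code from GMER or MBRCheck. It parses a 512-byte MBR, checks the 0xAA55 trailer, walks the partition table (the thread's C: partition starts at byte offset 0x7E00, i.e. LBA 63), hashes the sector, diffs two reads of the same sector the way GMER does, and looks for the relocation stub GMER disassembled on this machine (MOV CX,0x80; CLD; REP MOVSD; JMP FAR 0000:0620), which differs from the stock XP bootstrap. The sample sectors are constructed for the example; the stock-XP prefix bytes are the opening instructions of the Windows XP MBR, and the known-bad hash is the value MBRCheck printed above, assumed here to cover the whole sector because MBRCheck does not say what it hashes.

```python
"""Added example (not from the thread, GMER or MBRCheck): offline MBR triage.

Parses a 512-byte boot sector, verifies the 0xAA55 trailer, walks the
partition table, hashes the sector, diffs two views of it (GMER's
"user != kernel MBR" check) and looks for the relocation stub GMER printed:
    MOV CX,0x80 ; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0000:0620
Sample sectors are constructed here, not captured from the infected machine.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440   # classic layout: code, 6-byte disk-signature area,
PTABLE_OFF = 446     # four 16-byte partition entries, 0xAA55 trailer
NTFS = 0x07

# Opening bytes of the stock Windows XP MBR bootstrap: XOR AX,AX; MOV SS,AX;
# MOV SP,7C00; STI; PUSH AX; POP ES; PUSH AX; POP DS; CLD; MOV SI,7C1B
XP_MBR_PREFIX = bytes.fromhex("33C0 8ED0 BC007C FB 50 07 50 1F FC BE1B7C")

# Tail of the stub from the GMER disassembly in this thread (encoded by hand):
# MOV CX,0x80 ; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0000:0620
RELOC_STUB = bytes.fromhex("B98000 90 90 FC F3A5 90 EA20060000")

# Hash MBRCheck reported above. ASSUMPTION: it is over the whole 512 bytes.
KNOWN_BAD_MBR_SHA1 = {"EDF98C43E151E4C218A67A4D172BACF36FE25E4F"}


def sector_sha1(sector: bytes) -> str:
    return hashlib.sha1(sector).hexdigest().upper()


def parse_mbr(sector: bytes) -> dict:
    """Trailer check, non-empty partition entries and the sector hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    (trailer,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):  # status, CHS start, type, CHS end, LBA start, count
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PTABLE_OFF + 16 * i)
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count,
                               "byte_offset": lba * SECTOR_SIZE})
    return {"signature_ok": trailer == 0xAA55, "partitions": partitions,
            "sha1": sector_sha1(sector)}


def classify(sector: bytes, known_bad=frozenset()) -> str:
    """Verdict order: bad trailer, known-bad hash, stub heuristic, stock XP code."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid"
    if info["sha1"] in known_bad:
        return "known-bad"
    if RELOC_STUB in sector[:BOOTCODE_LEN]:
        return "suspicious-relocation-stub"
    if sector.startswith(XP_MBR_PREFIX):
        return "stock-xp"
    return "unknown"


def diff_views(user_view: bytes, kernel_view: bytes) -> list:
    """Offsets at which two reads of the same sector disagree."""
    return [i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b]


def build_sector(bootcode: bytes, partitions) -> bytes:
    """Assemble a test MBR from boot code and (bootable, type, lba, count) tuples."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00") + bytes(6)
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if boot else 0, bytes(3),
                                 ptype, bytes(3), lba, count)
                     for boot, ptype, lba, count in partitions)
    return body + table.ljust(64, b"\x00") + b"\x55\xAA"


# Constructed layout: C: at LBA 63 (byte 0x7E00 as in MBRCheck's output), then D:.
PARTS = [(True, NTFS, 63, 204_796_800), (False, NTFS, 204_796_863, 107_000_000)]
STOCK_SECTOR = build_sector(XP_MBR_PREFIX, PARTS)
# Constructed from the GMER disassembly: XOR AX,AX; MOV DS,AX; MOV ES,AX;
# MOV SS,AX; MOV SP,7C00; MOV SI,7C00; MOV DI,0600; then RELOC_STUB.
INFECTED_SECTOR = build_sector(
    bytes.fromhex("33C0 8ED8 8EC0 8ED0 BC007C BE007C BF0006") + RELOC_STUB, PARTS)

if __name__ == "__main__":
    for label, sec in (("stock", STOCK_SECTOR), ("infected", INFECTED_SECTOR)):
        print(label, classify(sec, KNOWN_BAD_MBR_SHA1), parse_mbr(sec)["sha1"])
    print("bytes differing between views:", len(diff_views(STOCK_SECTOR, INFECTED_SECTOR)))
```

On a live machine the two views come from reading \\.\PhysicalDrive0 through the normal file API and through a path that bypasses the filter driver; a rootkit that hooks the disk stack serves the clean sector to the first and the real one to the second, which is exactly why the hash of a single read is not enough and why GMER reports the disagreement rather than the content.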

#7 trojanpie

  • Topic Starter
  • Members
  • 6 posts

Posted 16 December 2010 - 09:00 PM

1. My instructions are all in Mandarin; is this normal?
2. I downloaded and installed the Microsoft Windows Recovery Console only after the scan because I wasn't connected to the internet previously. Will this affect the results?


ComboFix.txt
ComboFix 10-12-16.02 - user 7/2010 Fri 9:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1013.696 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\360SE
c:\documents and settings\user\Application Data\360SE\360SE.ini
c:\documents and settings\user\Application Data\360SE\data\backup\1.dat
c:\documents and settings\user\Application Data\360SE\data\backup\backup.ini
c:\documents and settings\user\Application Data\360SE\data\bookmarks.dat
c:\documents and settings\user\Application Data\360SE\data\history.dat
c:\documents and settings\user\Application Data\360SE\data\ico\ad.103092804.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\ad.mozzi.biz.ico
c:\documents and settings\user\Application Data\360SE\data\ico\ad.questmedianet.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\ad.seeknet2.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\verticalhorizonads.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\www.arcadelevels.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\www.ausfis.org.ico
c:\documents and settings\user\Application Data\360SE\data\ico\www.stopzilla.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\www.streetracekingz.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\www.wixawin.com.ico
c:\documents and settings\user\Application Data\360SE\data\ico\www.yadaying.com.ico
c:\documents and settings\user\Application Data\360SE\data\user.dat
c:\documents and settings\user\Application Data\360SE\extensions\ExtAddons\ExtStats.ini
c:\documents and settings\user\Application Data\360SE\extensions\ExtAddons\ExtStats.ini.cfg
c:\documents and settings\user\Application Data\360SE\extensions\ExtAddons\ganzhi.ini
c:\documents and settings\user\Application Data\360SE\extensions\ExtAddons\recommend.ini
c:\documents and settings\user\Application Data\360SE\extensions\ExtProxy\proxy.ini
c:\documents and settings\user\Application Data\360SE\extensions\Favorites\Log\20100616.log
c:\documents and settings\user\Application Data\360SE\extensions\Favorites\Log\20100617.log
c:\documents and settings\user\Application Data\360SE\extensions\Favorites\OnlineFav.ini
c:\documents and settings\user\Application Data\360SE\extensions\SafeCentral\SafeCentral.ini
c:\documents and settings\user\Application Data\360SE\extensions\SafeCentral\sc.ini
c:\documents and settings\user\Application Data\360SE\extensions\SafeCentral\urllib.dat
c:\documents and settings\user\Application Data\360SE\NowLogin.ini
c:\documents and settings\user\Application Data\360SE\stat.ini
C:\khq
c:\system volume information\Microsoft
c:\system volume information\Microsoft\services.exe
c:\system volume information\Microsoft\smss.exe
c:\windows\system32\config\systemprofile\Application Data\360SE
c:\windows\system32\config\systemprofile\Application Data\360SE\360SE.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\data\backup\1.dat
c:\windows\system32\config\systemprofile\Application Data\360SE\data\backup\backup.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\data\bookmarks.dat
c:\windows\system32\config\systemprofile\Application Data\360SE\data\history.dat
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\178.17.162.242.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\ad.questmedianet.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\ad.seeknet2.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\se.360.cn.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\verticalhorizonads.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\www.arcadelevels.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\www.eurotechmods.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\www.streetracekingz.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\ico\www.yadaying.com.ico
c:\windows\system32\config\systemprofile\Application Data\360SE\data\user.dat
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\ExtAddons\ExtStats.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\ExtAddons\ExtStats.ini.cfg
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\ExtAddons\ganzhi.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\ExtAddons\recommend.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\ExtProxy\proxy.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\Favorites\Log\20100616.log
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\Favorites\Log\20100617.log
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\Favorites\OnlineFav.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\SafeCentral\SafeCentral.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\SafeCentral\sc.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\SafeCentral\urllib.dat
c:\windows\system32\config\systemprofile\Application Data\360SE\extensions\temp\clickstat.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\NowLogin.ini
c:\windows\system32\config\systemprofile\Application Data\360SE\stat.ini
D:\khq

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
.

2010-12-15 12:45 . 2010-12-15 12:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJEPPEX
2010-12-14 12:59 . 2010-12-14 12:59 -------- d-----w- c:\windows\system32\%programfiles%

.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-03-03 01:29 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 04:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.

((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLANUTL.exe"="c:\program files\WL230USB Wireless B+G Utility\WLANUTL.exe" [2007-06-04 630784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-10-19 232912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:294e411494aa

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2007-07-11 04:07 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 14:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 21:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 07:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-11 04:07 16132608 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
2006-11-26 18:30 97357 ----a-w- c:\program files\Ringz Studio\Storm Codec\StormSet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"ImapiService"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\American McGee's Alice\\alice.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/4/2010 1:53 PM 716272]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/17/2010 3:22 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/17/2010 3:22 PM 17744]
R3 WL230_XP;Aztech 802.11g WL230 1211B Driver;c:\windows\system32\drivers\WlanUZXP.SYS [3/3/2010 11:06 PM 437760]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\m9iiyg15.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-17 09:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,61,5d,f7,c5,06,22,4a,af,be,6b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,61,5d,f7,c5,06,22,4a,af,be,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-17 09:46:24
ComboFix-quarantined-files.txt 2010-12-17 01:46

Pre-Run: 94,761,840,640 bytes free
Post-Run: 94,991,282,176 bytes free

- - End Of File - - E7B1B1F9D8AEF0B8EAEF506EF6F638E9

#8 Farbar (Security Developer, 21,716 posts, The Netherlands)

Posted 17 December 2010 - 07:15 AM

1. My instructions are all in Mandarin; is this normal?

If you can read and follow it, it doesn't matter. It is probably the Regional Language option.

2. I downloaded and installed the Microsoft Windows Recovery Console only after the scan, because I wasn't connected to the internet previously. Will this affect the results?

It could have, but in this case the infection is removed.

  • Please run MBRCheck once more and post the log.
  • Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#9 trojanpie (Topic Starter, Members, 6 posts)

Posted 18 December 2010 - 06:42 AM

1. MBRCheck
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 115):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF79EE000 \WINDOWS\system32\KDCOM.DLL
0xF78FE000 \WINDOWS\system32\BOOTVID.dll
0xF72F0000 sphf.sys
0xF79F0000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF72D8000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF72AA000 ACPI.sys
0xF7299000 pci.sys
0xF74EE000 isapnp.sys
0xF7AB6000 pciide.sys
0xF776E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74FE000 MountMgr.sys
0xF727A000 ftdisk.sys
0xF79F2000 dmload.sys
0xF7254000 dmio.sys
0xF7776000 PartMgr.sys
0xF750E000 VolSnap.sys
0xF723C000 atapi.sys
0xF751E000 disk.sys
0xF752E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF721C000 fltMgr.sys
0xF720A000 sr.sys
0xF753E000 PxHelp20.sys
0xF71F3000 KSecDD.sys
0xF7166000 Ntfs.sys
0xF7139000 NDIS.sys
0xF711F000 Mup.sys
0xF771E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6B2E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6B1A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6AF2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6ADB000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF7836000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6AB7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF783E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6AA3000 \SystemRoot\system32\DRIVERS\parport.sys
0xF772E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF784E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF773E000 \SystemRoot\system32\DRIVERS\serial.sys
0xF79D6000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF79DE000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xF7B4C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF774E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79E6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6A8C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF775E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF755E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF786E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6A7B000 \SystemRoot\system32\DRIVERS\psched.sys
0xF756E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF787E000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF788E000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6A4B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF757E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF789E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A1A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6A28000 \SystemRoot\system32\DRIVERS\ks.sys
0xF69CA000 \SystemRoot\system32\DRIVERS\update.sys
0xF70C2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF759E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA363000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA33F000 \SystemRoot\system32\drivers\portcls.sys
0xF75BE000 \SystemRoot\system32\drivers\drmk.sys
0xF75DE000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A28000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7A2C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B9A000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A30000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78EE000 \SystemRoot\System32\drivers\vga.sys
0xF7A34000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A38000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7786000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77BE000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF69C6000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA2BC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA263000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF75FE000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAA215000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF760E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA14D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA12B000 \SystemRoot\System32\drivers\afd.sys
0xF761E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA100000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA090000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF764E000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA069000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF77E6000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA307000 \SystemRoot\System32\drivers\Dxapi.sys
0xF780E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C28000 \SystemRoot\System32\drivers\dxgthk.sys
0xAA2F7000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF769E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF785E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAA2EF000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xA9FB6000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA9EC6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9D17000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA9ABA000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A1E000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA99C2000 \SystemRoot\system32\DRIVERS\srv.sys
0xF78A6000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA96DD000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA1E5000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9586000 \SystemRoot\System32\Drivers\HTTP.sys
0xF781E000 \??\C:\WINDOWS\system32\ZDCNDIS5.sys
0xA9197000 \SystemRoot\system32\DRIVERS\WlanUZXP.sys
0xA8F8B000 \??\C:\DOCUME~1\user\LOCALS~1\Temp\kwlcrkow.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 28):
0 System Idle Process
4 System
664 C:\WINDOWS\system32\smss.exe
892 csrss.exe
916 C:\WINDOWS\system32\winlogon.exe
960 C:\WINDOWS\system32\services.exe
972 C:\WINDOWS\system32\lsass.exe
1136 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1224 C:\WINDOWS\system32\svchost.exe
1344 svchost.exe
1436 svchost.exe
1756 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
288 C:\WINDOWS\system32\spoolsv.exe
456 svchost.exe
512 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
536 C:\Program Files\Java\jre6\bin\jqs.exe
600 C:\WINDOWS\system32\svchost.exe
1448 alg.exe
3128 C:\WINDOWS\system32\WgaTray.exe
3160 C:\WINDOWS\explorer.exe
3512 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
3540 C:\Program Files\WL230USB Wireless B+G Utility\WLANUTL.exe
3560 C:\WINDOWS\system32\ctfmon.exe
764 C:\WINDOWS\system32\svchost.exe
2704 C:\Program Files\Mozilla Firefox\firefox.exe
3332 C:\Documents and Settings\user\My Documents\Downloads\MBRCheck.exe
3116 C:\WINDOWS\system32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`69e61600 (NTFS)

PhysicalDrive0 Model Number: ST3160815AS, Rev: 4.AAB

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


2. MBAM log
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2010 6:37:21 PM
mbam-log-2010-12-18 (18-37-21).txt

Scan type: Quick scan
Objects scanned: 137058
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Note: no malicious item was detected by MBAM
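MBRCheck's verdict above rests on three things it reads from sector 0 of \\.\PhysicalDrive0: the 0x55AA boot signature, the partition table (which is where the C: offset 0x7e00 and D: offset 0x1869e61600 come from), and a hash of the boot code compared against known-good Windows MBRs. The script below is an added example showing those checks in working code; it is not MBRCheck's or ComboFix's source and is not code posted in the thread. It builds a constructed 512-byte MBR whose partition start sectors reproduce the two offsets MBRCheck printed, hashes the 440-byte bootstrap area (whether MBRCheck hashes exactly that range is not stated on the page and is assumed here), and shows how a bootkit overwriting the boot code changes the hash while leaving the signature and partition table intact. The 160 GB sector count and the assumption that C: runs up to the start of D: are illustrative, not taken from the thread.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code, the region a bootkit replaces
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the disk signature/padding
PARTITION_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511

# Hash MBRCheck reported for this machine's repaired MBR (copied from the thread).
# It is used only to show the "unknown" path; the constructed MBR below cannot match it.
THREAD_REPORTED_SHA1 = "DA38B874B7713D1B51CBC449F4EF809B0DEC644A"


def sha1_boot_code(mbr):
    """SHA1 of the bootstrap area only (assumption: that is the range worth whitelisting)."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partition_table(mbr):
    """Decode the four partition entries; byte_offset is what MBRCheck prints per volume."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, count = struct.unpack_from(
            "<B3BB3BII", mbr, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return parts


def check_mbr(mbr, known_good):
    """Return (verdict, details): 'invalid' (bad sector), 'known' (hash whitelisted) or 'unknown'."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        return "invalid", {}
    digest = sha1_boot_code(mbr)
    verdict = "known" if digest in {h.upper() for h in known_good} else "unknown"
    return verdict, {"sha1": digest, "partitions": parse_partition_table(mbr)}


def build_sample_mbr():
    """Constructed MBR: dummy boot code plus partition starts taken from MBRCheck's output."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:BOOT_CODE_LEN] = b"\xeb\x00" * (BOOT_CODE_LEN // 2)   # placeholder, not real boot code
    disk_sectors = 312_581_808                 # assumed: 160 GB drive, 512-byte sectors
    c_start = 0x7E00 // SECTOR_SIZE            # 63, from MBRCheck's C: offset
    d_start = 0x1869E61600 // SECTOR_SIZE      # 204796683, from MBRCheck's D: offset
    entries = [
        (0x80, 0x07, c_start, d_start - c_start),        # C:, bootable NTFS (assumed to end where D: starts)
        (0x00, 0x07, d_start, disk_sectors - d_start),   # D:, NTFS (assumed to run to end of disk)
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def tamper(mbr):
    """Simulate a bootkit patching the first bytes of the boot code (constructed, not a real stub)."""
    patched = bytearray(mbr)
    patched[0:3] = b"\xe9\x00\x00"
    return bytes(patched)


if __name__ == "__main__":
    sample = build_sample_mbr()
    whitelist = {sha1_boot_code(sample)}   # on a real host: hashes of known-good Windows MBRs
    verdict, info = check_mbr(sample, whitelist)
    print("clean sample:", verdict, info["sha1"])
    for p in info["partitions"]:
        print(f"  partition {p['index']}: offset {p['byte_offset']:#018x} type {p['type']:#04x}")
    print("tampered sample:", check_mbr(tamper(sample), whitelist)[0])
```

On a live Windows host the input would be the first 512 bytes of `\\.\PhysicalDrive0` opened read-only with administrator rights; the point of hashing only the bootstrap area is that the partition table and disk signature legitimately differ from machine to machine, while the boot code of a given Windows version does not, so it is the part that can be whitelisted and the part a bootkit such as the one ComboFix reported has to overwrite.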

#10 Farbar (Security Developer, 21,716 posts, The Netherlands)

Posted 18 December 2010 - 06:50 AM

The MBR infection is definitely cured and everything looks good. :thumbup2:

  • Please update your Java to the latest version (version 6 update 23) as the old versions of Java have vulnerabilities malware can use to infect your computer.
  • It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.
  • You may delete any tool or log we used from your computer.

Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing trojanpie. :)

#11 trojanpie (Topic Starter, Members, 6 posts)

Posted 18 December 2010 - 10:55 AM

Wow! Thank you very much! I can't believe this problem that has been bugging me for the past few months can be handled by you so easily. :lmao: How can I ever repay you? A thousand thanks to you farbar. :chef:

#12 Farbar (Security Developer, 21,716 posts, The Netherlands)

Posted 18 December 2010 - 11:02 AM

You are most welcome trojanpie, glad I could help. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
