TROJAN HORSE AGENT_r.XJ


This topic is locked
8 replies to this topic

#1 GarrettF

  • Members
  • 10 posts

Posted 01 May 2011 - 01:06 AM

Hello Guys,
First of all, let me thank all of you for the fantastic work you do for all of us. I spent 70 USD on 4/30 to get rid of this malware, and, as you will see, I've still got it, so, without you guys, I would be trying to afford another laptop right now.
This virus is one of the worst I've ever dealt with, because it shows itself in so many places, e.g., it would not allow me to post this message in the forum (it would crash my internet connection each time I tried to upload this very post). I'm going to post a screenshot of what AVG found when it performed a full scan of my C:\ and I think you will know what to do once you see that. I will also send you my DDS.txt file, the Attach.txt file, and the Ark.txt file. If there is anything else you need, please feel free to call me at my office (972/986-5025) or on my cell (214/641-0735). And thanks again!

Regards,
GL Fournerat

--------------------

Attached File: 20110430-190246.jpg (109.33KB, 4 downloads)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 19:34:33.51 on Sat 04/30/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.481 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mediachase\Screen Capture\ScreenCapture.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ivao.aero\fr
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261620939076
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1275804758371
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = :\windows\syste
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\1gs89ysg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {D97DC4EF-376C-4EDF-8A90-38D186D47924} - c:\documents and settings\user\local settings\application data\{D97DC4EF-376C-4EDF-8A90-38D186D47924}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S1 MpKsl5bec2195;MpKsl5bec2195;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33806ad2-aea9-4c0f-b4bf-db659b891b65}\mpksl5bec2195.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33806ad2-aea9-4c0f-b4bf-db659b891b65}\MpKsl5bec2195.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctndis.sys --> c:\windows\system32\drivers\pctNdis.sys [?]
.
=============== Created Last 30 ================
.
2011-04-22 18:25:19 -------- d--h--w- C:\$AVG
2011-04-22 18:17:07 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2011-04-22 18:13:08 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-22 18:09:35 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-22 18:09:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-04-22 17:48:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-21 20:47:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-20 11:32:21 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-20 11:32:21 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 11:29:53 -------- d-----w- c:\program files\AIM
2011-04-20 11:29:50 -------- d-----w- c:\docume~1\user\locals~1\applic~1\AIM
2011-04-20 11:29:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM
2011-04-20 11:29:40 -------- d-----w- c:\program files\FS2004SDK
2011-04-20 11:28:16 -------- d-----w- c:\program files\common files\Software Update Utility
2011-04-20 11:28:06 -------- d-----w- c:\program files\Sprint
2011-04-15 07:31:13 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2011-04-15 07:30:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
.
==================== Find3M ====================
.
2011-04-21 19:15:26 0 ----a-w- c:\windows\Qtiyec.bin
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WLS rev.MA2 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A612439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6187d0]; MOV EAX, [0x8a61884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A633AB8]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000007a[0x8A6DC788]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A6BC940]
\Driver\atapi[0x8A6752D8] -> IRP_MJ_CREATE -> 0x8A612439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWLS_____________________________________MA2OA7MA#5&34ee0a3c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A61227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:38:00.68 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/20/2009 8:10:48 PM
System Uptime: 4/30/2011 4:20:20 PM (3 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel® Pentium® M processor 1.60GHz | mFCPGA | 1595/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 37 GiB total, 5.35 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP604: 3/19/2011 3:58:07 AM - Software Distribution Service 3.0
RP605: 3/20/2011 1:54:36 AM - Software Distribution Service 3.0
RP606: 3/21/2011 2:06:59 AM - System Checkpoint
RP607: 3/21/2011 3:58:06 AM - Software Distribution Service 3.0
RP608: 3/22/2011 3:58:18 AM - Software Distribution Service 3.0
RP609: 3/23/2011 5:18:58 AM - System Checkpoint
RP610: 3/24/2011 8:44:27 AM - System Checkpoint
RP611: 3/25/2011 6:14:24 PM - System Checkpoint
RP612: 3/25/2011 11:47:31 PM - Software Distribution Service 3.0
RP613: 3/26/2011 8:31:28 AM - Software Distribution Service 3.0
RP614: 3/27/2011 9:11:46 AM - System Checkpoint
RP615: 3/28/2011 4:20:20 PM - Software Distribution Service 3.0
RP616: 3/29/2011 4:15:13 PM - Software Distribution Service 3.0
RP617: 3/30/2011 11:13:16 PM - System Checkpoint
RP618: 3/31/2011 1:53:15 AM - Software Distribution Service 3.0
RP619: 4/1/2011 3:39:10 PM - Software Distribution Service 3.0
RP620: 4/2/2011 3:51:16 PM - System Checkpoint
RP621: 4/3/2011 1:47:18 AM - Software Distribution Service 3.0
RP622: 4/4/2011 6:01:53 PM - Software Distribution Service 3.0
RP623: 4/5/2011 8:46:26 PM - System Checkpoint
RP624: 4/6/2011 1:56:05 AM - Software Distribution Service 3.0
RP625: 4/7/2011 2:04:44 AM - System Checkpoint
RP626: 4/7/2011 4:31:29 PM - Software Distribution Service 3.0
RP627: 4/8/2011 10:54:01 PM - System Checkpoint
RP628: 4/9/2011 4:20:36 AM - Software Distribution Service 3.0
RP629: 4/10/2011 1:58:52 AM - Software Distribution Service 3.0
RP630: 4/11/2011 9:16:54 AM - Software Distribution Service 3.0
RP631: 4/12/2011 5:04:44 PM - Software Distribution Service 3.0
RP632: 4/16/2011 1:18:52 PM - Removed Apple Application Support
RP633: 4/16/2011 1:20:08 PM - Removed Apple Software Update
RP634: 4/16/2011 1:23:38 PM - Removed ATC Voicepack SDK
RP635: 4/16/2011 1:33:20 PM - Removed Sprint PCS Connection Manager
RP636: 4/20/2011 6:26:57 AM - Restore Operation
RP637: 4/22/2011 1:07:22 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP638: 4/22/2011 1:08:04 PM - Installed AVG 2011
RP639: 4/22/2011 1:09:01 PM - Installed AVG 2011
.
==== Installed Programs ======================
.
.
7-Zip 9.20
737 Pilot in Command
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.3
Adobe Shockwave Player 11.5
AFG Pilatus PC-12, Executive Version
AIM 7
Air France Virtual 707 (FS2004)
Air France Virtual A320 (FS2004)
Air France Virtual A330 (FS2004)
Aircraft Container SDK
Apple Application Support
Apple Software Update
ATC Voicepack SDK
Atheros Wireless LAN MiniPCI/PCIe card Driver
AVG 2011
Aviation Français Virtuel A340 (FS2004)
Beechcraft F90 release 1.5
Canon Easy-WebPrint EX
Canon i350
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MX340 series MP Drivers
Canon MX340 series User Registration
CCScore
Delta Virtual Airlines 727 (FS2004)
Delta Virtual Airlines 737 (FS2004)
Delta Virtual Airlines 737NG (FS2004)
Delta Virtual Airlines 767 (FS2004)
Delta Virtual Airlines 777 (FS2004)
Delta Virtual Airlines A310 (FS2004)
Delta Virtual Airlines DC-6 (FS2004)
Delta Virtual Airlines DC-7 (FS2004)
Delta Virtual Airlines DC-9 (FS2004)
Delta Virtual Airlines EMB-120 (FS2004)
Delta Virtual Airlines ERJ (FS2004)
Delta Virtual Airlines L-1011 (FS2004)
Delta Virtual Airlines MD-11 (FS2004)
Delta Virtual Airlines MD-88 (FS2004)
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Download Updater (AOL LLC)
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSTOOLS
essvatgt
Flight Simulator 2004 Panels SDK
FSacars
FSBuild 2.2
FSD T38 Talon
FSDZigns Lockheed 049A Constellation
FSEdit SDK
FSFDT FSCopilot
FSFDT FSInn
FSNavigator
Google Earth Plug-in
Google Talk Plugin
Google Update Helper
Historical Repaint Expansion
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
IvAe v0.8.2 Textures
IvAp v1.4.2 b2411
Jasc Paint Shop Pro 9
Java Auto Updater
Java™ 6 Update 23
Korean Fonts Support For Adobe Reader 9
Mediachase Screen Capture
Messerschmitt Bf-109F 4 for FS2004
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Miro
Mozilla Firefox (3.6.16)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
netbrdg
NTI DVD-Maker
NTI DVD-Maker Gold
OfotoXMI
PANTECH PC Card Software
PowerDVD
QuickTime
Realtek AC'97 Audio
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923789)
Segoe UI
SFR
SHASTA
skin0001
SKINXSDK
Sprint PCS Connection Manager
staticcr
Stearman and Eagle Field Scenery for FS2004
TeamSpeak 2 RC2
Texas Instruments PCIxx21/x515 drivers.
The Extractor
TIxx21/x515
TOSHIBA Software Modem
TOSHIBA Virtual Sound
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2508979)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
VAT-Spy
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.4
VPRINTOL
vroute.info
WebFldrs XP
WestWind A300
WestWind Airbus 340-200 & 300 by Project OpenSky
WestWind B707-320
WestWind B777-200LR by Project Opensky
WestWind Beechcraft Baron Repaint
WestWind Boeing 717-200
WestWind Cargo L188
WestWind Dash 3 Otter
WestWind DHC6 Twin Otter
WestWind FSDZigns L049a Connie
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WIRELESS
XAcars for Microsoft Flightsimulator
.
==== Event Viewer Messages From Past Week ========
.
4/30/2011 5:02:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wuauserv service.
4/30/2011 5:02:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
4/30/2011 5:02:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.
4/30/2011 5:02:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
4/30/2011 5:02:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RasMan service.
4/30/2011 3:28:45 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0012F0B5772F has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/30/2011 3:19:11 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0012F0B5772F has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
4/30/2011 12:39:21 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
4/30/2011 11:01:53 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/30/2011 11:01:53 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================


GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-30 21:46:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WLS rev.MA2
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\afacyfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA2023738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA20237DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA2023878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA2023914]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\user\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[216] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[216] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B15 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD16D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[216] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E53B0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[408] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0153000A
.text C:\WINDOWS\Explorer.EXE[408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0154000A
.text C:\WINDOWS\Explorer.EXE[408] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0152000C
.text C:\WINDOWS\system32\SearchIndexer.exe[2208] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[3244] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A9000A
.text C:\WINDOWS\System32\svchost.exe[3244] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AA000A
.text C:\WINDOWS\System32\svchost.exe[3244] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A8000C
.text C:\WINDOWS\System32\svchost.exe[3244] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01E9000A
.text C:\WINDOWS\System32\svchost.exe[3244] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3452] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A61227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A61227F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-e 8A61227F

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWLS_____________________________________MA2OA7MA#5&34ee0a3c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:52 PM

Posted 03 May 2011 - 04:02 AM

Welcome to BC!

I spent 70 USD on 4/30 to get rid of this malware

No need to do that, as there is plenty of free help on the forum.

I need you to run a couple of other scans to begin with.
Let me know if anything I post isn't understandable.

Step 1.
aswMBR:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it


Click the Scan - button to start scan


On completion of the scan, click the Save log button, save the log to your desktop and post it in your next reply.


Step 2.
MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 3.
Things I would like to see in your reply:

  • The content of the log from aswMBR in step 1.
  • The content of the log from MBRCheck in step 2.

Edited by heir, 03 May 2011 - 04:06 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#3 GarrettF

GarrettF
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 04 May 2011 - 07:25 AM

here's aswMBR.txt

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-04 06:23:26
-----------------------------
06:23:26.440 OS Version: Windows 5.1.2600 Service Pack 3
06:23:26.440 Number of processors: 1 586 0xD08
06:23:26.440 ComputerName: USER-605BDFAFAA UserName: user
06:23:36.424 Initialize success
06:23:43.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
06:23:43.635 Disk 0 Vendor: WLS MA2 Size: 38154MB BusType: 3
06:23:43.635 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWLS_____________________________________MA2OA7MA#5&34ee0a3c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
06:23:43.645 Device \Driver\atapi -> DriverStartIo 8a61227f
06:23:43.645 Disk 0 MBR read successfully
06:23:43.645 Disk 0 MBR scan
06:23:43.645 Disk 0 TDL4@MBR code has been found
06:23:43.645 Disk 0 Windows XP default MBR code found via API
06:23:43.645 Disk 0 MBR hidden
06:23:43.645 Disk 0 MBR [TDL4] **ROOTKIT**
06:23:43.645 Disk 0 trace - called modules:
06:23:43.645 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a612439]<<
06:23:43.655 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a633ab8]
06:23:43.655 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000007a[0x8a6dc788]
06:23:43.655 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8a6bc940]
06:23:43.655 \Driver\atapi[0x8a6752d8] -> IRP_MJ_CREATE -> 0x8a612439
06:23:43.655 Scan finished successfully
06:24:02.962 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
06:24:02.962 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

--------------------------------------------end of aswMBR.txt---------------------------------------------

here's MBRcheck.txt

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0x8A69C000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7607000 ohci1394.sys
0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789F000 compbatt.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 PCIIde.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF74D9000 pcmcia.sys
0xF7627000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF78A7000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7637000 VolSnap.sys
0xF74A2000 atapi.sys
0xF7647000 disk.sys
0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7482000 fltmgr.sys
0xF7470000 sr.sys
0xF7667000 PxHelp20.sys
0xF7870000 KSecDD.sys
0xF785D000 WudfPf.sys
0xF7B52000 Ntfs.sys
0xF7830000 NDIS.sys
0xF796D000 Mup.sys
0xF7717000 avgrkx86.sys
0xF78AB000 AVGIDSEH.Sys
0xF7400000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA7CC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB88BE000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB88AA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8871000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xF775F000 \SystemRoot\System32\drivers\swmsflt.sys
0xF7767000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB884D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF776F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8521000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF7887000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB82EB000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB82C7000 \SystemRoot\system32\drivers\portcls.sys
0xF7697000 \SystemRoot\system32\drivers\drmk.sys
0xB82A4000 \SystemRoot\system32\drivers\ks.sys
0xF7777000 \SystemRoot\system32\DRIVERS\Tvs.sys
0xF777F000 \SystemRoot\system32\DRIVERS\wowxt_kern_i386.sys
0xF7787000 \SystemRoot\system32\DRIVERS\tsxt_kern_i386.sys
0xB8188000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF79D5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF778F000 \SystemRoot\System32\Drivers\Modem.SYS
0xF76A7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB91F6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB91EE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF79D7000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0xBA1CB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7B8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8171000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7587000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB91E6000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8160000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7577000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB91DE000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB91D6000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7567000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79DD000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8102000 \SystemRoot\system32\DRIVERS\update.sys
0xBA678000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7557000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7517000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA7232000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xA5308000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA29C2000 \SystemRoot\System32\Drivers\Null.SYS
0xA5306000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77DF000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF77E7000 \SystemRoot\System32\drivers\vga.sys
0xA5304000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA5302000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77EF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA3035000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA17A1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA1748000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA1701000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xA16DB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA7222000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA7212000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA168B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA1669000 \SystemRoot\System32\drivers\afd.sys
0xA2ACB000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA163E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA15CE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA2ABB000 \SystemRoot\System32\Drivers\Fips.SYS
0xA1592000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xA2A7B000 \SystemRoot\system32\DRIVERS\KMWDFILTER.sys
0xA3015000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA19E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA3011000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA1E2000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA157A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA56BA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA753A000 \SystemRoot\System32\drivers\Dxapi.sys
0xA573E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A8C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1CC000 \SystemRoot\System32\igxpdx32.DLL
0xBF436000 \SystemRoot\System32\ATMFD.DLL
0xA155E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA1435000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA571E000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xA13A8000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7507000 \SystemRoot\system32\drivers\sysaudio.sys
0xA128D000 \SystemRoot\system32\DRIVERS\srv.sys
0xA5D04000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xA181C000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xA0F92000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xA079A000 \??\C:\DOCUME~1\user\LOCALS~1\Temp\aswMBR.sys
0xA058F000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
808 C:\WINDOWS\system32\smss.exe
864 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
1144 csrss.exe
1188 C:\WINDOWS\system32\winlogon.exe
1240 C:\WINDOWS\system32\services.exe
1252 C:\WINDOWS\system32\lsass.exe
1412 C:\WINDOWS\system32\svchost.exe
1512 svchost.exe
1588 C:\WINDOWS\system32\svchost.exe
1728 svchost.exe
1832 svchost.exe
2008 C:\WINDOWS\system32\spoolsv.exe
148 svchost.exe
196 C:\Program Files\AVG\AVG10\avgwdsvc.exe
800 C:\Program Files\Java\jre6\bin\jqs.exe
1028 C:\Program Files\AVG\AVG10\avgnsx.exe
1308 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1756 C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
316 C:\WINDOWS\system32\svchost.exe
672 C:\WINDOWS\system32\searchindexer.exe
2076 C:\WINDOWS\explorer.exe
2140 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
2888 C:\WINDOWS\system32\igfxpers.exe
3056 C:\Program Files\ltmoh\ltmoh.exe
3124 C:\WINDOWS\system32\igfxtray.exe
3148 C:\WINDOWS\system32\hkcmd.exe
3172 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3188 C:\Program Files\AVG\AVG10\avgtray.exe
3740 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
608 alg.exe
3548 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
2864 C:\Program Files\AVG\AVG10\avgcsrvx.exe
1544 C:\Program Files\Internet Explorer\iexplore.exe
496 C:\Program Files\Internet Explorer\iexplore.exe
944 C:\WINDOWS\system32\dwwin.exe
2484 C:\WINDOWS\system32\searchprotocolhost.exe
2680 C:\Program Files\Internet Explorer\iexplore.exe
3520 C:\Documents and Settings\user\Desktop\MBRCheck.exe
3808 searchfilterhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WLS, Rev: MA2OA7MA

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

----------------------------------end of MBRcheck-------------------------------------------

hope that helps!

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:52 PM

Posted 04 May 2011 - 07:42 AM

Let's start fixing things then.

Step 1.
MBR backup:

Open notepad and copy/paste the text in the codebox below into it:

MBRCheck -s 0 -d MBRbckp.dat
del %0

Save this as bmbr.bat
Choose to "Save type as - All Files"
Save it on your desktop.
Double click on bmbr.bat & allow it to run

A file MBRbckp.dat will be created on your desktop.

Zip MBRbckp.dat and attach that zipped file in a reply.
Don't proceed until you've done the above.



When done do next step.



Step 2.
aswMBR-fix:

Close all applications

Run aswMBR and Click Scan

On completion of the scan, click the Fix - button


When prompted to restart click Yes

Even so, you might need to restart it manually.


Rerun aswMBR, save the log as before and post it in your next reply.



#5 GarrettF

GarrettF
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 04 May 2011 - 08:49 AM

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-04 08:41:13
-----------------------------
08:41:13.261 OS Version: Windows 5.1.2600 Service Pack 3
08:41:13.261 Number of processors: 1 586 0xD08
08:41:13.261 ComputerName: USER-605BDFAFAA UserName: user
08:41:15.544 Initialize success
08:41:24.137 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:41:24.217 Disk 0 Vendor: WLS MA2 Size: 38154MB BusType: 3
08:41:24.347 Disk 0 MBR read successfully
08:41:24.347 Disk 0 MBR scan
08:41:24.347 Disk 0 Windows XP default MBR code
08:41:24.357 Disk 0 scanning sectors +78124095
08:41:24.437 Disk 0 scanning C:\WINDOWS\system32\drivers
08:41:43.414 Service scanning
08:41:48.792 Disk 0 trace - called modules:
08:41:48.802 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
08:41:48.802 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a64cab8]
08:41:48.802 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000007a[0x8a638650]
08:41:48.802 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a6c1d98]
08:41:48.802 Scan finished successfully
08:43:00.165 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
08:43:00.215 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"


-----------------------------------

she's starting to act right once again. ;)

Attached Files
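The two aswMBR logs in this thread (the infected scan in post #3 and the clean rerun after Fix in post #5) and the MBR backup heir asks for in post #4 are the input for the following added example. It is not code from aswMBR, MBRCheck or the forum post. It pulls the rootkit indicators out of an aswMBR log (the `TDL4@MBR` line, `MBR hidden`, the `**ROOTKIT**` verdict, the `>>UNKNOWN<<` module in the disk call trace and the IRP hook pointing into it) and decodes a raw 512-byte MBR dump such as the MBR.dat aswMBR writes or the MBRbckp.dat produced by `MBRCheck -s 0 -d`. The regular expressions are derived from the log lines on this page; the sample logs and the sample MBR in the block are constructed, and the SHA1 is assumed to be computed over the whole 512-byte sector, as MBRCheck reports it.

```python
"""Triage helpers for the aswMBR output and MBR dumps seen in this thread.

Added example (not code from aswMBR, MBRCheck or the forum post).  The
sample logs and the sample MBR below are constructed for this example.
"""
import hashlib
import re
import struct
import sys

# Indicator lines aswMBR printed in the infected scan earlier in the thread.
RE_MBR_CODE = re.compile(r"Disk (\d+) (\S+)@MBR code has been found")
RE_HIDDEN = re.compile(r"Disk (\d+) MBR hidden")
RE_VERDICT = re.compile(r"Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
RE_HOOK = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")
RE_STARTIO = re.compile(r"\\Driver\\(\w+) -> DriverStartIo ([0-9a-fA-F]+)")

# Constructed excerpts mirroring the two scans posted above (before and after Fix).
INFECTED_LOG = r"""06:23:43.645 Device \Driver\atapi -> DriverStartIo 8a61227f
06:23:43.645 Disk 0 TDL4@MBR code has been found
06:23:43.645 Disk 0 Windows XP default MBR code found via API
06:23:43.645 Disk 0 MBR hidden
06:23:43.645 Disk 0 MBR [TDL4] **ROOTKIT**
06:23:43.645 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a612439]<<
06:23:43.655 \Driver\atapi[0x8a6752d8] -> IRP_MJ_CREATE -> 0x8a612439
06:23:43.655 Scan finished successfully"""
CLEAN_LOG = r"""08:41:24.347 Disk 0 Windows XP default MBR code
08:41:48.802 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
08:41:48.802 Scan finished successfully"""


def triage_aswmbr_log(text: str) -> dict:
    """Collect the rootkit indicators from one aswMBR log and give a verdict."""
    found = {"family": None, "hidden": False, "unknown_modules": [],
             "hooks": [], "startio": [], "finished": False}
    for line in text.splitlines():
        m = RE_MBR_CODE.search(line) or RE_VERDICT.search(line)
        if m:
            found["family"] = m.group(2)          # e.g. "TDL4"
        if RE_HIDDEN.search(line):
            found["hidden"] = True                # the real MBR is being masked
        found["unknown_modules"] += RE_UNKNOWN.findall(line)
        found["hooks"] += RE_HOOK.findall(line)   # (driver, IRP major, target)
        found["startio"] += RE_STARTIO.findall(line)
        if "Scan finished successfully" in line:
            found["finished"] = True
    unknown = {u.lower() for u in found["unknown_modules"]}
    # An IRP hook whose target is the unlisted module shows that the disk
    # stack itself, not only the MBR bytes, is under the rootkit's control.
    found["hook_into_unknown"] = any(t.lower() in unknown for _, _, t in found["hooks"])
    found["infected"] = bool(found["family"] or found["hidden"]
                             or found["unknown_modules"] or found["hooks"])
    return found


def inspect_mbr(mbr: bytes) -> dict:
    """Decode a 512-byte MBR dump (MBR.dat from aswMBR, MBRbckp.dat from
    MBRCheck -d): boot signature, partition table, and a SHA1 of the sector."""
    if len(mbr) != 512:
        raise ValueError("an MBR dump is exactly 512 bytes, got %d" % len(mbr))
    partitions = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"bootable": boot == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "sha1": hashlib.sha1(mbr).hexdigest().upper(),
            "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed MBR: stub boot code, one bootable NTFS partition at LBA 63
    (the XP-era default; 63 * 512 = 0x7e00, the C: offset MBRCheck reported)."""
    code = b"\xfa\x33\xc0" + b"\x90" * (446 - 3)   # cli; xor ax,ax; NOP padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 78124032)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(name, triage_aswmbr_log(log))
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(inspect_mbr(dump))
```

Run it with the path to an MBR dump as its only argument to decode that file; with no argument it decodes the constructed sample. Comparing the SHA1 of the backup taken in step 1 of post #4 with the one MBRCheck prints after the fix is a cheap way to confirm that the sector really changed, and a dump whose boot signature or partition table does not decode should not be restored over a live disk.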



#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:52 PM

Posted 04 May 2011 - 01:03 PM

Let's run a couple of other scans.

Step 1.
Clean temp locations:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 4.
Things I would like to see in your reply:

  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.
  • How is your computer running after those steps?



#7 GarrettF

GarrettF
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 07 May 2011 - 11:36 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/4/2011 6:16:04 PM
mbam-log-2011-05-04 (18-16-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 266019
Time elapsed: 3 hour(s), 35 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{9ee05c21-3cc8-45c8-963e-733f16a3bfce}\RP636\A0085627.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9ee05c21-3cc8-45c8-963e-733f16a3bfce}\RP636\A0085691.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9ee05c21-3cc8-45c8-963e-733f16a3bfce}\RP636\A0085703.dll (Trojan.Agent) -> Quarantined and deleted successfully.

---------------------------

mbam ran and the above is the report it logged; everything deleted successfully. :)

I ran ESET, but I think I removed it after it ran, and forgot to make a copy of its log... although I did copy down what it found.

a variant of Win32/Kryptik.MYS trojan

ESET removed it and my laptop has been running WONDERFULLY ever since! ;)

THANK YOU
THANK YOU
THANK YOU

If you need me to re-run ESET just let me know.

All the best,
GL Fournerat

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:52 PM

Posted 08 May 2011 - 05:01 PM

Hey there, GarrettF!

OK! Well done, your log is clean again!

Time for some housekeeping.

Step 1.
Clean up:

First:
We need to remove all the tools that you have used. This is so that, should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that are left over after you ran OTC.


Second:
Now let's reset and re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected, but that's good news.)

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest.

------

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 25.
  • Click the JDK 6 Update 25 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u25-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u25-windows-i586.exe and select "Run as an Administrator.")

Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
Fifth:
On to personal Anti Virus programs.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
Sixth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!



#9 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:52 PM

Posted 13 May 2011 - 02:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





