
registry issue: HJPOL and malware/virus possibility?


This topic is locked
18 replies to this topic

#1 wrtigo

  • Members
  • 9 posts

Posted 05 October 2013 - 05:59 PM

Hello:

I am running a Windows XP system. I was updating some of my programs when I came upon the RogueKiller by Tigzy program on my system and decided to run the program to update, which reported back with the following HJPOL key type. I have posted the log below for your review. Below you will also find an AdwCleaner report and a DDS report. They all seem to look different. Also note that I have not deleted or quarantined anything, so I will wait for your instruction.

Thank You.

key type: HJPOL
global: HKLM
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: DisableRegistryTools
Data: 0

 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 10/05/2013 16:08:17
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD400BB-75DEA0 +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5]_S_10052013_02d1608.txt >>

 

=========================

 

 

# AdwCleaner v3.006 - Report created 05/10/2013 at 17:16:55
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin - R1
# Running from : C:\Documents and Settings\Admin\My Documents\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v19.0.2 (en-US)

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\xzk36lty.default-1362958483423\prefs.js ]

*************************

AdwCleaner[R0].txt - [922 octets] - [05/10/2013 17:16:55]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [981 octets] ##########

 

=======================

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Admin at 17:59:36 on 2013-10-05
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Desktop 9.7\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1364077436\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
EB: RealGuide: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853} : NameServer = 192.168.0.1
TCP: Interfaces\{C1DB031C-DEF5-4D78-959D-B6343A61388E} : NameServer = 205.188.146.145
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - <orphaned>
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - <orphaned>
Notify: NavLogon - c:\windows\system32\NavLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\xzk36lty.default-1362958483423\
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R? NUVision;Studio PCTV USB/Radio (NTSC)
R? nvTUNEP;nVidia WDM TVTuner
S? tbcspud;Santa Cruz Driver
S? tbcwdm;Santa Cruz WDM Driver
.
=============== Created Last 30 ================
.
2013-10-05 21:16:41 -------- d-----w- C:\AdwCleaner
2013-09-27 14:33:34 33588 ----a-r- c:\windows\system32\drivers\wanatw4.sys
.
==================== Find3M  ====================
.
.
============= FINISH: 18:03:41.48 ===============

 

THANK YOU.





#2 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 October 2013 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Delete your current version of RogueKiller.
Download and run the latest version.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
You can safely fix this item.
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

Post a fresh log.

Run the AdwCleaner tool and remove all items found.

===

Let me know of any issues with this computer.

#3 wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 09 October 2013 - 03:00 PM

Hello nasdaq,

Thank you for responding to my posting. I downloaded the 32-bit version and for the last couple of days tried running the program through its paces. However, it has stalled and crashed and has not run through to 100%. Please help.

Thank You.


Edited by wrtigo, 09 October 2013 - 03:09 PM.


#4 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 October 2013 - 08:36 AM

Try this one.

Download correct tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

#5 wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 10 October 2013 - 10:33 AM

Hello nasdaq:

Below are the Farbar logs (two) for your review.

Thank You.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by Admin (administrator) on R1 on 10-10-2013 10:42:48
Running from C:\Documents and Settings\Admin\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(PCtel, Inc.) C:\WINDOWS\system32\pctspk.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(AOL Inc.) C:\Program Files\AOL Desktop 9.7\waol.exe
(AOL LLC) C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
(AOL Inc.) C:\Program Files\AOL Desktop 9.7\shellmon.exe
(AOL Inc.) C:\Program Files\Common Files\AOL\1364077436\ee\aolsoftware.exe
(AOL Inc.) C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(AOL Inc.) C:\Program Files\AOL Desktop 9.7\AOLBrowser\aolbrowser.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\NavLogon: C:\WINDOWS\system32\NavLogon.dll ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x00ABCEE4B2C3CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM - DefaultScope value is missing.
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Hosts: 127.0.0.1 localhost
Tcpip\..\Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853}: [NameServer]192.168.0.1
Tcpip\..\Interfaces\{C1DB031C-DEF5-4D78-959D-B6343A61388E}: [NameServer]205.xxx.xxx.xxx

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\xzk36lty.default-1362958483423
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF HKCU\...\Firefox\Extensions: [{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}] - C:\Program Files\DAP\DAPFireFox

========================== Services (Whitelisted) =================

R3 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46640 2006-10-23] (AOL LLC)
R2 Pctspk; C:\Windows\system32\pctspk.exe [86016 2001-08-17] (PCtel, Inc.)

==================== Drivers (Whitelisted) ====================

R2 Aspi32; C:\Windows\System32\Drivers\Aspi32.sys [23936 1997-12-22] (Adaptec)
R1 BANTExt; C:\Windows\System32\Drivers\BANTExt.sys [3840 2011-08-09] ()
S3 EL90XBC; C:\Windows\System32\DRIVERS\el90xbc5.sys [66591 2001-08-17] (3Com Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-10-09] (Malwarebytes Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NUVision; C:\Windows\System32\DRIVERS\NUVision.sys [151104 2006-10-31] (Nogatech Ltd.)
S3 Ptserlp; C:\Windows\System32\DRIVERS\ptserlp.sys [112574 2001-08-17] (PCTEL, INC.)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 tbcspud; C:\Windows\System32\drivers\tbcspud.sys [149632 2003-06-23] (Voyetra Turtle Beach)
R3 tbcwdm; C:\Windows\System32\drivers\tbcwdm.sys [554304 2003-06-23] (Voyetra Turtle Beach)
U3 TrueSight; C:\WINDOWS\system32\TrueSight.sys [26624 2013-10-08] ()
R0 Vmodem; C:\Windows\System32\DRIVERS\vmodem.sys [604253 2001-08-17] (PCTEL, INC.)
R0 Vpctcom; C:\Windows\System32\DRIVERS\vpctcom.sys [397502 2001-08-17] (PCtel, Inc.)
R0 Vvoice; C:\Windows\System32\DRIVERS\vvoice.sys [64605 2001-08-17] (PCtel, Inc.)
R3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
S3 catchme; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys [x]
S2 nvcap; system32\DRIVERS\nvcap.sys [x]
S2 nvTUNEP; system32\DRIVERS\nvtunep.sys [x]
S2 NVXBAR; system32\DRIVERS\NVxbar.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-10 10:42 - 2013-10-10 10:42 - 00000000 ____D C:\FRST
2013-10-10 10:40 - 2013-10-05 16:52 - 01087213 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2013-10-09 19:21 - 2013-10-09 19:21 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-10-09 13:56 - 2013-10-09 15:04 - 00000960 _____ C:\Documents and Settings\Admin\My Documents\ag - farm - apple 2013.txt
2013-10-09 11:09 - 2003-01-10 17:13 - 00033588 ____R (America Online, Inc.) C:\WINDOWS\system32\Drivers\wanatw4.sys
2013-10-07 14:25 - 2013-10-08 17:49 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys
2013-10-07 14:14 - 2013-10-07 14:14 - 00950272 _____ C:\Documents and Settings\Admin\Desktop\RogueKiller.exe
2013-10-05 18:04 - 2013-10-05 18:04 - 00006946 _____ C:\Documents and Settings\Admin\Desktop\attach.txt
2013-10-05 17:16 - 2013-10-09 20:15 - 00000000 ____D C:\AdwCleaner
2013-10-05 16:08 - 2013-10-05 16:08 - 00001321 _____ C:\Documents and Settings\Admin\Desktop\RKreport[5]_S_10052013_02d1608.txt
2013-09-30 18:45 - 2013-09-30 18:45 - 00000131 _____ C:\Documents and Settings\Admin\My Documents\hooks.txt

==================== One Month Modified Files and Folders =======

2013-10-10 10:42 - 2013-10-10 10:42 - 00000000 ____D C:\FRST
2013-10-10 10:25 - 2006-10-23 18:10 - 01705200 _____ C:\WINDOWS\WindowsUpdate.log
2013-10-10 10:25 - 2005-02-24 07:32 - 00018059 _____ C:\WINDOWS\system32\nvapps.xml
2013-10-10 10:24 - 2006-10-23 18:19 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-10-09 20:22 - 2006-10-23 19:51 - 00000178 ___SH C:\Documents and Settings\Admin\ntuser.ini
2013-10-09 20:22 - 2006-10-23 18:19 - 00032642 _____ C:\WINDOWS\SchedLgU.Txt
2013-10-09 20:15 - 2013-10-05 17:16 - 00000000 ____D C:\AdwCleaner
2013-10-09 19:21 - 2013-10-09 19:21 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-10-09 15:04 - 2013-10-09 13:56 - 00000960 _____ C:\Documents and Settings\Admin\My Documents\ag - farm - apple 2013.txt
2013-10-09 14:49 - 2006-10-23 19:51 - 00000000 ____D C:\Documents and Settings\Admin
2013-10-09 11:09 - 2012-08-19 17:59 - 00485980 _____ C:\WINDOWS\setupapi.log
2013-10-08 17:49 - 2013-10-07 14:25 - 00026624 _____ C:\WINDOWS\system32\TrueSight.sys
2013-10-08 17:49 - 2013-04-01 13:55 - 00000000 ____D C:\Documents and Settings\Admin\Desktop\RK_Quarantine
2013-10-07 14:14 - 2013-10-07 14:14 - 00950272 _____ C:\Documents and Settings\Admin\Desktop\RogueKiller.exe
2013-10-06 17:16 - 2013-04-18 19:53 - 00000000 ____D C:\Documents and Settings\Admin\Local Settings\Application Data\CutePDF Writer
2013-10-06 16:31 - 2013-02-23 15:19 - 00000000 ____D C:\WINDOWS\erdnt
2013-10-05 18:03 - 2013-04-04 13:21 - 00003817 _____ C:\Documents and Settings\Admin\Desktop\dds.txt
2013-10-05 16:52 - 2013-10-10 10:40 - 01087213 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2013-10-05 15:54 - 2012-04-21 09:13 - 00000000 ____D C:\Program Files\CCleaner
2013-09-30 18:45 - 2013-09-30 18:45 - 00000131 _____ C:\Documents and Settings\Admin\My Documents\hooks.txt

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-10-2013
Ran by Admin at 2013-10-10 10:45:03
Running from C:\Documents and Settings\Admin\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

==================== Installed Programs ======================

Adobe Flash Player 11 ActiveX (Version: 11.3.300.268)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
AOL Uninstaller (Choose which Products to Remove)
Belarc Advisor 8.2 (Version: 8.2.7.7)
CCleaner (Version: 4.06)
CutePDF Writer 3.0 (Version:  3.0)
ERUNT 1.1j
ESET Online Scanner v3
Google Update Helper
GPL Ghostscript (Version: 9.07)
InterVideo WinDVD
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 (Version: 2.0.50727)
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox 19.0.2 (x86 en-US) (Version: 19.0.2)
NVIDIA Drivers
OpenOffice.org 3.3 (Version: 3.3.9567)
RealPlayer G2
Retouch Pilot Free 3.5.3 (Version: 3.5.3)
Revo Uninstaller 1.94 (Version: 1.94)
SumatraPDF 2.2.1 (Version: 2.2.1)
Turtle Beach Santa Cruz (Version: 5.12.1.4193)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver

==================== Restore Points  =========================

12-07-2013 17:26:51 System Checkpoint
13-07-2013 17:49:13 System Checkpoint
14-07-2013 20:19:46 System Checkpoint
15-07-2013 23:09:52 System Checkpoint
17-07-2013 18:58:15 System Checkpoint
18-07-2013 22:42:07 System Checkpoint
20-07-2013 14:14:08 System Checkpoint
21-07-2013 19:18:01 System Checkpoint
22-07-2013 22:32:52 System Checkpoint
24-07-2013 20:50:58 System Checkpoint
26-07-2013 19:18:14 System Checkpoint
28-07-2013 16:32:36 System Checkpoint
29-07-2013 19:38:13 System Checkpoint
30-07-2013 21:38:55 System Checkpoint
31-07-2013 22:01:30 System Checkpoint
01-08-2013 22:37:56 System Checkpoint
03-08-2013 15:09:49 System Checkpoint
04-08-2013 19:31:27 System Checkpoint
06-08-2013 18:08:32 System Checkpoint
07-08-2013 20:43:12 System Checkpoint
09-08-2013 17:29:23 System Checkpoint
11-08-2013 20:19:38 System Checkpoint
12-08-2013 20:25:48 System Checkpoint
13-08-2013 20:38:39 System Checkpoint
14-08-2013 21:27:26 System Checkpoint
15-08-2013 22:11:48 System Checkpoint
17-08-2013 13:38:14 System Checkpoint
18-08-2013 21:40:57 System Checkpoint
19-08-2013 22:24:12 System Checkpoint
20-08-2013 22:32:05 System Checkpoint
21-08-2013 22:43:17 System Checkpoint
22-08-2013 23:18:12 System Checkpoint
24-08-2013 14:18:34 System Checkpoint
25-08-2013 14:59:38 System Checkpoint
26-08-2013 16:23:41 System Checkpoint
27-08-2013 16:26:34 System Checkpoint
28-08-2013 17:06:08 System Checkpoint
29-08-2013 20:28:49 System Checkpoint
30-08-2013 20:59:03 System Checkpoint
01-09-2013 23:11:19 System Checkpoint
03-09-2013 18:09:03 System Checkpoint
04-09-2013 18:15:39 System Checkpoint
05-09-2013 21:13:52 System Checkpoint
07-09-2013 18:20:50 System Checkpoint
08-09-2013 21:00:50 System Checkpoint
09-09-2013 23:21:01 System Checkpoint
10-09-2013 23:32:09 System Checkpoint
12-09-2013 16:43:19 System Checkpoint
13-09-2013 18:55:00 System Checkpoint
16-09-2013 15:56:07 System Checkpoint
17-09-2013 16:14:16 System Checkpoint
19-09-2013 12:56:11 System Checkpoint
21-09-2013 12:05:44 System Checkpoint
22-09-2013 22:07:45 System Checkpoint
23-09-2013 23:02:26 System Checkpoint
24-09-2013 23:07:29 System Checkpoint
26-09-2013 00:04:42 System Checkpoint
27-09-2013 16:42:13 System Checkpoint
29-09-2013 19:59:47 System Checkpoint
01-10-2013 17:29:58 System Checkpoint
03-10-2013 15:09:18 System Checkpoint
04-10-2013 18:44:48 System Checkpoint
07-10-2013 17:33:50 System Checkpoint
08-10-2013 17:49:11 System Checkpoint
09-10-2013 21:09:13 System Checkpoint

==================== Hosts content: ==========================

2013-03-05 13:41 - 2013-04-14 16:12 - 00000019 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

==================== Loaded Modules (whitelisted) =============

2000-12-22 07:51 - 2000-12-22 07:51 - 00028672 _____ () C:\WINDOWS\system32\NavLogon.dll
2013-04-28 19:36 - 2012-10-04 19:50 - 00088688 _____ () C:\WINDOWS\system32\cpwmon2k.dll
2006-10-29 15:31 - 2006-09-14 01:20 - 00126464 _____ () C:\Program Files\WinRAR\rarext.dll
2012-04-20 18:50 - 2012-04-20 18:50 - 00048640 _____ () C:\Program Files\AOL Desktop 9.7\zlib.dll
2012-04-20 18:50 - 2012-04-20 18:50 - 00094208 _____ () C:\Program Files\AOL Desktop 9.7\Components\Tier2Svc.dll
2012-04-20 18:50 - 2012-04-20 18:50 - 00060928 _____ () C:\Program Files\AOL Desktop 9.7\Components\DataSvcs.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: 3Com
Service: EL90XBC
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (08/27/2013 04:56:57 PM) (Source: Application Error) (User: )
Description: Faulting application sinf.exe, version 2.6.4.1, faulting module sysinfo.dll, version 2.6.4.1, fault address 0x000423dd.
Processing media-specific event for [sinf.exe!ws!]

Error: (08/27/2013 04:49:48 PM) (Source: Application Error) (User: )
Description: Faulting application sinf.exe, version 2.6.4.1, faulting module mshtml.dll, version 8.0.6001.19394, fault address 0x001d0c40.
Processing media-specific event for [sinf.exe!ws!]

Error: (08/27/2013 04:49:15 PM) (Source: Application Error) (User: )
Description: Faulting application sinf.exe, version 2.6.4.1, faulting module sysinfo.dll, version 2.6.4.1, fault address 0x000423dd.
Processing media-specific event for [sinf.exe!ws!]

Error: (08/19/2013 06:11:12 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module flash32_11_3_300_268.ocx, version 11.3.300.268, fault address 0x004729b9.
Processing media-specific event for [iexplore.exe!ws!]

System errors:
=============
Error: (10/10/2013 10:24:57 AM) (Source: Service Control Manager) (User: )
Description: The nVidia WDM A/V Crossbar service failed to start due to the following error:
%%2

Error: (10/10/2013 10:24:57 AM) (Source: Service Control Manager) (User: )
Description: The nVidia WDM TVTuner service failed to start due to the following error:
%%2

Error: (10/10/2013 10:24:57 AM) (Source: Service Control Manager) (User: )
Description: The nVidia WDM Video Capture (universal) service failed to start due to the following error:
%%2

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (10/09/2013 07:59:31 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.

Microsoft Office Sessions:
=========================
Error: (08/27/2013 04:56:57 PM) (Source: Application Error)(User: )
Description: sinf.exe2.6.4.1sysinfo.dll2.6.4.1000423dd

Error: (08/27/2013 04:49:48 PM) (Source: Application Error)(User: )
Description: sinf.exe2.6.4.1mshtml.dll8.0.6001.19394001d0c40

Error: (08/27/2013 04:49:15 PM) (Source: Application Error)(User: )
Description: sinf.exe2.6.4.1sysinfo.dll2.6.4.1000423dd

Error: (08/19/2013 06:11:12 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702flash32_11_3_300_268.ocx11.3.300.268004729b9

==================== Memory info ===========================

Percentage of memory in use: 88%
Total physical RAM: 127.07 MB
Available physical RAM: 14.22 MB
Total Pagefile: 305.81 MB
Available Pagefile: 45.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.05 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:37.25 GB) (Free:3.82 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: 1D8D1D8C)
Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#6 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 October 2013 - 12:56 PM

The log is clean.

What is the remaining issue with this computer?

#7 wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 10 October 2013 - 01:54 PM

Hello nasdaq:

The RogueKiller32 program is still not able to run.

Thank You.



#8 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 October 2013 - 08:14 AM

What is the current problem with this computer?

I need to know in order to suggest a possible solution.

#9 wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 11 October 2013 - 03:09 PM

Hello nasdaq:

The system was running properly but a bit slow, so I launched the RogueKiller and AdwCleaner programs to see if I could pinpoint any problems. This is when the RogueKiller program showed the registry issue with HJPOL. So I posted the logs here. You then were nice enough to point out the updated version of RogueKiller32 (XP) and provided me the link to download and launch the program, but I have not been able to run it successfully. It either crashes or freezes. Then you asked me to run the Farbar software; I posted that log and agree with you that it looks fine. But what about RogueKiller32 not running properly, and the logs that had registry problems?

Thank You.


Edited by wrtigo, 11 October 2013 - 03:25 PM.


#10 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 October 2013 - 06:51 AM

Delete the folder and file in bold.

C:\Documents and Settings\Admin\Desktop\RK_Quarantine
C:\Documents and Settings\Admin\Desktop\RogueKiller.exe

Download a fresh copy of the .exe and place it on your Desktop, not the desktop folder you created in the Documents and Settings folder.

How is it now?

#11 wrtigo

wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 12 October 2013 - 03:50 PM

Hello nasdaq:

I deleted the original downloaded copy and re-downloaded a fresh one. It was able to run through within minutes and I posted the log below. I have not deleted or changed anything from the log. Waiting for your next direction. Thank You.

 

RogueKiller V8.7.2 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 10/12/2013 16:39:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD400BB-75DEA0 +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10122013_163949.txt >>


Thank You.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 October 2013 - 07:16 AM

Run the RogueKiller tool and fix these registry items. They will be replaced.

[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any remaining issues with this computer.

#13 wrtigo

wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 13 October 2013 - 02:04 PM

Hello nasdaq:

I ran the RogueKiller program to correct the items in the Registry that you highlighted. I hope I did the right thing by clicking the delete button on the program? Please let me know. What about the Driver items listed in the log below? They still seem to be listed. Security Check log also pasted below. Thank You.

 

RogueKiller V8.7.2 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Remove -- Date : 10/13/2013 14:32:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)
[Inline] EAT @iexplore.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)
[Inline] EAT @iexplore.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD400BB-75DEA0 +++++
--- User ---
[MBR] 3a4b055ac942a9f30e2a459eabdf1f76
[BSP] d8530313a4a7d15b2a7fcbe346dffeff : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_10132013_143259.txt >>
RKreport[0]_S_10122013_163949.txt;RKreport[0]_S_10132013_143243.txt

----

 Results of screen317's Security Check version 0.99.74 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100 
 Out of date Malwarebytes Anti-Malware installed!
 CCleaner    
 Adobe Flash Player  11.7.700.224 
 Mozilla Firefox 19.0.2 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````

Thank You.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 October 2013 - 07:39 AM


[Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)
[Inline] EAT @iexplore.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)
[Inline] EAT @iexplore.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)


MSVCR90.dll is Microsoft Visual C Runtime Link Library. It's required by an application you are using.
===

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

Take care of the old versions of programs listed in the SecurityCheck log.
===

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time they are not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful addons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon,
  • ScriptNo a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===
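The two findings that carry this thread are the "[HJ POL]" registry lines nasdaq asked to have fixed in post #12 and the "[Inline] EAT ... HOOKED" driver lines he explains above. The script below is an added example, not code from this thread or from RogueKiller: it parses those report lines and separates a policy value that merely exists from one that is actually restricting something. In the posted scan, DisableRegistryTools is present with data 0 (the Registry Editor is not blocked; RogueKiller flags the value's presence), while DisableSR is 1 (System Restore really is turned off), which is why the removal run deletes the first two and replaces the third with 0. The sample lines are copied from the report above; the regexes, the RESTRICTIVE_WHEN_NONZERO table and the "msvcr" prefix test are my own assumptions for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the registry and driver lines exactly as they appear
# in the RogueKiller scan posted in this thread ("[...]" is RogueKiller's own
# abbreviation of the ...\Windows\CurrentVersion\Policies path).
SAMPLE_LOG = r"""
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ][PUM] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)
"""

# Line shapes (assumed from the posted report, not RogueKiller's documented format):
#   [TAG][TAG] HIVE\path : ValueName (data) -> STATUS [(new data)]
#   [Inline] TABLE @process (symbol) : module -> HOOKED (target)
REG_LINE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+) (?P<path>\S+) : (?P<name>\S+) "
    r"\((?P<data>[^)]*)\) -> (?P<status>\w+)(?: \((?P<new>[^)]*)\))?\s*$"
)
HOOK_LINE = re.compile(
    r"^\[Inline\] (?P<table>\w+) @(?P<process>\S+) \((?P<symbol>[^)]*)\) : "
    r"(?P<module>\S+) -> HOOKED \((?P<target>[^)]*)\)\s*$"
)

# Policy values whose non-zero data removes a capability. A value that exists
# with data 0 changes nothing, even though the scanner still reports it.
RESTRICTIVE_WHEN_NONZERO = {
    "DisableRegistryTools": "Registry Editor is blocked for this user/machine",
    "DisableSR": "System Restore is disabled",
}


@dataclass
class RegistryFinding:
    tags: List[str]
    hive: str
    path: str
    name: str
    data: str
    status: str
    new_data: Optional[str]

    @property
    def restriction(self) -> str:
        """'active' if the value currently restricts something, 'inactive' if it
        is a known policy set to 0, 'unknown' for values not in the table."""
        if self.name not in RESTRICTIVE_WHEN_NONZERO:
            return "unknown"
        return "inactive" if self.data.strip() == "0" else "active"


@dataclass
class HookFinding:
    table: str
    process: str
    symbol: str
    module: str
    target: str

    @property
    def is_vc_runtime(self) -> bool:
        # msvcr*.dll is the Microsoft Visual C runtime (assumed prefix check).
        return self.module.lower().startswith("msvcr")


def parse_report(text: str) -> Tuple[List[RegistryFinding], List[HookFinding]]:
    """Split a RogueKiller-style report into registry and hook findings."""
    regs: List[RegistryFinding] = []
    hooks: List[HookFinding] = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs.append(RegistryFinding(
                tags=re.findall(r"\[([^\]]+)\]", m["tags"]),
                hive=m["path"].split("\\", 1)[0],
                path=m["path"], name=m["name"], data=m["data"],
                status=m["status"], new_data=m["new"]))
            continue
        m = HOOK_LINE.match(line)
        if m:
            hooks.append(HookFinding(m["table"], m["process"], m["symbol"],
                                     m["module"], m["target"]))
    return regs, hooks


def summarize(text: str) -> dict:
    """Report which flagged policy values actually bite and where hooks land."""
    regs, hooks = parse_report(text)
    return {
        "registry": len(regs),
        "active": [f"{f.hive}\\{f.name}" for f in regs if f.restriction == "active"],
        "inactive": [f"{f.hive}\\{f.name}" for f in regs if f.restriction == "inactive"],
        "hooks_in_vc_runtime": sum(h.is_vc_runtime for h in hooks),
        "hooks_other": sum(not h.is_vc_runtime for h in hooks),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Run against the posted scan, the summary lists only HKLM\DisableSR as an active restriction and both DisableRegistryTools entries as inactive, and the single EAT hook falls inside the Visual C runtime module. The same parser handles the "-> REPLACED (0)" lines of the removal log, exposing the new data in `new_data`.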

#15 wrtigo

wrtigo
  • Topic Starter

  • Members
  • 9 posts

Posted 14 October 2013 - 05:10 PM

Hello nasdaq:

 

Some questions. In the last posting you mentioned that I should uninstall ComboFix. You did not instruct me to run this program. Is it something that I should run?

 

How do we find out what application MSVCR90.dll is using? Is this something that should be installed on the system? 

 

In the future, if I should decide to uninstall Security Check, what is the best way to do so? The same with RogueKiller and AdwCleaner?

 

Thank You.
