
Is My Trojan All Gone? Rootkits Too?


  • This topic is locked
13 replies to this topic

#1 sportshealer

sportshealer

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 20 November 2006 - 08:29 PM

Ok, where to start. Last Wednesday, 11/15/06, I rebooted my computer after it began to slow down. When I went to restart, it prompted me to either reboot with updates or not. I rebooted with updates. Windows installed six updates, then came back on. After the reboot my firewall (Windows XP standard firewall) was disabled, the McAfee Total Protection Suite (paid 24-hour anti-virus surveillance by my company) was off and unable to restart, the 'Turn Off Computer' button was missing from the Start menu, as well as the 'Run...' command, and when I tried Ctrl+Alt+Del, the Task Manager did not pop up.

The error that popped up when I tried to turn my firewall back on was as follows: "Due to an unidentified problem, Windows cannot display Windows Firewall settings." I googled this and found under Microsoft help that the registry files needed to make the Windows Firewall work may have been tampered with. I looked at my registry and all of the values and such that were listed under the Microsoft "fix" were blank. I do not feel comfortable enough with the registry to go in and manually enter this data, so I left it alone and for now have installed the ZoneAlarm full version (11 days left on my trial). I've also since installed the AVG free anti-virus software, AVG Anti-Spyware 7.5, RegistryFix, RootkitRevealer, ComboFix, and HijackThis.

I then ran Spybot Search & Destroy and Ad-Aware SE and found a bunch of malware, adware, etc. (I usually do a check with these two programs at least once a week and never saw all of this stuff). I also ran an online scan with Panda Software and Trend Micro HouseCall. Some of the titles that I found and did my best to clean manually are: Smitfraud-C, Dealio, Toolbar 888, System Doctor 2002, Trojan Horse Downloader.Generic.HGT, Trojan Horse PSW.Generic2.RBR, Trojan Horse Downloader Generic2.WBL.

Anyway, somewhere along the way I read that the virus I acquired was some version of Torpig and installs a hidden keylogger that could potentially send my URLs along with user and pass for any website I'd checked since getting infected. I do everything from online banking, eBay, PayPal, work and personal email, MySpace, etc. on this computer and would have a great deal at risk if there's a keylogger on my PC. Please help! I've since gone to a remote computer and changed all of the user and pass for any sites that I know I visited after the viruses 'popped' up.
I'm also concerned that I have a rootkit on my PC now.

Attached is a current HijackThis log, ComboFix log, McAfee AVERT Stinger log, and RootkitRevealer log:




HIJACKTHIS LOG
________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 4:39:54 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: APEX Weight Center 2.2.0.902 - http://application.bodybugg.com/files/stat...x_2_2_0_902.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YYSBRRVQ - Unknown owner - C:\DOCUME~1\OMGLAP~1\LOCALS~1\Temp\YYSBRRVQ.exe (file missing)






COMBOFIX LOG
________________________________________________________
OMGlaptop - 06-11-20 16:34:54.72 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{44230B50-0A20-1033-0630-050306240001}


((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))


2006-11-20 15:01 <DIR> dr-h----- C:\Documents and Settings\OMGlaptop\Recent
2006-11-20 13:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-20 13:04 360 --a------ C:\Combo.bat
2006-11-16 15:03 <DIR> d-------- C:\Program Files\RegistryFix
2006-11-16 12:57 7,040 --a------ C:\WINDOWS\system32\drivers\RKPavProc.sys
2006-11-16 01:18 <DIR> d-------- C:\Program Files\Atelier Web
2006-11-16 00:29 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-16 00:29 <DIR> d-------- C:\Program Files\Zone Labs
2006-11-16 00:11 <DIR> dr-h----- C:\$VAULT$.AVG
2006-11-15 23:47 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-15 23:47 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-15 23:47 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-15 23:47 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-15 23:47 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-15 23:47 <DIR> d-------- C:\Documents and Settings\OMGlaptop\Application Data\AVG7
2006-11-15 23:46 <DIR> d-------- C:\Program Files\Grisoft
2006-11-15 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-11-15 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-11-15 22:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-15 18:05 186 --a------ C:\WINDOWS\myClean.bat
2006-11-15 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-15 15:41 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-15 15:41 0 --a------ C:\mbbewinj.exe
2006-11-15 15:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 15:33 <DIR> d-------- C:\0e55d051878fddf24b2cd4b0b600f1
2006-11-10 15:26 <DIR> d-------- C:\Program Files\Common Files\iS3
2006-11-10 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZILLAbar
2006-11-10 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2006-11-10 14:37 233,472 --a------ C:\WINDOWS\system32\Ilda32.dll
2006-11-10 14:37 18,944 --a------ C:\WINDOWS\system32\BORLNDMM.DLL
2006-11-10 14:37 <DIR> d-------- C:\Program Files\CoffeeCup Software
2006-11-07 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avanquest Software
2006-11-06 15:03 <DIR> d-------- C:\Program Files\Google
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-31 16:57 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2006-10-31 16:56 <DIR> d-------- C:\WINDOWS\PrimoPDF
2006-10-31 16:56 <DIR> d-------- C:\Program Files\activePDF
2006-10-30 11:48 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
2006-10-24 09:00 <DIR> d-------- C:\Documents and Settings\OMGlaptop\Application Data\Ahead
2006-10-24 08:59 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2006-10-24 08:59 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2006-10-24 08:59 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2006-10-24 08:59 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2006-10-24 08:59 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2006-10-24 08:59 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-10-24 08:59 <DIR> d-------- C:\Program Files\Common Files\Ahead
2006-10-24 08:59 <DIR> d-------- C:\Program Files\Ahead


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-20 16:35 -------- d-------- C:\Program Files\Common Files
2006-11-20 14:55 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-20 10:43 -------- d-------- C:\Program Files\WinRAR
2006-11-20 10:43 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-20 10:40 -------- d-------- C:\Program Files\mobile PhoneTools
2006-11-20 10:31 -------- d-------- C:\Program Files\Internet Explorer
2006-11-20 10:30 -------- d-------- C:\Program Files\FlashGet
2006-11-17 00:04 -------- d-------- C:\Program Files\mIRC
2006-11-15 15:32 -------- d-------- C:\Program Files\Common Files\System
2006-11-14 02:25 -------- d-------- C:\Program Files\Dl_cats
2006-11-07 15:32 -------- d-------- C:\Documents and Settings\OMGlaptop\Application Data\Adobe
2006-10-30 11:52 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2006-10-30 11:52 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-30 10:53 -------- d-------- C:\Program Files\LimeWire
2006-10-30 10:53 -------- d-------- C:\Program Files\Dell Photo AIO Printer 964
2006-10-27 21:56 -------- d-------- C:\Documents and Settings\OMGlaptop\Application Data\LimeWire
2006-10-16 12:23 -------- dr-h----- C:\Documents and Settings\OMGlaptop\Application Data\yahoo!
2006-10-16 09:58 -------- d-------- C:\Program Files\HiFisoftware
2006-10-13 16:54 -------- d---s---- C:\Documents and Settings\OMGlaptop\Application Data\Microsoft
2006-10-13 05:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 05:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 03:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-05 11:19 -------- d-------- C:\Documents and Settings\OMGlaptop\Application Data\FileMaker
2006-10-05 11:18 -------- d-------- C:\Program Files\Flash Code
2006-10-02 08:29 -------- d-------- C:\Program Files\HP
2006-10-02 08:27 -------- d-------- C:\Program Files\Common Files\HP
2006-10-02 08:22 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-09-28 11:31 -------- d-------- C:\Program Files\PDF Combine
2006-09-28 11:31 -------- d-------- C:\Documents and Settings\OMGlaptop\Application Data\Softplicity
2006-09-21 10:23 -------- d-------- C:\Program Files\OfficeUpdate11
2006-09-20 14:19 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-20 14:18 -------- d-------- C:\Documents and Settings\OMGlaptop\Application Data\OpenOffice.org2
2006-09-20 13:55 -------- d-------- C:\Program Files\Yahoo!
2006-09-12 22:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 08:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DLCJCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCJtime.dll,_RunDLLEntry@16"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,05,01,00,00,00,00,00,00,fb,03,00,00,fe,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,05,01,00,00,00,00,00,00,fb,03,00,00,fe,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoUserNameInStartMenu"=dword:00000001
"MaxRecentDocs"=dword:0000000a
"NoStartMenuMFUprogramsList"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoRun"=dword:00000000
"NoClose"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MVS Splash"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\Splash.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"PCTVOICE"="pctspk.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcjmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlcjmon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell Photo AIO Printer 964\\dlcjmon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdates"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"IDriverT"=dword:00000003
"dlcj_device"=dword:00000003
"Ati HotKey Poller"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Optimization Wizard.job

Completion time: 06-11-20 16:36:02.43
C:\ComboFix.txt ... 06-11-20 16:36




MCAFEE AVERT STINGER LOG

________________________________________________________

McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.



Scan initiated on Mon Nov 20 17:29:06 2006

Number of clean files: 170195






ROOT KIT REVEALER LOG 11/20/06 18:24
________________________________________________________

HKLM\S-1-5-21-1390067357-1957994488-1629325827-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C98C7F3F-F506-2B77-7F13-E2E201C062F5}* 10/16/2006 8:16 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/20/2006 5:50 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 4/18/2006 10:07 AM 0 bytes Access is denied.
C:\ComboFix.txt 11/20/2006 4:36 PM 13.43 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\AVG 11/20/2006 6:02 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\AVG Free.lnk 11/15/2006 11:47 PM 1.53 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\avg75free_430a848(1).exe 11/10/2006 4:23 PM 16.70 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\avg75free_430a848.exe 11/15/2006 11:40 PM 16.70 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\AVG\AVG Free.lnk 11/20/2006 6:02 PM 1.53 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\AVG\avg75free_430a848.exe 11/20/2006 6:02 PM 16.70 MB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Combofix 11/20/2006 6:02 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\combofix.exe 11/20/2006 1:03 PM 270.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Combofix\combofix.exe 11/20/2006 6:02 PM 270.50 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Combofix\ComboFix.txt 11/20/2006 6:02 PM 13.43 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\firwall error pic.JPG 11/20/2006 6:05 PM 8.77 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Hijack This! 11/20/2006 6:03 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Hijack This!\hijackthis.exe 11/20/2006 6:03 PM 213.00 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Hijack This!\hijackthisreport1.0.txt 11/20/2006 6:03 PM 4.29 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\hijackthis.exe 11/15/2006 8:54 PM 213.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\hijackthisreport1.0.txt 11/20/2006 4:40 PM 4.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Mcafee 11/20/2006 6:03 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\McAfee Virtual Technician.lnk 11/15/2006 5:44 PM 1.34 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Mcafee\McAfee Virtual Technician.lnk 11/20/2006 6:03 PM 1.34 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Mcafee\mvtapp.exe 11/20/2006 6:03 PM 293.60 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\mvtapp.exe 11/15/2006 4:47 PM 293.60 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Registry Fix 11/20/2006 6:03 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\Registry Fix\registryfix.exe 11/20/2006 6:03 PM 1.30 MB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Desktop\System Scanners,cleaners,etc\registryfix.exe 11/16/2006 3:02 PM 1.30 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\0E068F56d01 11/20/2006 6:00 PM 22.57 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\1588A3EBd01 11/20/2006 5:59 PM 44.19 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\188ED011d01 11/20/2006 6:00 PM 56.81 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\27584B80d01 11/20/2006 6:04 PM 17.22 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\2EC00E73d01 11/20/2006 5:59 PM 27.80 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\39C721E2d01 11/20/2006 6:00 PM 18.04 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\4188AC3Cd01 11/20/2006 6:06 PM 90.74 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\4688AC3Cd01 11/20/2006 6:01 PM 54.49 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\4788AC3Cd01 11/20/2006 5:54 PM 53.63 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\4A58B30Cd01 11/20/2006 5:59 PM 35.49 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\5B2B09A2d01 11/20/2006 6:00 PM 16.88 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\6AB0A520d01 11/20/2006 5:59 PM 64.35 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\6ABFC306d01 11/20/2006 6:04 PM 64.42 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\6EE5D29Bd01 11/20/2006 6:04 PM 21.39 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\767B046Dd01 11/20/2006 6:00 PM 56.83 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\81FD91B9d01 11/20/2006 6:05 PM 23.04 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\8208EAD5d01 11/20/2006 6:07 PM 228.16 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\8209EAD5d01 11/20/2006 6:07 PM 228.05 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\8929BD21d01 11/20/2006 6:04 PM 18.43 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\94621097d01 11/20/2006 5:59 PM 29.51 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\A6B6104Cd01 11/20/2006 6:00 PM 44.44 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\B2E6B6ABd01 11/20/2006 5:59 PM 57.68 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\C190AA86d01 11/20/2006 5:59 PM 59.25 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\CBEC59F8d01 11/20/2006 6:04 PM 21.63 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\E7AC8E62d01 11/20/2006 6:05 PM 74.52 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\F59FECCCd01 11/20/2006 5:59 PM 43.63 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\F927B9E5d01 11/20/2006 6:05 PM 28.74 KB Hidden from Windows API.
C:\Documents and Settings\OMGlaptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\ppvxj2wl.default\Cache\FF4F2942d01 11/20/2006 6:04 PM 64.42 KB Hidden from Windows API.
C:\RECYCLER\S-1-5-21-1390067357-1957994488-1629325827-1003\Dc1.exe 11/10/2006 4:23 PM 16.70 MB Hidden from Windows API.




_________________________________________END__________________________________________

Edited by sportshealer, 21 November 2006 - 02:27 PM.
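A small triage script for log lines of the shape posted above, added here as an example; it is not part of the original post and not code from HijackThis or ComboFix. It parses the O4 (autorun) and O23 (service) entries, then flags the things a malware-response reviewer looks at first: a service whose registered binary no longer exists, and a startup item that runs from a Temp, profile-local or Recycler directory (exactly the pattern of the YYSBRRVQ service in the log). The sample lines below are constructed to match the format of the post; the heuristics, `Finding` class and severity rule are this example's own, not anything the tools define.

```python
"""Triage O4/O23 lines from a HijackThis-style log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the O4/O23 lines in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YYSBRRVQ - Unknown owner - C:\DOCUME~1\OMGLAP~1\LOCALS~1\Temp\YYSBRRVQ.exe (file missing)
""".strip()

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$")
# "O23 - Service: name - owner - path (optional note such as 'file missing')"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>[^()]*)\))?$"
)
# Directories a persistent service binary has no business living in.
SUSPICIOUS_DIR_RE = re.compile(r"\\(?:temp|tmp|locals~1|local settings|recycler)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # "O4" or "O23"
    name: str
    path: str
    reasons: List[str]

    @property
    def severity(self) -> str:
        # One weak signal (e.g. "Unknown owner" on an OEM driver) is common and
        # benign; two or more together is what deserves a closer look.
        return "high" if len(self.reasons) >= 2 else "low"


def parse_entries(log_text: str) -> List[dict]:
    """Return one dict per O4/O23 line; lines of other kinds are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "name": m["name"], "path": m["command"],
                            "owner": "", "note": ""})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m["name"], "path": m["path"],
                            "owner": m["owner"], "note": m["note"] or ""})
    return entries


def assess(entry: dict) -> List[str]:
    """Heuristic reasons an entry merits review (constructed rules, not a vendor signature)."""
    reasons = []
    if SUSPICIOUS_DIR_RE.search(entry["path"]):
        reasons.append("runs from a temporary, profile-local or Recycler directory")
    if "file missing" in entry["note"].lower():
        reasons.append("registered binary no longer exists (leftover service entry)")
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no publisher recorded")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse the log and keep only entries with at least one reason to review."""
    findings = []
    for e in parse_entries(log_text):
        reasons = assess(e)
        if reasons:
            findings.append(Finding(e["kind"], e["name"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run on the sample, the HP and AVG entries are silent, the Broadcom service comes out as a single low-severity note (an unknown owner alone is normal for OEM drivers), and YYSBRRVQ is rated high on all three signals. The leftover entry is exactly the kind of thing a reviewer removes from the registry afterwards, as the reply below does for the `winupdates` key.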



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:34 PM

Posted 21 November 2006 - 09:22 AM

Hello,

Most malware is gone here, though.
Don't worry about the results from RootkitRevealer; this doesn't mean you have a rootkit present, because you don't. You were just surfing the net and using ComboFix, AVG and HijackThis in between while scanning with RootkitRevealer, and that explains the results in the log.

Let's clean some leftovers first and then we'll fix your Windows Firewall.

However, I do have some remarks though... You have Zonealarm installed. Keep in mind, when installing Zonealarm, it automatically disables your Windows Firewall, because both running is a bad idea. That's why Zonealarm disables it.
Anyway, it looks like you can't access Windows Firewall at all.

Another note, I note in your log that you have FlashGet the download manager -
Be aware that the trial copy bundles Cydoor adware, but when you register the Ads disappear. So in case you didn't buy Flashget, I strongly recommend you uninstall it.
To remove the program: Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.

I also see you most probably tweaked a few settings via policies. For example, your username in your startmenu doesn't appear, no saving of shortcuts to documents you recently opened, shortcuts in the documents menu that you opened recently get deleted when you log off etc.
So if you're not aware of these policies being set - let me know. But I am almost sure you set these policies, because no malware is responsible for that.

Delete next 0 bytes file:

C:\mbbewinj.exe

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)
(this should also deal with policies that may be set for your Windows firewall - to disable it with a policy - mainly malware does this)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: (screenshot)
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, concerning the Firewall issue..

1. go to start > run and copy and paste next command in the field:

NETSH FIREWALL RESET

Click ok

Wait till the Dosprompt (black window) closes again.
Then look if you can access the firewall settings again.
If this doesn't work, go to step 2.

2. Go to start > run and copy and paste next command in the field:

services.msc

Search in the list for Windows Firewall/Internet Connection Sharing (ICS) <== if this isn't present, go to step 3.

Click "stop" there.
click OK and close the window.

Then go back to your Controlpanel and click: Windows Firewall
You should get an error then.. telling you that the service Windows Firewall/Internet Connection Sharing (ICS) is disabled/stopped and if you want to enable/start it.
Click Yes/ok
So the service should be started again and you will be able to change settings in it.

3. (Only perform this if previous steps failed)
Download this regfix:
http://windowsxp.mvps.org/reg/sharedaccess.reg
Place it on your desktop.
Now doubleclick sharedaccess.reg
Click yes/ok at the prompt.

Then REBOOT!! Important!

After reboot, go to start > run and copy and paste next command in the field:

NETSH FIREWALL RESET

Click ok

Wait till the Dosprompt (black window) closes again.
Then look if you can access the firewall settings again.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
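To see exactly what the fix.reg above does before merging it, here is an added example (not from the thread, and not a tool the helper uses) that models the registry as a dict and applies the two REGEDIT4 operations the fix relies on: `[-KEY]` deletes a whole key and `"Name"=-` deletes one value. The sample registry snapshot and the `winupdates` command path are constructed; the policy values are what a firewall disabled by policy looks like.

```python
"""Preview what a REGEDIT4 fix.reg does, modelled on a dict instead of a live registry.
Added example, not from the thread: '[-KEY]' deletes a key, '"Name"=-' deletes a value.
The sample registry is constructed; the policy values are what a policy-disabled
Windows Firewall looks like, which is what the fix above removes."""
import re

# The helper's fix.reg, reproduced as the input to apply.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-
"""

FW_POLICY = r"hkey_local_machine\software\policies\microsoft\windowsfirewall"

def sample_registry():
    """Constructed snapshot: lower-cased key path -> {value name: data}."""
    return {
        r"hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\winupdates":
            {"command": r"C:\WINDOWS\winupdates.exe"},  # constructed, not from the log
        FW_POLICY + r"\domainprofile": {"EnableFirewall": 0},
        FW_POLICY + r"\standardprofile": {"EnableFirewall": 0},
    }

_KEY = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')

def apply_reg(text, registry):
    """Apply the delete operations in a REGEDIT4 text; return a list of what changed."""
    lines = text.splitlines()
    # regedit rejects a file without this header, hence "don't forget REGEDIT4" above.
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    actions, current = [], None  # current: values of the key named by the last [KEY]
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            path = m.group(2).lower()  # registry key paths are case-insensitive
            if m.group(1) == "-":
                if registry.pop(path, None) is not None:
                    actions.append("deleted key " + path)
                current = None
            else:
                current = registry.setdefault(path, {})  # a [KEY] line creates it if absent
            continue
        m = _VALUE.match(line)
        if m and current is not None and m.group(2) == "-":
            if current.pop(m.group(1), None) is not None:
                actions.append("deleted value " + m.group(1))
    return actions

def firewall_disabled_by_policy(registry):
    """True while either profile still carries EnableFirewall=0 under Policies."""
    return any(registry.get(FW_POLICY + "\\" + p, {}).get("EnableFirewall") == 0
               for p in ("domainprofile", "standardprofile"))
```

Run `apply_reg(FIX_REG, sample_registry())` to list the three deletions; `firewall_disabled_by_policy` flips from True to False once the two `EnableFirewall` values are gone.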

#3 sportshealer (Topic Starter)

Posted 21 November 2006 - 12:43 PM

Hi Miekiemoes,

Thank you for your prompt reply and help :thumbsup: . So I do not have a rootkit? I use my computer to do online banking, paypal, and other financial transactions and am worried that some keylogger will steal my info without me knowing.

I have a registered version of Flashgot and never have pop up ads so is it ok to leave it?

I deleted that 0 Kb file.

Had to proceed to step 3 of the firewall fix before it worked. Now my Windows XP firewall is back on! :flowers: Thank you! Do you have any recommendations on firewalls? I've heard that windows firewall is not that good.

Cheers,

Sportshealer

#4 miekiemoes (Malware Response Team)

Posted 21 November 2006 - 12:56 PM

Hello,

No, as I already said.. it doesn't mean because rootkitrevealer displays entries that you are dealing with a rootkit.
What rootkitrevealer does is.. it compares the results of a system scan at the highest level with that at the lowest level. When you open programs in between, surf in between or perform anything else in between, rootkitrevealer sees these files as well and that's why it displays them.

Good the firewall issue is solved.

Do you have any recommendations on firewalls? I've heard that windows firewall is not that good.

Well, you already have Zonealarm. This is also a firewall.
Do not install more than one firewall on your system, or you will have a lot of problems. That's also the reason when you install a desktop firewall (like zonealarm), it disables the windows firewall.
In case you want to install another desktop firewall, make sure you uninstall Zonealarm first.

read in my signature under Firewalls for the ones I recommend.

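The explanation above of why RootkitRevealer lists files touched during the scan, turned into a small triage helper as an added example (not from the thread and not part of RootkitRevealer): it parses the tool's text output and separates entries timestamped inside the scan window, which the scan itself explains, from the rest, which deserve a closer look. The log lines, the scan window and the `placeholder.sys` name are all constructed.

```python
"""Split RootkitRevealer discrepancies into scan-time noise and entries to review.
Added example, not from the thread or from RootkitRevealer. The tool diffs a
high-level (Windows API) listing against a low-level (raw hive / NTFS) one, so a
file written while the scan ran, such as a browser cache entry, shows up as
"Hidden from Windows API" without any rootkit being involved. Log lines are
constructed in the tool's text format: <path> <m/d/yyyy h:mm AM/PM> <size> <text>."""
from datetime import datetime
import re

SAMPLE_LOG = r"""C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\x.default\Cache\B2E6B6ABd01 11/20/2006 5:59 PM 57.68 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp 11/20/2006 6:02 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\placeholder.sys 11/03/2006 1:12 AM 24.00 KB Hidden from Windows API.
"""

# Constructed scan window: the time RootkitRevealer was actually running.
SCAN_START = datetime(2006, 11, 20, 17, 55)
SCAN_END = datetime(2006, 11, 20, 18, 10)

# Path is matched lazily so the date pattern, not a space, decides where it ends
# (paths such as "Documents and Settings" contain spaces).
_LINE = re.compile(r"^(?P<path>.+?) (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
                   r"(?P<size>\S+ \S+) (?P<desc>.+)$")

def parse_line(line):
    """Return a dict for one RootkitRevealer line, or None if it is not one."""
    m = _LINE.match(line)
    if not m:
        return None
    return {"path": m["path"],
            "when": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p"),
            "size": m["size"], "desc": m["desc"]}

def triage(log, scan_start, scan_end):
    """Return (noise, review): entries timestamped inside the scan window vs outside.

    Inside the window: the file changed while the two listings were being taken,
    which is the timing mismatch the helper describes. Outside: the discrepancy
    cannot be explained by scan-time activity, so it is worth checking by hand."""
    noise, review = [], []
    for line in log.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        (noise if scan_start <= entry["when"] <= scan_end else review).append(entry)
    return noise, review
```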
#5 sportshealer (Topic Starter)

Posted 21 November 2006 - 01:09 PM

I understand that the Rootkit revealer may show other activity and list it as a mismatch, etc. I guess I'm just looking for some confirmation that I'm essentially safe to use my password sensitive webpages (i.e. bank acct. etc.) again without worrying that my data is getting sent off to India or something.

Also, you mentioned in the first line of your first reply the following...

"Most malware is gone here though.."

When you say most what is still there? I want it ALL to be gone. Please advise.

In regards to the policies I had changed, I use a program called WinXP manager to tweak my system.

Thanks again,

Sportshealer

#6 miekiemoes (Malware Response Team)

Posted 21 November 2006 - 01:24 PM

Hi,

When you say most what is still there? I want it ALL to be gone. Please advise.

Trust me, when I see malware related entries in logs, I won't leave them there, but tell you to delete it :thumbsup:

I was referring to that entry you disabled previously in msconfig (winupdates) + the 0 bytes file + the fact you had Flashget installed (in case you used the unregistered version). That's what I meant with most is gone, just some leftovers. But we dealt with that.

Extra note though.. concerning the winupdates entry you disabled previously..
This was related with a worm.. and this worm was responsible for starting your Limewire and download and share infected zip and rar files to a folder called complete. This is a hidden folder and is present under your Userprofile (C:\Documents and Settings\OMGlaptop).
But I don't see any references anymore to it in your combofixlog. The only reference I saw was that entry you disabled via msconfig.
Every scanner can deal with this infection and I am pretty sure every related file is deleted now.
But if you are still unsure, you can always perform next step (this deals with any leftover that may still be present):


* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture: (screenshot)
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program

#7 sportshealer (Topic Starter)

Posted 21 November 2006 - 02:05 PM

Ok, thank you for the reassurance :thumbsup: . I ran Brute Force Uninstaller. Are there any other processes I need to do to assure that my computer is officially disinfected?

Cheers,

Sportshealer

P.S. I just perused the URL you told me to paste in the BFU, very long log file. Are these all the files that were deleted off of my pc after BFU ran???? :flowers:

#8 miekiemoes (Malware Response Team)

Posted 21 November 2006 - 02:42 PM

P.S. I just perused the URL you told me to paste in the BFU, very long log file. Are these all the files that were deleted off of my pc after BFU ran????

Yes, in case if they were present :thumbsup:
The Alcanshorty script won't delete any legit files and keys, so don't worry.

Are there any other processes I need to do to assure that my computer is officially disinfected

Perform a full scan with an updated AVG to get rid of the leftovers if still present. But most probably this scan will come up clean already :flowers:

As an extra note..
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Java icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
And, it wouldn't hurt either to clean your temp files, cookies etc..
To do this, perform next:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


#9 sportshealer (Topic Starter)

Posted 21 November 2006 - 04:34 PM

Ok, ran full AVG scan, you were right, NOTHING! Sweet. I also ran Spybot and AdAware, just some cookies came up, no malware, viruses, etc.

I tried to download the latest Java as you requested. I will have to try again later because Sun Microsystems java updates is down for maintenance.

If I can get my Mcafee Total Protection service back would you recommend that over the AVG free scanner? My company has 15 paid Mcafee Total Protection accounts. Mine was wiped out by that virus I got.

#10 miekiemoes (Malware Response Team)

Posted 21 November 2006 - 04:46 PM

McAfee is of course more powerful than AVG Free, but! it slows down your system a lot. So in case your system can deal with this heavy package and you don't have any problems with it, reinstall it again.

The reason I am telling you this is because recently a lot of users are having problems after updating their mcafee. You may want to read this thread I posted in recently:
http://www.bleepingcomputer.com/forums/ind...showtopic=66713
I also give some links to other threads there where users are having a lot of problems after updating McAfee.
However, in case it was a bug in McAfee or anything else that was causing this, or an incompatibility issue, they could have already fixed that in a later update.

#11 sportshealer (Topic Starter)

Posted 21 November 2006 - 05:51 PM

Ok, I uninstalled my old Java and installed the new JRE 5.0 update 9. I also uninstalled Zone Alarm Trial since we got my WinXP version running again.

It seems that according to the threads you sent me regarding Mcafee that either Mcafee or Microsoft may be the culprit for actually delivering the Malware/viruses on a computer. Is this the case?

#12 miekiemoes (Malware Response Team)

Posted 21 November 2006 - 06:17 PM

Not sure where you've read that Microsoft or Mcafee deliver malware on a computer..
My point was that some users did experience problems after updating their McAfee. This hasn't anything to do with malware :thumbsup:
But those problems are most probably already fixed.

Anyway....

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
How to use SpywareBlaster

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

Make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :flowers:

Edited by miekiemoes, 21 November 2006 - 06:18 PM.


#13 sportshealer (Topic Starter)

Posted 21 November 2006 - 06:34 PM

Thanks a lot for your help! I feel much more confident that my security and privacy have been restored. Thank you again!!! :huh: :huh: :huh: :huh: :huh: :thumbsup:



Cheers, :flowers:

Sportshealer

#14 miekiemoes (Malware Response Team)

Posted 21 November 2006 - 06:37 PM

You're most welcome :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending me or the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by miekiemoes, 21 November 2006 - 06:37 PM.




