Malware Removal & HijackThis Logs
10-May-2008, 09:05 AM
#1
Solved: Explorer crashes, Internet Explorer popups and error messages

Hello everyone and thank you for participating in this wonderful site. My computer is a Pentium 4, 2.80 GHz, running Windows XP Professional Version 2002 Service Pack 2. The problem I'm writing about has been there for about a year. All in all it's the same problem ever since, but every once in a while some detail changes, like a new error message.

Every 5-15 minutes or so the Start Menu taskbar and the desktop icons disappear (Explorer crashes). Most of the time they reappear shortly after, but sometimes they don't, and then I use Task Manager to run explorer and they reappear. Yet sometimes the computer gets stuck altogether, and I have to restart. In addition to that, many popups open when I surf the web using Internet Explorer. The popup changes every few days, but in between it's always the same one. Another point is that while the crashing of Explorer can occur anytime, it most often occurs while I open or close Internet Explorer windows.

Sometimes I get an error message, and as I said, they change from time to time. But still, here are 2:

rundll32.exe - Application Error
The instruction at "0x74725956" referenced memory at "0x00a10004". The memory could not be "read".
Click on ok to terminate program. Click on cancel to debug the program.

Another error message:

Microsoft Visual C++ Runtime Library
Buffer overrun detected!
Program: C:\WINDOWS\explorer.exe
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

As I said, the problem first appeared about a year ago. Back then I had a firewall working but had no antivirus. Now I have the antivirus NOD32 installed, and when I run it it finds some problems it can't fix. It also pops up sometimes about threats that are currently running, and I can choose to terminate or delete them, but it doesn't solve the problem either.
Several anti malware programs got similar results. I found a post with a similar problem that was solved. Its title is: "Solved: Taskbar and Desktop Icons Gone and Can't Get Rid of Virus' or Malware??? Not sure" by Sweetsherry. But the solution is very specific for that user, and I can't apply it on my computer. On that post it seemed important to post the log of HijackThis, so I will also post mine:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:56, on 10/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\wincmd - new\TOTALCMD.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Download\Try 2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BM13378bcf] Rundll32.exe "C:\WINDOWS\system32\ygnjulop.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [1004b853] rundll32.exe "C:\WINDOWS\system32\ycfadxoo.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Babylon.lnk = C:\Program Files\Babylon\Babylon.exe
O4 - Global Startup: Total Commander.lnk = C:\Program Files\wincmd - new\TOTALCMD.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE9CB3DC-42D5-4909-876D-F55CD4D44C0F}: NameServer = 212.150.49.10 62.90.42.110
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5127 bytes

And again, thanks a lot for your help.
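The two O4 entries in the log above that launch rundll32.exe with an eight-letter DLL from system32 (ygnjulop.dll, ycfadxoo.dll) are the kind of autostart a log reader checks first. The Python script below is an added example, not part of the thread and not a HijackThis feature: it scores HijackThis lines with those heuristics, plus the "(file missing)" orphan check that the follow-up log in this thread surfaces, over a constructed subset of the entries posted here. The scoring weights are the example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the HijackThis entries posted in this thread
# (first log plus two entries from the follow-up log). Not the full log.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: {19200ac0-f38b-5f49-d064-f78c7ff2ff75} - {57ff2ff7-c87f-460d-94f5-b83f0ca00291} - C:\WINDOWS\system32\vstmskqi.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BM13378bcf] Rundll32.exe "C:\WINDOWS\system32\ygnjulop.dll",s
O4 - HKLM\..\Run: [1004b853] rundll32.exe "C:\WINDOWS\system32\ycfadxoo.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O20 - Winlogon Notify: qomlkli - qomlkli.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# rundll32 used as the autostart launcher for a DLL under system32, with the
# optional ",export" suffix HijackThis prints after the closing quote.
RUNDLL32_SYSTEM32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\(?P<dll>[^"\s,]+)"?(?:,(?P<export>\S*))?',
    re.IGNORECASE,
)
# Eight lowercase letters, e.g. ygnjulop.dll. Weak on its own (explorer.exe and
# narrator.exe are also eight letters), so it only adds weight to a rundll32 hit.
RANDOM_BASENAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
# Run value names that are hex blobs rather than product names: BM13378bcf, 1004b853.
HEX_VALUE_NAME = re.compile(r"^(?:BM)?[0-9a-f]{8,}$")
VALUE_NAME = re.compile(r"\[([^\]]*)\]")


def score_line(line: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one HijackThis entry. Higher means look closer."""
    score, reasons = 0, []
    m = RUNDLL32_SYSTEM32.search(line)
    if m:
        score += 2
        reasons.append("rundll32 loads a DLL from system32 at logon")
        export = m.group("export")
        if export is not None and len(export) == 1:
            score += 1
            reasons.append("single-letter export name")
        if RANDOM_BASENAME.match(m.group("dll").lower()):
            score += 1
            reasons.append("eight-letter random-looking DLL name")
    name = VALUE_NAME.search(line)
    if name and HEX_VALUE_NAME.match(name.group(1)):
        score += 1
        reasons.append("Run value name is a hex blob, not a product name")
    if "(file missing)" in line.lower():
        # Orphaned BHO/Winlogon entries: the file is gone but the hook remains.
        score += 2
        reasons.append("autostart points at a file that no longer exists")
    return score, reasons


def triage(log_text: str, threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Score every non-empty line; return those at or above threshold, highest first."""
    findings: List[Tuple[str, int, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        score, reasons = score_line(line)
        if score >= threshold:
            findings.append((line, score, reasons))
    findings.sort(key=lambda f: -f[1])  # stable sort: ties keep log order
    return findings


if __name__ == "__main__":
    for line, score, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {line}")
        for r in reasons:
            print(f"      - {r}")
```

Entries that score 0 (CTFMON, NOD32, the Skype BHO) are the vendor-named autoruns the helper left alone; the four that are flagged are exactly the ones ComboFix removed or left orphaned later in the thread.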
10-May-2008, 06:56 PM
#2
Welcome to TSG

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
Do not mouseclick combofix's window while it's running. That may cause it to stall.
__________________ My Blog Microsoft Valuable Professional Consumer--Security 2007-2009 If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here Concerned about Browser Security!!! Consider Mozilla Firefox 3.0 and NoScript Operating System Ubuntu Gusty Gibbon 7.10 |
11-May-2008, 06:33 AM
#3
Thank you for your help. Combofix log:

ComboFix 08-05-09.1 - haim 05/11/2008 13:14:10.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.56 [GMT 3:00]
Running from: C:\Documents and Settings\haim\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 22:17 2,112 ----a-w C:\WINDOWS\system32\mkiobrih.exe
2008-05-09 22:16 2,112 ----a-w C:\WINDOWS\system32\moelrtit.exe
2008-05-09 22:00 --------- d-----w C:\Program Files\Java
2008-05-09 21:58 --------- d-----w C:\Program Files\Common Files\Java
2008-05-08 22:10 2,112 ----a-w C:\WINDOWS\system32\xpqygmmt.exe
2008-05-07 22:14 2,112 ----a-w C:\WINDOWS\system32\mfpsxpxv.exe
2008-05-06 22:11 2,112 ----a-w C:\WINDOWS\system32\wpwvwiuh.exe
2008-05-06 22:08 104,512 ----a-w C:\WINDOWS\system32\nwajfexs.dll
2008-05-04 22:04 104,512 ----a-w C:\WINDOWS\system32\chftwkff.dll
2008-04-30 15:59 --------- d-----w C:\Program Files\wincmd - new
2008-04-26 22:34 --------- d-----w C:\Program Files\Daemon
2008-04-22 15:28 97,856 ----a-w C:\WINDOWS\system32\ermhyrnp.dll
2008-04-21 15:27 97,344 ----a-w C:\WINDOWS\system32\lnfbqjeh.dll
2008-04-20 15:25 96,320 ----a-w C:\WINDOWS\system32\hfbfdnfb.dll
2008-04-16 23:05 95,808 ----a-w C:\WINDOWS\system32\counkylh.dll
2008-04-14 18:31 --------- d-----w C:\Program Files\DOSBox-0.72
2008-04-12 23:04 3,648 ----a-w C:\WINDOWS\system32\jgeuafdu.dll
2008-04-09 21:50 3,648 ----a-w C:\WINDOWS\system32\yyvnyphl.dll
2008-04-08 21:26 3,648 ----a-w C:\WINDOWS\system32\ltaupifu.dll
2008-04-02 21:07 88,128 ----a-w C:\WINDOWS\system32\btivtluc.dll
2008-03-31 21:05 91,712 ----a-w C:\WINDOWS\system32\rabljsbw.dll
2008-03-29 21:07 90,176 ----a-w C:\WINDOWS\system32\yrvurfsx.dll
2008-03-29 21:01 86,592 ----a-w C:\WINDOWS\system32\qvcbnoup.dll
2008-03-26 18:12 92,736 ----a-w C:\WINDOWS\system32\byvjuyqp.dll
2008-03-24 21:16 93,248 ----a-w C:\WINDOWS\system32\ryitsqvk.dll
2008-03-23 21:13 92,736 ----a-w C:\WINDOWS\system32\kryjbpuk.dll
2008-03-22 21:10 86,592 ----a-w C:\WINDOWS\system32\aydnleix.dll
2008-03-16 20:50 99,904 ----a-w C:\WINDOWS\system32\ocwbbuuv.dll
2008-03-12 20:35 93,760 ----a-w C:\WINDOWS\system32\ehjgbrgi.dll
2008-03-11 20:36 93,248 ----a-w C:\WINDOWS\system32\vykmxiuh.dll
2008-03-09 20:24 89,664 ----a-w C:\WINDOWS\system32\ivgluiiy.dll
2008-03-08 20:30 92,224 ----a-w C:\WINDOWS\system32\xnnqggth.dll
2008-03-05 21:13 96,832 ----a-w C:\WINDOWS\system32\vagjmfoe.dll
2008-03-05 21:04 91,712 ----a-w C:\WINDOWS\system32\agfxgjpr.dll
2008-03-03 21:11 95,296 ----a-w C:\WINDOWS\system32\aouglbfu.dll
2008-03-01 21:00 91,712 ----a-w C:\WINDOWS\system32\cbbgjgqd.dll
2008-02-28 15:13 91,712 ----a-w C:\WINDOWS\system32\nbdyqhvv.dll
2008-02-26 20:51 94,784 ----a-w C:\WINDOWS\system32\njwblkmp.dll
2008-02-20 20:01 94,784 ----a-w C:\WINDOWS\system32\nkkwsbfi.dll
2008-02-20 19:58 91,712 ----a-w C:\WINDOWS\system32\oylfenuq.dll
2008-02-19 20:01 89,152 ----a-w C:\WINDOWS\system32\dcguaxmv.dll
2008-02-18 20:05 93,248 ----a-w C:\WINDOWS\system32\awcbobeo.dll
2008-02-16 19:58 92,736 ----a-w C:\WINDOWS\system32\vaijuitc.dll
2008-01-13 18:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2004-10-01 12:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-05-21 14:07 47,920 ----a-w C:\Documents and Settings\haim\Application Data\GDIPFONTCACHEV1.DAT
2004-05-08 08:13 49,152 --sha-w C:\WINDOWS\lbbho.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57ff2ff7-c87f-460d-94f5-b83f0ca00291}]
C:\WINDOWS\system32\vstmskqi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360]
"PowerBar"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/03/2007 10:24 PM 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM 286720]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01/26/2008 11:47 PM 950664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [08/04/2004 12:56 AM 15360]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [07/13/2004 04:19 PM 95352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [08/04/2004 12:56 AM 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-12-19 19:34:52 28672]
Babylon.lnk - C:\Program Files\Babylon\Babylon.exe [2004-11-03 20:38:17 2052173]
Total Commander.lnk - C:\Program Files\wincmd - new\TOTALCMD.EXE [2008-04-30 18:59:05 1075144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlkli]
qomlkli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= ucdvfw.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
--a------ 05/13/2007 04:57 PM 5308416 C:\Program Files\eMule\emule.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4672:UDP"= 4672:UDP:eMule-UDP

R2 cpextender;Check Point SSL Network Extender;C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [06/10/2007 04:48 PM]
R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [03/12/2007 04:26 PM]
S3 DCamUSBPA;PC-Camera (6029);C:\WINDOWS\system32\DRIVERS\snpcp106.sys [05/16/2002 03:38 PM]
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [11/29/2001 04:10 PM]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [01/26/2004 08:42 PM]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 00:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 13:23:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
.
**************************************************************************
.
Completion time: 05/11/2008 13:26:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-11 10:26:16

Pre-Run: 3,925,622,784 bytes free
Post-Run: 4,238,213,120 bytes free

265 --- E O F --- 2007-11-19 01:45:16

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:16, on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\wincmd - new\TOTALCMD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Download\Try 2\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: {19200ac0-f38b-5f49-d064-f78c7ff2ff75} - {57ff2ff7-c87f-460d-94f5-b83f0ca00291} - C:\WINDOWS\system32\vstmskqi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Babylon.lnk = C:\Program Files\Babylon\Babylon.exe
O4 - Global Startup: Total Commander.lnk = C:\Program Files\wincmd - new\TOTALCMD.EXE
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: qomlkli - qomlkli.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5645 bytes
11-May-2008, 04:55 PM
#4
Download the attached file CFScript.txt to your Desktop

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

=======================================

Please download ATF Cleaner by Atribune. This program is for XP, Windows 2000, and Vista

If you use Firefox browser

If you use Opera browser

Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.

========================================

Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
11-May-2008, 06:28 PM
#5
Ever since I ran ComboFix, my computer got much much better. Explorer doesn't crash anymore, and I don't get any popups while using Internet Explorer. Is it still necessary to take all the steps you wrote about? Do they carry any risks? Thanks a lot for your help.
11-May-2008, 07:51 PM
#6
Well it may seem good, but there is malware still present on your machine. But, if you feel that it's fixed then by all means mark it solved.
12-May-2008, 12:44 PM
#7
I did as you instructed. Combofix report:

ComboFix 08-05-09.1 - haim 05/12/2008 19:08:00.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.57 [GMT 3:00]
Running from: C:\Documents and Settings\haim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\haim\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\ezsid.dat
C:\Program Files\Uninstall_CDS.exe
C:\WINDOWS\lbbho.dll
C:\WINDOWS\system32\agfxgjpr.dll
C:\WINDOWS\system32\aouglbfu.dll
C:\WINDOWS\system32\awcbobeo.dll
C:\WINDOWS\system32\aydnleix.dll
C:\WINDOWS\system32\btivtluc.dll
C:\WINDOWS\system32\byvjuyqp.dll
C:\WINDOWS\system32\cbbgjgqd.dll
C:\WINDOWS\system32\chftwkff.dll
C:\WINDOWS\system32\counkylh.dll
C:\WINDOWS\system32\dcguaxmv.dll
C:\WINDOWS\system32\ehjgbrgi.dll
C:\WINDOWS\system32\ermhyrnp.dll
C:\WINDOWS\system32\hfbfdnfb.dll
C:\WINDOWS\system32\ivgluiiy.dll
C:\WINDOWS\system32\jgeuafdu.dll
C:\WINDOWS\system32\kryjbpuk.dll
C:\WINDOWS\system32\lnfbqjeh.dll
C:\WINDOWS\system32\ltaupifu.dll
C:\WINDOWS\system32\mfpsxpxv.exe
C:\WINDOWS\system32\mkiobrih.exe
C:\WINDOWS\system32\moelrtit.exe
C:\WINDOWS\system32\nbdyqhvv.dll
C:\WINDOWS\system32\njwblkmp.dll
C:\WINDOWS\system32\nkkwsbfi.dll
C:\WINDOWS\system32\nwajfexs.dll
C:\WINDOWS\system32\ocwbbuuv.dll
C:\WINDOWS\system32\oylfenuq.dll
C:\WINDOWS\system32\qvcbnoup.dll
C:\WINDOWS\system32\rabljsbw.dll
C:\WINDOWS\system32\ryitsqvk.dll
C:\WINDOWS\system32\vagjmfoe.dll
C:\WINDOWS\system32\vaijuitc.dll
C:\WINDOWS\system32\vykmxiuh.dll
C:\WINDOWS\system32\wpwvwiuh.exe
C:\WINDOWS\system32\xnnqggth.dll
C:\WINDOWS\system32\xpqygmmt.exe
C:\WINDOWS\system32\yrvurfsx.dll
C:\WINDOWS\system32\yyvnyphl.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 22:00 --------- d-----w C:\Program Files\Java 2008-05-09 21:58 --------- d-----w C:\Program Files\Common Files\Java 2008-04-30 15:59 --------- d-----w C:\Program Files\wincmd - new 2008-04-26 22:34 --------- d-----w C:\Program Files\Daemon 2008-04-14 18:31 --------- d-----w C:\Program Files\DOSBox-0.72 2004-05-21 14:07 47,920 ----a-w C:\Documents and Settings\haim\Application Data\GDIPFONTCACHEV1.DAT . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\Program Files\DOSBox-0.72 ---- 08/26/2007 09:33 PM 874 --a------ C:\Program Files\DOSBox-0.72\THANKS.txt 08/26/2007 09:33 PM 46929 --a------ C:\Program Files\DOSBox-0.72\README.txt 08/26/2007 09:33 PM 3611 --a------ C:\Program Files\DOSBox-0.72\INSTALL.txt 08/26/2007 09:33 PM 24551 --a------ C:\Program Files\DOSBox-0.72\NEWS.txt 08/26/2007 09:33 PM 243 --a------ C:\Program Files\DOSBox-0.72\AUTHORS.txt 08/26/2007 09:33 PM 18332 --a------ C:\Program Files\DOSBox-0.72\COPYING.txt 08/26/2007 09:14 PM 3200000 --a------ C:\Program Files\DOSBox-0.72\dosbox.exe 08/26/2007 09:06 PM 7351 --a------ C:\Program Files\DOSBox-0.72\dosbox.conf 08/17/2007 08:45 PM 13312 --a------ C:\Program Files\DOSBox-0.72\SDL_net.dll 08/17/2007 08:44 PM 331776 --a------ C:\Program Files\DOSBox-0.72\SDL.dll 07/30/2007 11:08 AM 1608 --a------ C:\Program Files\DOSBox-0.72\zmbv\README.txt 04/14/2008 09:31 PM 35296 --a------ C:\Program Files\DOSBox-0.72\uninstall.exe 03/02/2007 01:44 PM 94208 --a------ C:\Program Files\DOSBox-0.72\zmbv\zmbv.dll 03/02/2007 01:04 PM 2103 --a------ C:\Program Files\DOSBox-0.72\zmbv\zmbv.inf ---- Directory of C:\Program Files\wincmd - new ---- 11/01/2006 02:44 AM 163 --a------ C:\Program Files\wincmd - new\_patch.bat 09/14/2007 12:00 AM 977 --a------ C:\Program Files\wincmd - new\DEFAULT.BAR 09/14/2007 12:00 AM 26 --a------ C:\Program Files\wincmd - new\NO.BAR 09/14/2007 07:02 AM 9475 --a------ C:\Program Files\wincmd - 
new\KEYBOARD.TXT 09/14/2007 07:02 AM 843 --a------ C:\Program Files\wincmd - new\TOTALCMD.EXE.MANIFEST 09/14/2007 07:02 AM 7888 --a------ C:\Program Files\wincmd - new\CGLPTNT.SYS 09/14/2007 07:02 AM 77312 --a------ C:\Program Files\wincmd - new\UNACEV2.DLL 09/14/2007 07:02 AM 7680 --a------ C:\Program Files\wincmd - new\FRERES32.DLL 09/14/2007 07:02 AM 7259 --a------ C:\Program Files\wincmd - new\CGLPT9X.VXD 09/14/2007 07:02 AM 67264 --a------ C:\Program Files\wincmd - new\TCMADMIN.EXE 09/14/2007 07:02 AM 639360 --a------ C:\Program Files\wincmd - new\WCMICONS.DLL 09/14/2007 07:02 AM 565977 --a------ C:\Program Files\wincmd - new\TOTALCMD.HLP 09/14/2007 07:02 AM 5111 --a------ C:\Program Files\wincmd - new\LANGUAGE\WCMD_ENG.MNU 09/14/2007 07:02 AM 43008 --a------ C:\Program Files\wincmd - new\CABRK.DLL 09/14/2007 07:02 AM 37888 --a------ C:\Program Files\wincmd - new\SFXHEAD.SFX 09/14/2007 07:02 AM 3516 --a------ C:\Program Files\wincmd - new\REGISTER.RTF 09/14/2007 07:02 AM 335040 --a------ C:\Program Files\wincmd - new\HISTORY.TXT 09/14/2007 07:02 AM 33280 --a------ C:\Program Files\wincmd - new\TCUNINST.EXE 09/14/2007 07:02 AM 3328 --a------ C:\Program Files\wincmd - new\WC32TO16.EXE 09/14/2007 07:02 AM 2902984 --a------ C:\Program Files\wincmd - new\TOTALCMD.EXE.BAK 09/14/2007 07:02 AM 2106 --a------ C:\Program Files\wincmd - new\SHARE_NT.EXE 09/14/2007 07:02 AM 19743 --a------ C:\Program Files\wincmd - new\TOTALCMD.INC 09/14/2007 07:02 AM 1568 --a------ C:\Program Files\wincmd - new\WCMICONS.INC 09/14/2007 07:02 AM 136704 --a------ C:\Program Files\wincmd - new\UNRAR.DLL 09/14/2007 07:02 AM 1214 --a------ C:\Program Files\wincmd - new\descript.ion 09/14/2007 07:02 AM 1176 --a------ C:\Program Files\wincmd - new\TCUNINST.WUL 09/14/2007 07:02 AM 106 --a------ C:\Program Files\wincmd - new\WCUNINST.WUL 09/14/2007 07:02 AM 102400 --a------ C:\Program Files\wincmd - new\TCUNZLIB.DLL 06/06/2006 05:25 PM 199168 --a------ C:\Program Files\wincmd - new\upx.exe 
04/30/2008 07:03 PM 1024 --a------ C:\Program Files\wincmd - new\wincmd.key 04/30/2008 07:02 PM 32768 --a------ C:\Program Files\wincmd - new\WCMZIP32.DLL 04/30/2008 07:02 PM 1075144 --a------ C:\Program Files\wincmd - new\TOTALCMD.EXE 02/27/2007 01:38 PM 32256 --a------ C:\Program Files\wincmd - new\patch.exe ((((((((((((((((((((((((((((( snapshot@Sun 05-11-2008_13.25.52.81 ))))))))))))))))))))))))))))))))))))))))) . - 2008-05-11 10:22:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-05-11 15:45:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2007-11-19 13:28:30 57,208 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-05-11 19:37:04 57,208 ----a-w C:\WINDOWS\system32\perfc009.dat - 2007-11-19 13:28:30 388,914 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-05-11 19:37:04 388,914 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360] "PowerBar"="" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/03/2007 10:24 PM 185896] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM 286720] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01/26/2008 11:47 PM 950664] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM 132496] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [08/04/2004 12:56 AM 15360] "Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [07/13/2004 04:19 PM 95352] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [08/04/2004 12:56 AM 53760 C:\WINDOWS\system32\narrator.exe] 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360] DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-12-19 19:34:52 28672] Babylon.lnk - C:\Program Files\Babylon\Babylon.exe [2004-11-03 20:38:17 2052173] Total Commander.lnk - C:\Program Files\wincmd - new\TOTALCMD.EXE [2008-04-30 18:59:05 1075144] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er] "NoBandCustomize"= 0 (0x0) "NoMovingBands"= 0 (0x0) "NoCloseDragDropBands"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "MSVideo"= ucdvfw.dll "VIDC.YV12"= xl_yv12.dll "VIDC.XJPG"= camfc.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart] --a------ 05/13/2007 04:57 PM 5308416 C:\Program Files\eMule\emule.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\eMule\\emule.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List] "4662:TCP"= 4662:TCP:eMule "4672:UDP"= 4672:UDP:eMule-UDP R2 cpextender;Check Point SSL Network Extender;C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [06/10/2007 04:48 PM] R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [03/12/2007 04:26 PM] S3 DCamUSBPA;PC-Camera (6029);C:\WINDOWS\system32\DRIVERS\snpcp106.sys [05/16/2002 03:38 PM] S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [11/29/2001 04:10 PM] S3 XIRLINK;Veo Mobile/Advanced Web 
Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [01/26/2004 08:42 PM] *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2008-05-12 00:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job" - C:\Program Files\RegistrySmart\RegistrySmart.ex - C:\Program Files\RegistrySmart . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-12 19:10:53 Windows 5.1.2600 Service Pack 2 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 05/12/2008 19:11:42 ComboFix-quarantined-files.txt 2008-05-12 16:11:40 Pre-Run: 4,320,706,560 bytes free Post-Run: 4,341,825,536 bytes free 238 --- E O F --- 2007-11-19 01:45:16 MBAM Report: Malwarebytes' Anti-Malware 1.12 Database version: 742 Scan type: Quick Scan Objects scanned: 36348 Time elapsed: 4 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 5 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\Software\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Fold ers\C:\Program Files\RegistrySmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Fold ers\C:\Program Files\RegistrySmart\Microsoft.VC80.MFC\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Fold ers\C:\Program Files\RegistrySmart\Microsoft.VC80.CRT\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\haim\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\haim\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\haim\Application Data\RegistrySmart\Log\2007 Sep 20 - 12_28_21 AM_671.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. C:\Documents and Settings\haim\Application Data\RegistrySmart\Log\2007 Sep 20 - 12_28_23 AM_750.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully. 
Fresh HIjackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:38:55, on 12/05/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe C:\Program Files\wincmd - new\TOTALCMD.EXE C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Download\Try 2\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: עוזר הכניסה של Windows Live 
- {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe O4 - Global Startup: Babylon.lnk = C:\Program Files\Babylon\Babylon.exe O4 - Global Startup: Total Commander.lnk = C:\Program Files\wincmd - new\TOTALCMD.EXE O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - 
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe -- End of file - 5439 bytes And once again, thank you so much for your help. |
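An added example, not from this thread or from any of the tools it mentions: a small Python triage script that reads a file list in the shape of the ComboFix deletion list above and flags the pattern a responder would act on, a cluster of eight-letter, digit-free .dll/.exe names dropped into one system directory. The sample input, the allowlist of legitimate eight-letter binaries and the cluster threshold are constructed assumptions; in practice the allowlist would be replaced by a signature or hash baseline, since legitimate Windows binaries with the same name shape exist.

```python
"""Heuristic triage of a ComboFix-style file list (added example).

Flags directories holding a cluster of pseudo-random 8-letter .dll/.exe
names and records, per file, which lexical hints make the name look
machine-generated rather than chosen by a person.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the "Other Deletions" list in the
# thread: six of the deleted system32 names, plus legitimate entries for
# contrast (winlogon.exe and ntoskrnl.exe share the eight-letter shape).
SAMPLE_LOG = r"""
C:\WINDOWS\lbbho.dll
C:\WINDOWS\system32\agfxgjpr.dll
C:\WINDOWS\system32\cbbgjgqd.dll
C:\WINDOWS\system32\chftwkff.dll
C:\WINDOWS\system32\ivgluiiy.dll
C:\WINDOWS\system32\mfpsxpxv.exe
C:\WINDOWS\system32\xpqygmmt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ntoskrnl.exe
C:\Program Files\DOSBox-0.72\dosbox.exe
"""

# Name shape seen in the deletion list: exactly eight lowercase letters,
# no digits, .dll or .exe extension.
RANDOM_SHAPE = re.compile(r"^([a-z]{8})\.(dll|exe)$")
VOWELS = set("aeiou")

# Assumed allowlist standing in for a signed-catalog or hash baseline.
# Shape alone is not evidence: real Windows binaries look like this too.
KNOWN_GOOD = {"winlogon.exe", "ntoskrnl.exe"}


def parse_paths(text):
    """Return (directory, filename) pairs, lower-cased, for each path line."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not re.match(r"^[A-Za-z]:\\", line):
            continue                      # skip banners, blank lines, notes
        directory, _, filename = line.rpartition("\\")
        paths.append((directory.lower(), filename.lower()))
    return paths


def name_signals(stem):
    """Lexical hints that a stem was generated, not chosen by a person."""
    signals = []
    if not any(c in VOWELS for c in stem):
        signals.append("no vowels")
    if re.search(r"[^aeiou]{5}", stem):   # 'y' counted as a consonant here
        signals.append("5+ consonant run")
    if re.search(r"q(?!u)", stem):
        signals.append("q not followed by u")
    return signals


def triage(text, cluster_threshold=5):
    """Group candidate names per directory; report clusters and per-file hints.

    A lone odd-looking name is weak evidence; many of them in one system
    directory is the signal worth acting on, so the cluster rule is the
    primary verdict and the per-file signals only explain it.
    """
    candidates = defaultdict(list)
    for directory, filename in parse_paths(text):
        match = RANDOM_SHAPE.match(filename)
        if match and filename not in KNOWN_GOOD:
            candidates[directory].append((filename, name_signals(match.group(1))))

    report = {"clusters": {}, "suspects": {}}
    for directory, entries in candidates.items():
        if len(entries) >= cluster_threshold:
            report["clusters"][directory] = [name for name, _ in entries]
        for filename, signals in entries:
            if signals:
                report["suspects"][directory + "\\" + filename] = signals
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for directory, names in result["clusters"].items():
        print(f"cluster of {len(names)} random-shaped binaries in {directory}")
    for path, signals in result["suspects"].items():
        print(f"  {path}: {', '.join(signals)}")
```

Run it directly to print the cluster and the per-file hints. The cluster rule, not any single name, carries the verdict, which is why a name such as ivgluiiy.dll, with no lexical oddities of its own, still lands in the cluster while a single stray eight-letter file elsewhere is reported by name only.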
12-May-2008, 01:32 PM
#8 |
Do you know what these folders are??

DOSBox-0.72

How is everything running??
12-May-2008, 05:32 PM
#9 |
DOSBox-0.72 is freeware that lets you run old DOS programs on Windows. As far as I know there shouldn't be any problem with it, but I uninstalled it just to be on the safe side. The computer is working much better now, with no Internet Explorer popups, no Explorer crashes and no error messages. Before I took the last actions you instructed there were a few messages from the anti-virus that it found viruses, but since I ran ATF Cleaner and Malwarebytes Anti-Malware I didn't get any of those either, and the computer is just great.
14-May-2008, 09:42 AM
#10 |
Well, I didn't understand. Do you think the problem is solved?
14-May-2008, 11:47 AM
#11 |
I was just curious. Since everything is running well, let's finish up.

Go to Start ---> Run ---> Type ComboFix /u and press Enter.

Upgrading Java:

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll back" in case there is a future problem.

To SET A NEW RESTORE POINT:

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them. How to Create a Restore Point. How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean: