
Solved: very stubborn Trojan

Discussion in 'Virus & Other Malware Removal' started by pauleolithic, Jun 29, 2007.

  1. pauleolithic

    pauleolithic Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    4
    I've been trying to remove a trojan from my system for quite a while now. It appears to be opening websites at will and I am concerned that it is bringing even more spyware onto my machine and it is really slowing things down. Plus I don't have unlimited downloading capabilities (you can't where I live) and I suspect that it is going to blow my account wide open. It shows up on AVG after a scan and then says it has been cleaned but after I reboot it shows up. It also shows 4 changes in the system32 folder: kernel32.dll, user32.dll, shell32.dll, and ntoskrnl.dll. I've scanned in Safe mode after scanning in normal and it finds it and removes it but then I reboot and there it is again.

    If anyone has any ideas of what it could be I would really appreciate the help. I'll post a HiJackThis log file.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 5:25:39 PM, on 6/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sstray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HiJackThis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [net32] C:\WINDOWS\svhost.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176355439218
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://access.alexcoresource.com/Remote/msrdp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AEA5610-AE18-4850-AEC5-A53AA922007C}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Help and Support helpsvcMSIServer (helpsvcMSIServer) - Unknown owner - C:\WINDOWS\system32\adsnth.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Automatic Updates wuauservWebClient (wuauservWebClient) - Unknown owner - C:\WINDOWS\system32\appmgmtsv.exe (file missing)

    --
    End of file - 6615 bytes
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, pauleolithic :)

    Welcome to TSG.

    Please print these instructions for reference, as you will have to restart your computer during the fix.

    Please download FixWareout from Here or Here.

    Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
    1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    2. The fix will begin; follow the prompts.
    3. If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
    4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    5. Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.
    Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7AEA5610-AE18-4850-AEC5-A53AA922007C}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222


    Click FIX CHECKED. Close HijackThis.
    1. Enter your Control Panel and double-click on Network Connections
    2. Then right click on your Default Connection
      • Usually Local Area Connection for Cable and DSL, or AOL Connection.
    3. Left click on Properties
    4. Double-Click on the Internet Protocol (TCP/IP) item
    5. Select the radio button that says Obtain DNS Servers Automatically
    6. Press OK twice to get out of the properties screen
    7. Restart the computer
    Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

    ipconfig /flushdns (The space between g and / is needed)
    Exit

    Restart the computer.

    Download ComboFix from Here or Here to your Desktop.

    Note: In the event you already have Combofix, this is a new version that I need you to download.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
     
  3. pauleolithic

    pauleolithic Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    4
    Thanks, I really appreciate your help.

    Here is the Combofix log:

    ComboFix 07-06-18.2 - C:\Documents and Settings\Polywog\Desktop\ComboFix.exe
    "Polywog" - 2007-06-29 18:55:01 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


    2007-06-29 18:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-06-29 18:54 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-29 18:39 7,228 --a------ C:\dnsbak.reg
    2007-06-29 18:11 <DIR> d-------- C:\Program Files\STOPzilla!
    2007-06-29 18:11 <DIR> d-------- C:\Program Files\Common Files\iS3
    2007-06-29 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
    2007-06-29 18:10 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-06-29 18:09 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\WholeSecurity
    2007-06-29 15:05 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-06-23 14:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-23 14:08 <DIR> d-------- C:\Program Files\DBan
    2007-06-22 17:31 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\DivX
    2007-06-18 19:18 <DIR> d-------- C:\WINDOWS\system32\appmgmt
    2007-06-16 14:09 <DIR> d-------- C:\Program Files\QuickTime
    2007-06-16 11:31 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-06-16 11:31 <DIR> d-------- C:\WINDOWS\system32\PreInstall
    2007-06-16 11:30 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-06-16 11:26 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-06-14 22:25 285 --a------ C:\kjaskd4a.exe
    2007-06-12 21:03 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-11 18:54 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Lavasoft
    2007-06-10 20:38 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\Leadertech
    2007-06-09 22:42 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Corel
    2007-06-04 21:21 <DIR> d-------- C:\WINDOWS\pss
    2007-05-31 22:16 361 --ahs---- C:\WINDOWS\system32\4109987059.dat


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-23 00:32:49 -------- d-----w C:\Program Files\Picasa2
    2007-06-16 20:45:49 -------- d-----w C:\Program Files\Messenger
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-29 18:46:24 -------- d-----w C:\Program Files\DivX
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-12 04:27:40 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2007-04-12 04:27:40 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2007-04-11 22:49:30 0 --sha-r C:\MSDOS.SYS
    2007-04-11 22:49:30 0 --sha-r C:\IO.SYS
    2007-04-11 22:49:30 0 ----a-w C:\CONFIG.SYS
    2007-04-11 22:49:30 0 ----a-w C:\AUTOEXEC.BAT
    2007-04-11 22:46:27 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nForce Tray Options"="sstray.exe" [2002-11-13 16:34 C:\WINDOWS\system32\sstray.exe]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 14:51]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 22:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-21 20:22]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    Contents of the 'Scheduled Tasks' folder
    2007-06-14 02:48:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-29 18:56:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-29 18:56:38

    --- E O F ---

    Here is the HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 6:58:24 PM, on 6/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\sstray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HiJackThis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176355439218
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://access.alexcoresource.com/Remote/msrdp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Help and Support helpsvcMSIServer (helpsvcMSIServer) - Unknown owner - C:\WINDOWS\system32\adsnth.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Automatic Updates wuauservWebClient (wuauservWebClient) - Unknown owner - C:\WINDOWS\system32\appmgmtsv.exe (file missing)

    --
    End of file - 5678 bytes


    And here is the FixWareout report:

    Fixwareout Last edited 6/27/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    »»»»» Postrun check
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EC63E9402EA4-49EB-9264-30EC-61AAA61D{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9170E92E237F-89CA-BFF4-CB6E-E1620B2D{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}013A885D2C40-7E08-2724-BF37-24E7515C{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}736A9C337B6C-B258-F934-9293-F829F489{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8583B6D1D9B5-9299-F544-7E05-31AE7194{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}95B9375D7312-0659-F2C4-18B3-4945B807{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}1C3401F91D91-1AB9-BDD4-E672-8F54DB55{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4CAAB1B79C0B-3709-F9D4-D53E-B08EA94A{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}72B7C06A6AFE-33DA-C424-5307-589503B5{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A876A28A3263-BD6A-02E4-02E7-F39F0306{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FD93C7BC1C50-542B-8154-A96C-884E41B6{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}AFDB726ED345-A849-DD74-8BB6-1DF83D6F{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C5518181F1C5-7648-82B4-C469-62FABF2D{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BC544C531C01-CC48-E3C4-84B3-73AF3A95{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}CFF3EB12DD08-3E1A-9CB4-9BA4-4AE4A530{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2A9370E33861-004B-E194-01B8-0D9E3097{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}81E5E2267676-64B8-7A94-1B5C-6E61EBC3{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9C981E0F21DF-084B-7A54-87AD-A3FCC169{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A524B1217F16-3BBB-C584-9098-C612C397{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B88590051EC6-680A-7734-DAA7-AAC32012{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3A82A54463CF-3059-E454-6D9C-895C33B5{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7869193B9396-64C8-16B4-CC84-5C833E4B{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DBED7740EBC2-F69B-64D4-0F5D-4126774F{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}ABE48BAC38DB-883A-4B64-135E-38C314EF{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E8CDE66E7DBC-9CC9-13F4-06A9-5C401DEF{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}015EDEB4F6E0-2C79-7874-0708-7D8F00EA{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}41DF3F4ADDB9-D13B-6A44-4F3C-5D3F750C{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A3690A194389-D8CB-A6D4-0AED-5A9E0169{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FBDFE9615917-AFFA-E814-45CF-89C9F680{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}95F2638190ED-0D09-18E4-7B10-2A0139C2{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D6765BF5343A-48A8-D714-32CA-9D51FC14{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}183F3D473BB3-18D8-97A4-1EA5-F1D3CD54{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6CEEF1FD9ACE-862A-5E84-D33E-7C04E3E2{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C93B028DF609-670B-1284-C270-DE642856{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}087CE5C6E165-AF9B-98D4-5EC4-D89089AE{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E99BA95899C0-834A-8F34-863B-90C737E5{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}655CC982D827-E01B-9EF4-4E20-3EF291AF{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F2D0EE057D87-89AA-FC54-9F45-82A2E55F{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}46068CE6F14D-773B-F9F4-5875-AA501E63{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9E3AEE2D0D4D-802A-63B4-AAC4-64B7D1FD{" Deleted
    C:\WINDOWS\System32\bpygo.exe Deleted
    C:\WINDOWS\System32\fjkpr.exe Deleted
    C:\WINDOWS\System32\ltprr.exe Deleted
    C:\WINDOWS\System32\mjpwn.exe Deleted
    ....
    »»»»» Misc files.

    One of the items you suggested I should check on the first HiJackThis scan wasn't there:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136

    but there was no other O17 item in its place.

    thanks again
     
  4. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, pauleolithic :)

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    Go to Start->Run, type CMD and click Ok. The MSDOS window will be displayed. At the prompt type the following and press Enter after each line:

    SC Stop wuauservWebClient
    SC Delete wuauservWebClient
    Exit


    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as ComboFix-Do.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    [image: dragging ComboFix-Do.txt onto ComboFix.exe]

    Once saved, referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe, and post back the resulting report. How is the computer doing?
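The two replies from JSntgRvr above work from three kinds of HijackThis line: O17 NameServer values pointing at resolvers the user never configured (the 85.255.x.x pair on one adapter), O23 services that report Unknown owner and (file missing) and are then removed with sc stop / sc delete, and O4 Run values such as [net32] C:\WINDOWS\svhost.exe, a name one letter short of svchost.exe. The Python script below is an added example, not part of this thread and not HijackThis, FixWareout or ComboFix code, that applies those checks to a log mechanically. Its assumptions are the expected-resolver set (OpenDNS, as on the working adapters in the log; replace with your own), the lookalike-name list, and the sample log lines, which are copied from the first HijackThis log posted in this thread.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example, not part of the posts above and not code from HijackThis,
FixWareout or ComboFix. Flags O17 NameServer values outside the expected
resolver set, O23 services with a missing binary or no owner, O4 Run values
that imitate a Windows binary or live in the Windows root directory, and
running processes loaded from the Windows root directory.
"""
import re
from typing import List, NamedTuple

# ASSUMPTION: the resolvers this machine should use. The working adapters in
# the thread's log use OpenDNS; substitute your ISP or corporate resolvers.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Names one typo away from real Windows binaries (svhost.exe vs svchost.exe is
# the one in this thread). ASSUMPTION: extend for your own environment.
LOOKALIKE_NAMES = {"svhost.exe", "scvhost.exe", "svchosts.exe", "lsas.exe", "csrs.exe"}
# Binaries that legitimately live directly in %WINDIR% rather than system32.
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class Finding(NamedTuple):
    kind: str     # rogue_dns | orphan_service | suspicious_autostart | windir_root_process
    subject: str  # the IP, service name or executable that was flagged
    line: str     # the log line that produced the finding


def _basename(path: str) -> str:
    return path.rstrip("\\").split("\\")[-1].lower()


def _in_windir_root(path: str) -> bool:
    """True for C:\\WINDOWS\\x.exe, False for C:\\WINDOWS\\system32\\x.exe."""
    parts = path.strip().strip('"').split("\\")
    return (len(parts) == 3 and parts[1].lower() == "windows"
            and _basename(path) not in WINDIR_ROOT_OK)


def _exe_from_cmd(cmd: str) -> str:
    """Executable part of a Run value, with quotes and arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_procs = False  # inside "Running processes:", which ends at a blank line
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False
            elif _in_windir_root(line):
                findings.append(Finding("windir_root_process", line, line))
            continue
        m = O17_RE.match(line)
        if m:
            seen = set()  # the Parameters keys in the log repeat each address
            for ip in re.split(r"[,\s]+", m["servers"].strip()):
                if IPV4_RE.fullmatch(ip) and ip not in EXPECTED_RESOLVERS and ip not in seen:
                    seen.add(ip)
                    findings.append(Finding("rogue_dns", ip, line))
            continue
        m = O23_RE.match(line)
        if m:
            if "(file missing)" in m["path"] or m["owner"] == "Unknown owner":
                findings.append(Finding("orphan_service", m["name"], line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_from_cmd(m["cmd"])
            if _basename(exe) in LOOKALIKE_NAMES or _in_windir_root(exe):
                findings.append(Finding("suspicious_autostart", exe, line))
    return findings


# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mgrs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net32] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0182C865-976E-4967-92E7-126063F870F3}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D100B5B7-1757-4244-96EE-F43B7AC9061E}: NameServer = 85.255.115.60,85.255.112.136
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Automatic Updates wuauservWebClient (wuauservWebClient) - Unknown owner - C:\WINDOWS\system32\appmgmtsv.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.subject}")
```

A bare filename in a Run value ([smgr] mgrs.exe) cannot be located from the log alone, which is why the script also walks the Running processes block, where the same binary shows up with its full path C:\WINDOWS\mgrs.exe. A rogue_dns finding is a candidate for review rather than proof: the allowlist approach mirrors what the helper did, which was to have every O17 line removed and the adapter set back to obtaining DNS automatically, then flush the resolver cache.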
     
  5. pauleolithic

    pauleolithic Thread Starter

    Joined:
    Jun 29, 2007
    Messages:
    4
    The computer is running a lot better: no unexplained pop-ups, no unexplained sounds of webpages being opened, and no obvious slowing down of the processes. Here is the ComboFix report:

    ComboFix 07-06-18.2 - C:\Documents and Settings\Polywog\Desktop\ComboFix.exe
    "Polywog" - 2007-06-30 15:43:10 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\Polywog\Desktop\ComboFix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\kjaskd4a.exe
    C:\WINDOWS\system32\4109987059.dat


    ((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


    2007-06-29 18:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-06-29 18:54 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-29 18:39 7,228 --a------ C:\dnsbak.reg
    2007-06-29 18:11 <DIR> d-------- C:\Program Files\STOPzilla!
    2007-06-29 18:11 <DIR> d-------- C:\Program Files\Common Files\iS3
    2007-06-29 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
    2007-06-29 18:10 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-06-29 18:09 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\WholeSecurity
    2007-06-29 15:05 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-06-23 14:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-23 14:08 <DIR> d-------- C:\Program Files\DBan
    2007-06-22 17:31 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\DivX
    2007-06-18 19:18 <DIR> d-------- C:\WINDOWS\system32\appmgmt
    2007-06-16 14:09 <DIR> d-------- C:\Program Files\QuickTime
    2007-06-16 11:31 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-06-16 11:31 <DIR> d-------- C:\WINDOWS\system32\PreInstall
    2007-06-16 11:30 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-06-16 11:26 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-06-12 21:03 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-11 18:54 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Lavasoft
    2007-06-10 20:38 <DIR> d-------- C:\DOCUME~1\Polywog\APPLIC~1\Leadertech
    2007-06-09 22:42 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\Corel
    2007-06-04 21:21 <DIR> d-------- C:\WINDOWS\pss
    2007-05-14 19:59 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\AdobeUM
    2007-05-14 19:59 <DIR> d-------- C:\DOCUME~1\SUPERM~1\APPLIC~1\AdobeAUM


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-23 00:32:49 -------- d-----w C:\Program Files\Picasa2
    2007-06-16 20:45:49 -------- d-----w C:\Program Files\Messenger
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-29 18:46:24 -------- d-----w C:\Program Files\DivX
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-12 04:27:40 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2007-04-12 04:27:40 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2007-04-11 22:49:30 0 --sha-r C:\MSDOS.SYS
    2007-04-11 22:49:30 0 --sha-r C:\IO.SYS
    2007-04-11 22:49:30 0 ----a-w C:\CONFIG.SYS
    2007-04-11 22:49:30 0 ----a-w C:\AUTOEXEC.BAT
    2007-04-11 22:46:27 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nForce Tray Options"="sstray.exe" [2002-11-13 16:34 C:\WINDOWS\system32\sstray.exe]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 14:51]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 22:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-21 20:22]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    *Newly Created Service* - DMADMIN

    Contents of the 'Scheduled Tasks' folder
    2007-06-14 02:48:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-30 15:44:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-30 15:44:31
    C:\ComboFix-quarantined-files.txt ... 2007-06-30 15:44
    C:\ComboFix2.txt ... 2007-06-29 18:56

    --- E O F ---


    thanks again
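The "Reg Loading Points" section of the ComboFix report above is an enumeration of the classic autostart locations (the HKLM/HKCU Run keys, Browser Helper Objects and ShellExecuteHooks) with each entry resolved to its file on disk. As an added example, not part of this thread and not ComboFix's own code, the following PowerShell script walks the same keys and flags entries whose target binary is missing or carries no valid Authenticode signature. It assumes Windows PowerShell 2.0 or later with the HKLM:/HKCU: registry drives; the function names are mine.

```powershell
# Added example (not from the thread, not ComboFix code): audit the autostart
# locations ComboFix lists under "Reg Loading Points" and flag entries whose
# target file is missing or not validly signed.
# Assumes Windows PowerShell 2.0+ (XP with PS 2.0 included).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# COM-based autostarts: the key names a CLSID; the DLL is under
# HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32 (default value).
$ClsidKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Resolve-AutostartPath([string]$Command) {
    # Expand %VARS%, strip a quoted or unquoted argument tail, then fall back
    # to System32 for bare names such as "sstray.exe" (the loader does the same).
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $exe = $c.Substring(1, $c.IndexOf('"', 1) - 1)
    } else {
        $exe = $c
        $m = [regex]::Match($c, '^(.*?\.(exe|dll|cpl|scr))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $exe = $m.Groups[1].Value }
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        $alt = Join-Path $env:SystemRoot ('system32\' + $exe)
        if (Test-Path -LiteralPath $alt) { $exe = $alt }
    }
    return $exe
}

function Test-AutostartEntry([string]$Location, [string]$Name, [string]$Command) {
    $path   = Resolve-AutostartPath $Command
    $exists = Test-Path -LiteralPath $path
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
    else         { $sig = 'n/a' }
    New-Object PSObject -Property @{
        Location   = $Location
        Name       = $Name
        Path       = $path
        Exists     = $exists
        Signature  = $sig
        # A missing binary or unsigned code in an autostart key deserves a second look.
        Suspicious = (-not $exists) -or ($sig -ne 'Valid')
    }
}

$results = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $results += Test-AutostartEntry $key $p.Name ([string]$p.Value)
    }
}
foreach ($key in $ClsidKeys) {
    if (-not (Test-Path $key)) { continue }
    # BHOs are subkeys named by CLSID; ShellExecuteHooks are values named by CLSID.
    $ids = @(Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName })
    $ids += (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name }
    foreach ($clsid in $ids) {
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path $inproc) { $dll = (Get-ItemProperty -Path $inproc).'(default)' }
        $results += Test-AutostartEntry $key $clsid ([string]$dll)
    }
}

$results | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Signature, Exists, Location, Name, Path -AutoSize
```

One caveat when reading the output: Windows' own binaries (ctfmon.exe, msmsgs.exe and the like) are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature on older PowerShell versions reports those as NotSigned. Treat "Exists = False" as the hard signal and "Signature" as a hint to be checked by hand, the way the helpers in this thread did with the ComboFix listing.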
     
  6. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, pauleolithic. :)

    Congratulations.

    Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (Windows XP)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Create a Restore point:
    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "After Cleanup", then click Create.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Click Here for some advice from our security Experts.

    Please use the thread's Tools and mark this thread as "Solved".

    Best wishes!
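The System Restore reset described in the post above (turn it off, reboot, turn it back on, create an "After Cleanup" restore point) is a GUI procedure. As an added example that is not part of the thread, the same steps can be driven from PowerShell through the SystemRestore WMI class in the root\default namespace that Windows XP exposes. It assumes Windows PowerShell, an account with administrator rights (the WMI calls fail with a non-zero ReturnValue otherwise, which matches the "missing System Restore tab" check above), and that the system drive is C:; the function names are mine.

```powershell
# Added example (not from the thread): script the System Restore reset via the
# SystemRestore WMI class (root\default). Assumptions: administrator account,
# system drive C:, Windows PowerShell on XP or later where the class exists.

$Drive = 'C:\'
$SR = [wmiclass]'root\default:SystemRestore'

function Get-RestorePoints {
    # Every instance of the class is one restore point.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Select-Object SequenceNumber, CreationTime, Description
}

function Assert-Ok($Result, [string]$What) {
    # All SystemRestore methods return a ReturnValue; 0 means success. Anything
    # else usually means the account is not an administrator.
    if ($Result.ReturnValue -ne 0) {
        throw "$What failed with code $($Result.ReturnValue)"
    }
}

# Phase 1 (before the reboot): disabling System Restore on the drive discards
# every restore point on it, including those that backed up the infected files.
function Disable-RestoreAndPurge {
    Assert-Ok ($SR.Disable($Drive)) 'Disable'
    $left = @(Get-RestorePoints).Count
    "Restore points remaining on ${Drive}: $left"   # expected to be 0
}

# Phase 2 (after the reboot): re-enable and lay down a known-clean baseline.
function Enable-RestoreWithBaseline {
    Assert-Ok ($SR.Enable($Drive, $true)) 'Enable'
    # RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
    Assert-Ok ($SR.CreateRestorePoint('After Cleanup', 0, 100)) 'CreateRestorePoint'
    Get-RestorePoints
}

# Usage, mirroring the three steps in the post:
#   Disable-RestoreAndPurge
#   shutdown /r /t 0
#   Enable-RestoreWithBaseline      (in a new session after the reboot)
```

Keeping the two phases as separate functions is deliberate: the reboot between them is part of the procedure, and re-enabling in the same session without it is not what the post asks for.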
     