Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 10-06-2007, 09:41 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Spyware Infection

Hi,

After my computer's been increasingly slow and crashing lately, I've followed the 5 recommended steps, and have lots of Spyware on my computer. I can't really tell you much about the infection since I don't know what I'm looking for, but the logs (DSS, Panda ActiveScan) are here. Hopefully this is enough information. How do I remove the spyware?

Also, I use Mozilla Firefox and didn't install IE-Spyad because I assume it's for Internet Explorer. Is there an equivalent for Mozilla?

Okay, Logs:


Deckard's System Scanner v20070905.67
Run by Administrator on 2007-10-07 14:05:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x0000013D


-- Last 5 Restore Point(s) --
63: 2007-10-06 03:50:04 UTC - RP289 - Restore Operation
62: 2007-10-06 03:36:51 UTC - RP288 - Restore Operation
61: 2007-10-06 03:35:04 UTC - RP287 - Restore Operation
60: 2007-10-06 03:33:14 UTC - RP286 - Restore Operation
59: 2007-10-06 03:31:11 UTC - RP285 - Restore Operation


-- First Restore Point --
1: 2007-07-14 00:28:41 UTC - RP227 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:07:34 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...google.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178068070625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 si3112r (Silicon Image SiI 3112 SATARaid Controller) - c:\windows\system32\drivers\si3112r.sys <Not Verified; Silicon Image, Inc; SATARaid>
R0 SiFilter (SATALink driver accelerator) - c:\windows\system32\drivers\siwinacc.sys <Not Verified; Silicon Image, Inc.; SATALink Windows Accelerator>
R0 SiWinAcc - c:\windows\system32\drivers\siwinacc.sys <Not Verified; Silicon Image, Inc.; SATALink Windows Accelerator>
R1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S3 UPnPService - c:\program files\common files\magix shared\upnpservice\upnpservice.exe <Not Verified; Magix AG; UPnPService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-07 12:39:39 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-09-07 and 2007-10-07 -----------------------------

2007-10-07 13:54:40 0 d-------- C:\Program Files\SpywareBlaster
2007-10-07 12:40:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-07 12:40:10 0 d-------- C:\WINDOWS\LastGood
2007-10-06 12:03:51 0 d-------- C:\WINDOWS\CSC
2007-10-02 20:52:16 0 d-------- C:\Program Files\Windows Defender
2007-10-01 12:58:38 0 d-------- C:\Documents and Settings\Administrator\.GalleryRemote
2007-09-13 22:58:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent


-- Find3M Report ---------------------------------------------------------------

2007-10-07 13:56:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2007-10-07 13:24:28 0 d-------- C:\Program Files\QuickTime
2007-10-07 13:19:19 0 d-------- C:\Program Files\Google
2007-10-06 13:49:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-10-03 20:01:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\foobar2000
2007-10-03 11:37:48 0 d-------- C:\Program Files\MagicDVDRipper
2007-10-03 11:37:09 0 d-------- C:\Program Files\Bookup
2007-10-01 18:08:42 0 d-------- C:\Program Files\Lotus
2007-10-01 18:08:42 0 d-------- C:\Program Files\Logitech
2007-10-01 18:08:42 0 d-------- C:\Program Files\Java
2007-10-01 18:08:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-01 18:08:42 0 d-------- C:\Program Files\foobar2000
2007-10-01 18:08:42 0 d-------- C:\Program Files\DivX
2007-10-01 18:08:42 0 d-------- C:\Program Files\Desktop Messenger
2007-10-01 18:08:42 0 d-------- C:\Program Files\CyberLink
2007-10-01 18:08:42 0 d-------- C:\Program Files\Connected Software
2007-10-01 18:08:42 0 d-------- C:\Program Files\Common Files
2007-10-01 18:08:42 16 --ah----- C:\Program Files\Common Files\mxfilerelatedcache.mxc2 <MXFILE~1.MXC>
2007-10-01 18:08:42 0 d-------- C:\Program Files\Canon
2007-10-01 18:08:42 0 d-------- C:\Program Files\ATI Technologies
2007-10-01 18:08:39 0 d--h----- C:\Program Files\WindowsUpdate
2007-10-01 18:08:39 0 d-------- C:\Program Files\Windows NT
2007-10-01 18:08:39 0 d-------- C:\Program Files\VideoLAN
2007-10-01 18:08:39 0 d-------- C:\Program Files\uTorrent
2007-10-01 18:08:39 0 d-------- C:\Program Files\Skype
2007-10-01 18:08:39 0 d-------- C:\Program Files\SimpleCenter
2007-10-01 18:08:39 0 d-------- C:\Program Files\Silicon Image
2007-10-01 18:08:39 0 d-------- C:\Program Files\Real
2007-10-01 18:08:39 0 d-------- C:\Program Files\Online Services
2007-10-01 18:08:39 0 d-------- C:\Program Files\NCH Swift Sound
2007-10-01 18:08:39 0 d-------- C:\Program Files\MusicMatch
2007-10-01 18:08:39 0 d-------- C:\Program Files\MSXML 4.0
2007-10-01 18:08:39 0 d-------- C:\Program Files\MSN Gaming Zone
2007-10-01 18:08:39 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-10-01 18:08:39 0 d-------- C:\Program Files\Movie Maker
2007-10-01 18:08:39 0 d-------- C:\Program Files\microsoft frontpage
2007-10-01 18:08:39 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-01 18:08:39 0 d-------- C:\Program Files\Messenger
2007-09-12 15:39:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2007-09-09 20:55:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-09-01 21:44:42 0 d-------- C:\Program Files\Common Files\MainConcept
2007-09-01 21:43:23 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-09-01 20:34:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-07-08 21:24:53 16 --ah----- C:\Documents and Settings\Administrator\Application Data\mxfilerelatedcache.mxc2 <MXFILE~1.MXC>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [12/09/2003 09:10 PM]
"nForce Tray Options"="sstray.exe" [17/06/2003 07:18 PM C:\WINDOWS\system32\sstray.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [16/02/2007 10:54 AM]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [16/12/2004 07:55 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [20/12/2001 01:59 AM]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [22/09/2007 05:45 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00 AM]
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 09:06 AM C:\WINDOWS\AGRSMMSG.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [07/11/2001 11:36 AM]
"sclauncher"="C:\Program Files\SimpleCenter\bin\win\sclauncher.exe" [30/01/2007 09:30 AM]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [20/12/2001 09:42 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [11/05/2007 01:20 PM]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [22/09/2007 05:45 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/04/2007 08:24 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe [22/09/2007 5:45:42 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]
SATARaid.lnk - C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe [26/03/2007 4:36:11 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-10-07 14:08:03 ------------








And here is the Panda ActiveScan:



Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.overture.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.ad.sensismediasmart.com.au/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.pacificpoker.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.tickle.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.com.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.xiti.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.paycounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
Virus:Generic Trojan Disinfected C:\WINDOWS\system32\drivers\ip6fw.sys
Virus:Trj/Spammer.ADX Disinfected C:\WINDOWS\system32\drivers\smtpdrv.sys



Finally, I managed to catch my comp. at a good time, and I may not be able to get this much information again. I can try to get whatever else is needed though.

Any help is much appreciated. Thank you.
Attached Files
File Type: txt extra.txt (13.8 KB, 1 views)
popdog is offline  
Old 10-09-2007, 06:42 AM   #2 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

el bumpo
popdog is offline  
Old 10-12-2007, 03:48 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Any help?
popdog is offline  
Old 10-14-2007, 02:07 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Before anyone will even consider working this log, please tell us whether you have a working antivirus program installed on this machine.

If the answer is yes, tell me its name and the last time you did a full system scan.

If the answer is no, then tell me if you have considered wiping the machine.
sUBs is offline  
Old 10-14-2007, 02:20 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Thanks for your reply sUBs.

After AVG removed its free antivirus program, the computer didn't have one for months (stupid...). I installed Windows Defender recently and did a full scan. It did some stuff but made little difference to computer performance.

I have thought about reimaging (is that what you mean?), and would do it as a last resort.

Hopefully this helps.
popdog is offline  
Old 10-14-2007, 02:30 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Sorry about that. I mistakenly posted in your thread. It was meant for another user.

As for your log, there doesn't seem to be much showing. I do not consider spyware cookies a threat. You get those every time you surf the web.

Nevertheless, let's do some checks.

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that and a fresh HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
sUBs is offline  
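Added example, written for this thread rather than taken from it or from HijackThis, DSS, ComboFix or Panda: a Python triage pass over the three line shapes posted above (HijackThis O4 startup entries, DSS driver/service lines, Panda ActiveScan result lines). It applies the point made in this reply, skipping Cookie/* results as noise, and surfaces the items a helper reads out of such logs first: a driver that is still registered but whose file is gone, drivers without a verified signature, startup entries that name a bare executable found by PATH search, RunOnce entries, the same startup value under both HKLM and HKCU, and non-cookie detections. The regexes are assumptions about the posted line shapes; SAMPLE_LOG is a constructed subset copied from the first post (the FFTI line is shortened).

```python
"""Triage pass over HijackThis O4, DSS driver/service and Panda result lines.

Added example; not code from the thread or from any of the tools it mentions.
The regexes below are assumptions about the line shapes seen in the thread.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
DRV_RE = re.compile(
    r'^(?P<start>[RS][0-4]) (?P<name>\S+)(?: \((?P<desc>.*?)\))? - (?P<path>.+?)'
    r'(?: (?P<tail><.*>|\(file missing\)))?$')
PANDA_RE = re.compile(
    r'^(?P<cat>\w+):(?P<sig>.+?) (?P<status>Disinfected|Not disinfected) (?P<loc>.+)$')


@dataclass(frozen=True)
class Finding:
    kind: str          # 'file-missing', 'unverified', 'bare-exe', 'runonce', 'dup-run', 'detection'
    name: str          # Run value name, driver/service name or signature name
    detail: str        # why a helper would look at it
    path: str = ''     # file the finding is about, when known


def exe_of(cmd: str) -> str:
    """Executable part of a Run command: '"a b.exe" /x' -> 'a b.exe', 'x.exe /r' -> 'x.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(' ', 1)[0]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Classify log lines; unknown shapes and Cookie/* results are ignored."""
    findings: List[Finding] = []
    run_values = {}  # lower-cased value name -> (name as written, [hives seen])
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            name, hive, key, cmd = m['name'], m['hive'], m['key'], m['cmd']
            exe = exe_of(cmd)
            if key.lower() == 'runonce':
                findings.append(Finding('runonce', name, f'{hive} RunOnce (one-shot) entry', cmd))
            if '\\' not in exe:  # no directory: resolved by PATH search at logon
                findings.append(Finding('bare-exe', name, f'{hive}\\{key} starts it by PATH search', exe))
            run_values.setdefault(name.lower(), (name, []))[1].append(hive)
        elif m := DRV_RE.match(line):
            tail = m['tail'] or ''
            if tail == '(file missing)':
                findings.append(Finding('file-missing', m['name'], 'registered but not on disk', m['path']))
            elif tail.startswith('<Not Verified'):
                findings.append(Finding('unverified', m['name'], 'no verified signature', m['path']))
        elif m := PANDA_RE.match(line):
            if not m['sig'].lower().startswith('cookie/'):
                findings.append(Finding('detection', m['sig'], m['status'], m['loc']))
    for name, hives in run_values.values():
        if len(set(hives)) > 1:
            findings.append(Finding('dup-run', name, 'same value under ' + ' and '.join(sorted(set(hives)))))
    return findings


def correlate(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Pair a still-registered-but-missing driver with a detection on the same file."""
    detections = [f for f in findings if f.kind == 'detection']
    return [(fm.name, d.name)
            for fm in findings if fm.kind == 'file-missing'
            for d in detections if d.path.lower() == fm.path.lower()]


# Constructed sample: a subset of the lines posted in this thread (FFTI line shortened).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT
R0 si3112r (Silicon Image SiI 3112 SATARaid Controller) - c:\windows\system32\drivers\si3112r.sys <Not Verified; Silicon Image, Inc; SATARaid>
R1 smtpdrv - c:\windows\system32\drivers\smtpdrv.sys (file missing)
S3 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX; Firebird SQL Server - MAGIX Edition>
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Virus:Generic Trojan Disinfected C:\WINDOWS\system32\drivers\ip6fw.sys
Virus:Trj/Spammer.ADX Disinfected C:\WINDOWS\system32\drivers\smtpdrv.sys
""".strip().splitlines()


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:13} {f.name:30} {f.detail}  {f.path}')
    print('correlated:', correlate(found))
```

On the sample it pairs the DSS entry `R1 smtpdrv ... (file missing)` with Panda's `Trj/Spammer.ADX` result for the same file, which is the correlation a helper makes by eye when reading these two logs together: the driver's service registration outlived the file Panda removed. The cookie results drop out entirely, leaving the short list that actually needs a decision.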
Old 10-14-2007, 05:30 AM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Ok, I've done the scans. Managed to get the computer at a time when it's actually working properly! Here are the logs:

ComboFix 07-10-14.1 - Administrator 2007-10-14 21:26:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.225 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-14 21:24 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-14 21:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 13:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-07 12:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-02 20:52 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-01 12:58 <DIR> d-------- C:\Documents and Settings\Administrator\.GalleryRemote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 11:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-10-07 08:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-10-07 03:24 --------- d-----w C:\Program Files\QuickTime
2007-10-07 03:19 --------- d-----w C:\Program Files\Google
2007-10-03 10:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\foobar2000
2007-10-03 01:37 --------- d-----w C:\Program Files\MagicDVDRipper
2007-10-03 01:37 --------- d-----w C:\Program Files\Bookup
2007-10-01 08:08 16 ---ha-w C:\Program Files\Common Files\mxfilerelatedcache.mxc2
2007-10-01 08:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-01 08:08 --------- d-----w C:\Program Files\VideoLAN
2007-10-01 08:08 --------- d-----w C:\Program Files\uTorrent
2007-10-01 08:08 --------- d-----w C:\Program Files\Skype
2007-10-01 08:08 --------- d-----w C:\Program Files\SimpleCenter
2007-10-01 08:08 --------- d-----w C:\Program Files\Silicon Image
2007-10-01 08:08 --------- d-----w C:\Program Files\Real
2007-10-01 08:08 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-01 08:08 --------- d-----w C:\Program Files\MusicMatch
2007-10-01 08:08 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-01 08:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-01 08:08 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-01 08:08 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-01 08:08 --------- d-----w C:\Program Files\Lotus
2007-10-01 08:08 --------- d-----w C:\Program Files\Logitech
2007-10-01 08:08 --------- d-----w C:\Program Files\Java
2007-10-01 08:08 --------- d-----w C:\Program Files\foobar2000
2007-10-01 08:08 --------- d-----w C:\Program Files\DivX
2007-10-01 08:08 --------- d-----w C:\Program Files\Desktop Messenger
2007-10-01 08:08 --------- d-----w C:\Program Files\CyberLink
2007-10-01 08:08 --------- d-----w C:\Program Files\Connected Software
2007-10-01 08:08 --------- d-----w C:\Program Files\Canon
2007-10-01 08:08 --------- d-----w C:\Program Files\ATI Technologies
2007-09-12 05:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2007-09-01 11:44 --------- d-----w C:\Program Files\Common Files\MainConcept
2007-09-01 11:43 --------- d-----w C:\Program Files\Common Files\i4j_jres
2007-09-01 10:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-07-30 09:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 09:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 09:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-02 07:44 32,832 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-06-20 06:50 16 ---ha-w C:\Program Files\mxfilerelatedcache.mxc2
.

((((((((((((((((((((((((((((( snapshot@2007-10-14_21.18.30.98 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10]
"nForce Tray Options"="sstray.exe" [2003-06-17 19:18 C:\WINDOWS\system32\sstray.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2004-12-16 19:55]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2001-12-20 01:59]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe" [2007-09-22 17:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2001-11-07 11:36]
"sclauncher"="C:\Program Files\SimpleCenter\bin\win\sclauncher.exe" [2007-01-30 09:30]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 09:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-11 13:20]
"LDM"="C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-09-22 17:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 20:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe [2007-09-22 17:45:42]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
SATARaid.lnk - C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe [2007-03-26 16:36:11]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys
R2 ACEDRV09;ACEDRV09;\??\C:\WINDOWS\system32\drivers\ACEDRV09.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-10-14 11:20:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 21:27:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-14 21:28:15
C:\ComboFix2.txt ... 2007-10-14 21:18
.
--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 9:30:17 PM, on 14/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...google.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/udmooflt.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178068070625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe



Hopefully this helps. Thanks for your response.
popdog is offline  
Old 10-14-2007, 06:07 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Still looks clean. Let's see if an online scan turns up anything.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

sUBs is offline  
Old 10-14-2007, 05:25 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Have done the scans. The computer's working fine at the moment, although I don't want to shut it down in case it stalls next time I boot. Anyway, hopefully this helps. Cheers.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 15, 2007 10:21:27 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/10/2007
Kaspersky Anti-Virus database records: 435770
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 59304
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:35:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\call256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chat256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chat512.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chat8192.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\chatsync\da\da867a32705ffdc5.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\index2.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\user1024.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\user16384.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\user256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\user4096.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Skype\slaney.family\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\udmooflt.default\XPC.mfl Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007101520071016\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\errlgr.txt Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir Infected: Rootkit.Win32.Agent.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sy_.vir Infected: Rootkit.Win32.Agent.jp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A799D1CA-D698-4144-84DB-7A63328D3108}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
popdog is offline  
Old 10-14-2007, 10:22 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Quote:
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir ------> Trojan-Downloader.Win32.Agent.acl
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir ------> Rootkit.Win32.Agent.jp
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sy_.vir ------> Rootkit.Win32.Agent.jp
These are the files which Kaspersky found. When was the first time you ran ComboFix?

Please post this log --> C:\Qoobox\ComboFix-quarantined-files.txt

sUBs is offline  
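As an added example (not code from the thread, from Kaspersky or from ComboFix), a small Python parser for the Online Scanner report format posted above: it separates locked-and-skipped objects from real detections and, following the point made in this reply, marks detections that already sit under ComboFix's C:\qoobox\Quarantine folder, reconstructing where each file lived before it was moved. The quarantine prefix and the mirrored drive layout (Quarantine\C\... plus a ".vir" suffix) are assumptions taken from the listings in this thread.

```python
import re
from typing import List, NamedTuple, Tuple

# Added example, not part of the thread. The sample lines below are copied from
# the Kaspersky Online Scanner report posted above; the report prints one
# object per line in one of two shapes:
#   <path> Object is locked skipped          (could not be opened; not a detection)
#   <path> Infected: <malware name> skipped  (a detection; the online scanner only reports)
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir Infected: Rootkit.Win32.Agent.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sy_.vir Infected: Rootkit.Win32.Agent.jp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# ComboFix keeps what it removed under this folder (named in the thread). Treating a
# detection under it as already neutralised is this example's assumption.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Paths contain spaces, so the path is matched non-greedily and the status text
# plus the trailing action anchor the end of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|Infected:\s+(?P<name>\S+))"
    r"\s+(?P<action>\S+)$"
)


class Detection(NamedTuple):
    path: str          # object path exactly as the scanner printed it
    name: str          # malware name from the "Infected:" field
    action: str        # scanner's last action ("skipped" for the online scanner)
    quarantined: bool  # True when the object lies under ComboFix's quarantine
    original: str      # where the file lived before ComboFix moved it


def original_path(path: str) -> str:
    """Map a quarantined path back to its pre-quarantine location.

    Assumes ComboFix mirrors the drive layout under Quarantine\\<drive letter>\\
    and appends ".vir", as the quarantine listing in the thread shows.
    Paths outside the quarantine folder are returned unchanged.
    """
    if not path.lower().startswith(QUARANTINE_PREFIX):
        return path
    rest = path[len(QUARANTINE_PREFIX):]           # e.g. C\WINDOWS\...\ip6fw.sys.vir
    drive, _, tail = rest.partition("\\")
    if len(drive) != 1 or not tail:                # e.g. Registry_backups\...: not a file copy
        return path
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    return f"{drive}:\\{tail}"


def parse_report(text: str) -> Tuple[List[Detection], List[str], List[str]]:
    """Split report lines into (detections, locked objects, unparsed lines)."""
    detections: List[Detection] = []
    locked: List[str] = []
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)   # keep these visible rather than silently dropping them
        elif m.group("locked"):
            locked.append(m.group("path"))
        else:
            path = m.group("path")
            detections.append(Detection(
                path=path,
                name=m.group("name"),
                action=m.group("action"),
                quarantined=path.lower().startswith(QUARANTINE_PREFIX),
                original=original_path(path),
            ))
    return detections, locked, unparsed


def live_detections(detections: List[Detection]) -> List[Detection]:
    """Detections outside the quarantine folder, i.e. the ones that still need action."""
    return [d for d in detections if not d.quarantined]


if __name__ == "__main__":
    found, locked, unparsed = parse_report(SAMPLE_REPORT)
    print(f"{len(locked)} locked objects skipped, {len(unparsed)} unparsed lines")
    for d in found:
        state = "already in ComboFix quarantine" if d.quarantined else "STILL LIVE"
        print(f"{d.name}: {d.original} ({state})")
    print(f"{len(live_detections(found))} detection(s) still need attention")
```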
Old 10-15-2007, 12:59 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Thanks for your response, the first time I ran ComboFix was the post before last. Here's the requested log.
Best wishes, popdog.



Code:
2004-08-04 16:00      29056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir
2007-07-08 21:24      16    --a------    C:\Qoobox\Quarantine\C\RECYCLER\mxfilerelatedcache.mxc2.vir
2007-09-26 21:15      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\0_exception.nls.vir
2007-10-11 11:41      35328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir
2007-10-14 21:03      35328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sy_.vir
2007-10-14 21:16      1322    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.dat
2007-10-14 21:16      1322    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_SMTPDRV.reg.dat
2007-10-14 21:16      1390    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME2.reg.dat
2007-10-14 21:16      750    --a------    C:\Qoobox\Quarantine\Registry_backups\services_runtime.reg.dat
2007-10-14 21:16      828    --a------    C:\Qoobox\Quarantine\Registry_backups\services_smtpdrv.reg.dat


Folder PATH listing
Volume serial number is 3CC1-651D
C:\QOOBOX\QUARANTINE
+---C
|   +---RECYCLER
|   |       mxfilerelatedcache.mxc2.vir
|   |       
|   \---WINDOWS
|       \---system32
|           |   0_exception.nls.vir
|           |   
|           \---drivers
|                   ip6fw.sys.vir
|                   runtime2.sys.vir
|                   runtime2.sy_.vir
|                   
\---Registry_backups
        LEGACY_RUNTIME.reg.dat
        LEGACY_RUNTIME2.reg.dat
        LEGACY_SMTPDRV.reg.dat
        services_runtime.reg.dat
        services_smtpdrv.reg.dat
popdog is offline  
Old 10-15-2007, 01:01 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Does your machine still have any other issues?

sUBs is offline  
Old 10-15-2007, 01:49 AM   #13 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Seems to be operating OK at the moment, although I'm wary. I get this error message every time the computer boots:

RUNNER ERROR
Could not load the target dll ("C:\Program Files\Desktop Messenger\8876480\6.1.0.155-887640L\Program\backWeb.dll", error code 126)

Aside from this it's been running incredibly slowly and shutting down randomly with the blue screen o' death. I haven't had any of these problems in the last few days. I think I got a Microsoft warning saying that there was a hardware problem. Also, even when the computer didn't run in Normal Mode, it ran perfectly in Safe Mode. All this makes me think it's not a problem with spyware? I'm not sure.

Last edited by popdog; 10-15-2007 at 01:50 AM.
popdog is offline  
Old 10-15-2007, 09:02 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Quote:
RUNNER ERROR
Could not load the target dll ("C:\Program Files\Desktop Messenger\8876480\6.1.0.155-887640L\Program\backWeb.dll", error code 126)
Have Hijackthis fix this entry. It will stop those errors.

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

Logitech's Desktop Messenger is not something that you need nor want to start automatically with Windows.

Quote:
running incredibly slowly and shutting down randomly with the blue screen o' death.
Those issues should have stopped after ComboFix's first run. Rootkits like runtime.sys will create symptoms like that.

Are you still getting bluescreens?

sUBs is offline  
Old 10-17-2007, 03:53 AM   #15 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Sorry about the delay, as far as I know everything's running smoothly. No blue screens to speak of. So I guess that's about it - thanks for your help, take care.

Cheers, popdog.

PS. Should Windows Defender, the default XP Firewall and Spyware Blaster be sufficient protection?
popdog is offline  
Old 10-17-2007, 06:42 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: Spyware Infection

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u

  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here - http://www.bleepingcomputer.com/forums/tutorial60.html


  4. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  5. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html


  6. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here - http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple of weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

sUBs is offline  
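Item 6 above describes IE-SPYAD as putting thousands of domains "in the IE Restricted list". The PowerShell below is an added example, not code from the post and not part of IE-SPYAD; it shows where Internet Explorer actually keeps those per-user zone assignments, adds a host the same way IE-SPYAD's .reg file does, and audits what is already there. The host names in it are hypothetical, and it assumes the registrable domain is the last two labels (so multi-part public suffixes such as .co.uk are not handled). One point worth knowing for the original question about a Firefox equivalent: these zone entries are read only by Internet Explorer and by programs that embed its rendering engine, so Firefox never sees them.

```powershell
# Added example: not code from the original post and not part of IE-SPYAD.
# Shows where Internet Explorer keeps its per-user zone assignments and how a
# host lands in the Restricted sites zone, which is all IE-SPYAD's .reg file does
# at scale. Zone numbers: 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
# Runs as the user whose profile is being changed; no elevation is needed.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4

function Add-RestrictedSite {
    param([Parameter(Mandatory)] [string] $HostName)

    # IE stores the registrable domain as a key and any host labels to the left
    # of it as one subkey, e.g. Domains\badsite.example\ads for ads.badsite.example.
    # Assumption for this example: the registrable domain is the last two labels,
    # so multi-part public suffixes such as .co.uk are not handled.
    $labels = $HostName.Trim().ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { throw "Expected at least a second-level domain, got '$HostName'" }

    $domain = $labels[-2..-1] -join '.'
    $key    = Join-Path $ZoneMapDomains $domain
    if ($labels.Count -gt 2) {
        $hostPart = $labels[0..($labels.Count - 3)] -join '.'
        $key      = Join-Path $key $hostPart
    }

    New-Item -Path $key -Force | Out-Null
    # The '*' value covers every scheme; a value named 'http' or 'https' instead
    # would restrict only that scheme.
    Set-ItemProperty -Path $key -Name '*' -Value $RestrictedZone -Type DWord
    return $key
}

function Get-RestrictedSites {
    # Walks Domains\<domain>[\<host>] and reports every value mapped to zone 4,
    # rebuilding the host name from the key path:
    # Domains\badsite.example\ads -> ads.badsite.example
    $marker = 'ZoneMap\Domains\'
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            if ($key.GetValue($valueName) -eq $RestrictedZone) {
                $relative = $key.Name.Substring($key.Name.IndexOf($marker) + $marker.Length)
                $parts    = $relative.Split('\')
                [array]::Reverse($parts)
                [pscustomobject]@{ Host = ($parts -join '.'); Scheme = $valueName; Key = $key.Name }
            }
        }
    }
}

# Hypothetical hosts, chosen for illustration only.
Add-RestrictedSite 'ads.badsite.example' | Out-Null
Add-RestrictedSite 'badsite.example'     | Out-Null
Get-RestrictedSites | Sort-Object Host | Format-Table Host, Scheme -AutoSize
```

After running an IE-SPYAD install, `Get-RestrictedSites` is a quick way to confirm the list actually landed in the profile you expected, since the .reg file writes under HKEY_CURRENT_USER and so protects only the account that imported it. Being in zone 4 disables scripting, ActiveX and downloads for matching hosts but does not block the connection itself, which matches the post's description.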
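The ERUNT description above says it "will create daily complete backups of your computer's Registry". As an added example, not code from the post and not ERUNT's own, the PowerShell below does the hive-level part of that job with reg.exe: each hive is saved to a file while it is in use, the same operation ERUNT performs. It must run from an elevated prompt (SAM and SECURITY cannot be saved otherwise), assumes PowerShell 3 or later, and the backup folder is an assumption.

```powershell
# Added example: not code from the original post and not ERUNT itself.
# Saves each registry hive to a file with reg.exe, which calls RegSaveKey and so
# works on hives that are in use; ERUNT's daily job does the same thing and adds
# a restore program. Run from an elevated prompt: SAM and SECURITY cannot be
# saved otherwise. Requires PowerShell 3 or later. Paths below are assumptions.

$BackupRoot = 'C:\RegBackup'   # assumption: any local folder with a restrictive ACL

function Backup-RegistryHives {
    param([string] $Root = $BackupRoot)

    # One dated folder per run, so reg.exe never has to overwrite an existing file.
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Live key -> file name, matching what Windows keeps under %SystemRoot%\System32\config.
    # HKCU is the calling user's NTUSER.DAT; other users' hives live under HKU\<SID>.
    $hives = [ordered]@{
        'HKLM\SAM'      = 'SAM'
        'HKLM\SECURITY' = 'SECURITY'
        'HKLM\SOFTWARE' = 'SOFTWARE'
        'HKLM\SYSTEM'   = 'SYSTEM'
        'HKU\.DEFAULT'  = 'DEFAULT'
        'HKCU'          = 'NTUSER.DAT'
    }

    foreach ($entry in $hives.GetEnumerator()) {
        $file = Join-Path $dest $entry.Value
        # reg.exe prints its own status text; the exit code says whether the save worked.
        & reg.exe save $entry.Key $file | Out-Null
        $saved = ($LASTEXITCODE -eq 0)
        $bytes = 0
        if (Test-Path $file) { $bytes = (Get-Item $file).Length }
        [pscustomobject]@{ Hive = $entry.Key; File = $file; Saved = $saved; Bytes = $bytes }
    }
}

Backup-RegistryHives | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, the saved SAM and SYSTEM files together yield every local account's password hash and SECURITY holds LSA secrets; `reg save HKLM\SAM` is the same command attackers use to dump credentials, so the backup folder needs an ACL limited to administrators, or encryption, and should not sit on a share. Second, the SYSTEM and SOFTWARE hives cannot be put back in place while Windows is running; restoring them means copying the files into %SystemRoot%\System32\config from an offline environment (the Recovery Console on XP), which is exactly the case ERUNT's ERDNT.EXE exists for.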
Old 10-18-2007, 12:32 AM   #17 (permalink)
Registered User
 
Join Date: Oct 2007
Location: Australia
Posts: 27
OS: Windows XP Pro 2002, Service Pack 2


Re: Spyware Infection

Okay, done and done. Thanks heaps for that protection information, I'll get onto that. And many thanks again man, cheers.
popdog is offline  
Copyright 2001 - 2009, Tech Support Forum
