Help for a Non Techy

fredstwin · 12-28-2008, 04:22 PM

Hello, I hope someone can help, the following is a paste of a thread I made over at the McAfee technical help forum, as you will read I was recomended this site and to post here on their advice. The blue is my posts and the red is the replies. Thank you for your patience and time. I apologise if this is a bit unconventional?

Hello, I do hope someone can help. Please bear with me as I’m completely non technical. A few days ago I suddenly found that when using Internet Explorer when I pressed the middle button on the mouse to open a link in another tab it would open something completely different, then when doing a search for anything on Google I found that it’s as if something’s hijacked my explorer (I think that’s the right expression) the results are links that are completely different to those you’d expect and I also don’t seem to get the ads down the right hand side. It also takes longer to do a search now. Obviously I was suspicious at this point so I ran a McAfee Security Centre scan (I do one every week anyway) which said I had some things detected and had quarantined them but couldn’t remove them. Unfortunately this didn’t solve the problem and so after some late night trawling around the web which was scary as I wasn’t sure now the links I was clicking were legitimate or not I ended up downloading some free software from Systeminternals.com. The site (A Yahoo chat forum I think) recommended that I ran it several times when in Safe Mode and after finding out what Safe Mode meant (lol) I ran it and rebooted several times, each time it found things and deleted them or said it had anyway. (I kept running it until it didn’t find anymore) This seemed to solve the middle button problem but I still had the issue when searching on Google etc. I then tried a system restore but that kept saying it wouldn’t work (I guess because I’d deleted stuff from previous dates?) I then read that I ought to turn off system restore which I did but I have a feeling I shouldn’t have? What should I do next? Oh cripes, I’ve a feeling I’ve really made some errors here. I’m clueless when it comes to computers. I’m sorry for rambling on, thank you very much for any replies received and Merry Christmas.

I was replied to with this:
Hello,

Download Malwarebytes ' Anti-Malware from Here or Here Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I then replied with this:
Hello, it found some things and removed them, following the restart Explorer seems to be working fine again, here are the resluts:

Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

24/12/2008 00:09:05
mbam-log-2008-12-24 (00-09-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 101575
Time elapsed: 46 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72;85.255.112.212 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72;85.255.112.212 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\T cpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72;85.255.112.212 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARTIN\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Do I need to do anything else now? Many thanks for your patience and help.
ps am off to bed now as its 12.45am over here in the UK so will not be able to reply until tomorrow.

Which was replied to with this:
Due to the nature of some of the infections that were present i would suggest you follow instructions below, this is the only way to be sure that you are no longer infected.

Register at this Forum then follow these Steps, post the required log in that forum,not here.

Which has led me to post a thread on here. Phew! Many thanks again for your patience and any help, it is most appreciated.

tetonbob · 12-29-2008, 06:14 PM

Hello fredstwin -

Is the machine still being redirected? From your post, it seems that all is well, but you're looking for confirmation, and a more detailed analysis.

In that communication with the folks at McAfee forums, you were likely given this link:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Please follow the procedures outlined there, and post the requested logs.

Oh, and yes, it's a bad idea to turn off System Restore before clearing an infection. Infected restore points are still better than no restore points as a fall back position. It seems McAfee and Norton (and others) still don't understand this, and instruct their users to disable System Restore as part of many fixes. We clear out old possibly infected points and set a new clean point after all malware removal efforts are completed.

fredstwin · 12-30-2008, 01:37 PM

Hello tetonbob, thankyou for replying

Quote:

Originally Posted by tetonbob

Hello fredstwin -

Is the machine still being redirected? From your post, it seems that all is well, but you're looking for confirmation,

No, it seems to be working fine and yes I was after confirmation that all is well and/if any other measures I should take, to be fair, in their defence, it wasn't the McAfee forum that suggested I turn off system restore but some bozo on a general Yahoo forum!

Yes I was given that link by them but thought I would post first. Sorry

I'm sorry to be a bit of an idiot but am I right in thinking I should remove the Malwarebytes' Anti-Malware and the SUPERAntiSpyware Free Edition software from my machine before I do the scan with the DDS thing? Can I leave my McAfee Site Advisor alone?

Many thanks in anticipation.

tetonbob · 12-30-2008, 01:45 PM

Hi -

Sorry if I wasn't clear...I wasn't suggesting it was the McAfee forums which said to turn off System Restore, but on the McAfee site (which is not the forum, those are staffed by volunteers, not generally affiliated with the company), and at Norton's site, many of their fixes include disabling System Restore, which we find to be a wrongheaded approach for the reasons given previously. Share the info at Yahoo

No need to uninstall those applications. Just run DDS and GMER, and post or attach the appropriate logs.

fredstwin · 12-30-2008, 06:00 PM

Hello, I hope I've done this right! I've pasted the DDS.txt as you can see and hopefully I've succesfully attached the Attach.zip and the ARK.zip files.

DDS (Version 1.1.0) - NTFSx86
Run by MARTIN at 0:05:30.93 on 31/12/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.39 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\MARTIN\Local Settings\Temporary Internet Files\Content.IE5\BTNYRDBY\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=1061118
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/products/startup_code.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-1 201320]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-1 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-1 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-1 40488]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-1 33832]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2008-1-14 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2008-1-14 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2008-1-14 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2008-1-14 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2008-1-14 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2008-1-14 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2008-1-14 90800]

=============== Created Last 30 ================

2008-12-23 23:14 <DIR> --d----- c:\docume~1\martin\applic~1\Malwarebytes
2008-12-23 23:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-23 23:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 23:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-23 23:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 17:28 <DIR> --d----- c:\windows\McAfee.com
2008-12-21 00:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-21 00:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-21 00:34 <DIR> --d----- c:\docume~1\martin\applic~1\SUPERAntiSpyware.com
2008-12-21 00:33 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-10 08:11 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-30 20:29 13,614 a------- c:\docume~1\martin\applic~1\wklnhst.dat
2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 11:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2007-05-02 22:25 14,993,976 a------- c:\program files\Google_Earth_BZXD.exe
2008-05-13 22:20 168 ---shr-- c:\windows\system32\EA73D803EF.sys
2008-05-13 22:20 5,330 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-20 01:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 0:07:53.03 ===============

tetonbob · 12-30-2008, 06:29 PM

Good job, that's just right.

Logs look good, a few outdated applications which should be uninstalled.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 11 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

It would be prudent to follow up with an online scan. This will take a while.

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on Settings. Uncheck Mail databases.
Next, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

fredstwin · 12-30-2008, 07:03 PM

Wow, thank you, I'll post back tomorrow with the next scan results as I'm off to bed as its 2AM over in the UK. Your help is most appreciated.

fredstwin · 12-31-2008, 09:19 AM

Hello, here's the log from KASPERSKY.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 31, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 31, 2008 10:23:45
Records in database: 1537584
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 64231
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:30:45

File name / Threat name / Threats count
E:\resycled\boot.com Infected: Rootkit.Win32.TDSS.gen 1

The selected area was scanned.

Many Thanks and a Happy New Year!

tetonbob · 12-31-2008, 09:38 AM

Hi -

Thanks, and a Happy New Year to you as well.

What is your E drive, please?

fredstwin · 12-31-2008, 10:02 AM

Hello tetonbob, the E: drive is a removable USD stick. I've checked what was on there and there's nothing (have checked the hidden files option) should I just chuck it out to be safe? Its only worth about £2. I just use it for storing a few temporary files on.

tetonbob · 12-31-2008, 10:21 AM

Hi fredstwin -

In light of what had been found on the machine, and what Kaspersky found on the E drive, I think it would be prudent to run this next tool.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Ensure your E Drive is inserted.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Folder::
E:\resycled

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

fredstwin · 12-31-2008, 11:51 AM

Hello again, here is the log ComboFix created.

ComboFix 08-12-30.02 - MARTIN 2008-12-31 18:24:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.59 [GMT 0:00]
Running from: c:\documents and settings\MARTIN\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ntnet.drv
E:\resycled
e:\resycled\boot.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-31 00:31 . 2008-12-31 00:31 250 --a------ c:\windows\gmer.ini
2008-12-23 23:14 . 2008-12-23 23:14 <DIR> d-------- c:\documents and settings\MARTIN\Application Data\Malwarebytes
2008-12-23 23:14 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 23:14 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 23:13 . 2008-12-23 23:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 23:13 . 2008-12-23 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-21 17:28 . 2008-12-21 17:28 <DIR> d-------- c:\windows\McAfee.com
2008-12-21 00:34 . 2008-12-21 00:34 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-21 00:34 . 2008-12-21 00:34 <DIR> d-------- c:\documents and settings\MARTIN\Application Data\SUPERAntiSpyware.com
2008-12-21 00:34 . 2008-12-21 00:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-21 00:33 . 2008-12-21 00:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-10 08:11 . 2008-12-10 08:10 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-22 16:09 . 2008-12-24 00:45 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-21 23:23 . 2008-11-21 23:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-11 18:47 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:46 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 16:11 . 2008-09-08 10:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-11-01 16:07 . 2008-08-14 10:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-01 16:07 . 2008-08-14 10:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-01 16:07 . 2008-08-14 09:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-01 16:07 . 2008-08-14 09:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-01 16:07 . 2008-09-15 12:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-11-01 16:07 . 2008-10-15 16:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 13:52 --------- d-----w c:\program files\Java
2008-12-31 12:40 --------- d-----w c:\program files\LIVEUPDATE
2008-12-31 00:19 13,614 ----a-w c:\documents and settings\MARTIN\Application Data\wklnhst.dat
2008-12-23 14:58 --------- d-----w c:\program files\McAfee
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-05-02 22:25 14,993,976 ----a-w c:\program files\Google_Earth_BZXD.exe
2008-05-13 22:20 168 --sh--r c:\windows\system32\EA73D803EF.sys
2008-05-13 22:20 5,330 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-20 01:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-18 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 495616]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-10 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-18 24576]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-28 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-11-21 206096]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\DRIVERS\sea1bus.sys [2008-01-14 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\DRIVERS\sea1mdfl.sys [2008-01-14 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\DRIVERS\sea1mdm.sys [2008-01-14 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\sea1mgmt.sys [2008-01-14 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\DRIVERS\sea1nd5.sys [2008-01-14 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\sea1obex.sys [2008-01-14 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\DRIVERS\sea1unic.sys [2008-01-14 90800]
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/products/startup_code.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 18:35:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrators
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2496)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-12-31 18:44:26 - machine was rebooted [MARTIN]
ComboFix-quarantined-files.txt 2008-12-31 18:44:10

Pre-Run: 23,964,684,288 bytes free
Post-Run: 24,123,400,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

218 --- E O F --- 2008-12-18 00:39:24

tetonbob · 12-31-2008, 01:58 PM

Good job!

If there are no other issues, we should be done here.

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

fredstwin · 01-01-2009, 12:33 PM

Brilliant, thank you so much for your help and advice, I'll follow your latest advice. Now, back to nursing my hangover!

tetonbob · 01-01-2009, 01:41 PM

Cheers! Hair of the dog, just not too much.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

12-28-2008, 04:22 PM	#1 (permalink)
fredstwin Registered User Join Date: Dec 2008 Posts: 8 OS: xp home	Help for a Non Techy Hello, I hope someone can help, the following is a paste of a thread I made over at the McAfee technical help forum, as you will read I was recomended this site and to post here on their advice. The blue is my posts and the red is the replies. Thank you for your patience and time. I apologise if this is a bit unconventional? Hello, I do hope someone can help. Please bear with me as I’m completely non technical. A few days ago I suddenly found that when using Internet Explorer when I pressed the middle button on the mouse to open a link in another tab it would open something completely different, then when doing a search for anything on Google I found that it’s as if something’s hijacked my explorer (I think that’s the right expression) the results are links that are completely different to those you’d expect and I also don’t seem to get the ads down the right hand side. It also takes longer to do a search now. Obviously I was suspicious at this point so I ran a McAfee Security Centre scan (I do one every week anyway) which said I had some things detected and had quarantined them but couldn’t remove them. Unfortunately this didn’t solve the problem and so after some late night trawling around the web which was scary as I wasn’t sure now the links I was clicking were legitimate or not I ended up downloading some free software from Systeminternals.com. The site (A Yahoo chat forum I think) recommended that I ran it several times when in Safe Mode and after finding out what Safe Mode meant (lol) I ran it and rebooted several times, each time it found things and deleted them or said it had anyway. (I kept running it until it didn’t find anymore) This seemed to solve the middle button problem but I still had the issue when searching on Google etc. I then tried a system restore but that kept saying it wouldn’t work (I guess because I’d deleted stuff from previous dates?) I then read that I ought to turn off system restore which I did but I have a feeling I shouldn’t have? What should I do next? Oh cripes, I’ve a feeling I’ve really made some errors here. I’m clueless when it comes to computers. I’m sorry for rambling on, thank you very much for any replies received and Merry Christmas. I was replied to with this: Hello, Download Malwarebytes ' Anti-Malware from Here or Here Double-click on mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform Full Scan, then click Scan. * The scan may take some time to finish, so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below). * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy & paste the entire report into your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. I then replied with this: Hello, it found some things and removed them, following the restart Explorer seems to be working fine again, here are the resluts: Malwarebytes' Anti-Malware 1.31 Database version: 1538 Windows 5.1.2600 Service Pack 3 24/12/2008 00:09:05 mbam-log-2008-12-24 (00-09-05).txt Scan type: Full Scan (C:\\|) Objects scanned: 101575 Time elapsed: 46 minute(s), 46 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 3 Folders Infected: 2 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72;85.255.112.212 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72;85.255.112.212 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\T cpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72;85.255.112.212 -> Quarantined and deleted successfully. Folders Infected: C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\Documents and Settings\MARTIN\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully. Files Infected: C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully. Do I need to do anything else now? Many thanks for your patience and help. ps am off to bed now as its 12.45am over here in the UK so will not be able to reply until tomorrow. Which was replied to with this: Due to the nature of some of the infections that were present i would suggest you follow instructions below, this is the only way to be sure that you are no longer infected. Register at this Forum then follow these Steps, post the required log in that forum,not here. Which has led me to post a thread on here. Phew! Many thanks again for your patience and any help, it is most appreciated.

12-29-2008, 06:14 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Hello fredstwin - Is the machine still being redirected? From your post, it seems that all is well, but you're looking for confirmation, and a more detailed analysis. In that communication with the folks at McAfee forums, you were likely given this link: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help Please follow the procedures outlined there, and post the requested logs. Oh, and yes, it's a bad idea to turn off System Restore before clearing an infection. Infected restore points are still better than no restore points as a fall back position. It seems McAfee and Norton (and others) still don't understand this, and instruct their users to disable System Restore as part of many fixes. We clear out old possibly infected points and set a new clean point after all malware removal efforts are completed. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-30-2008, 01:45 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Hi - Sorry if I wasn't clear...I wasn't suggesting it was the McAfee forums which said to turn off System Restore, but on the McAfee site (which is not the forum, those are staffed by volunteers, not generally affiliated with the company), and at Norton's site, many of their fixes include disabling System Restore, which we find to be a wrongheaded approach for the reasons given previously. Share the info at Yahoo No need to uninstall those applications. Just run DDS and GMER, and post or attach the appropriate logs. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-30-2008, 06:29 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Good job, that's just right. Logs look good, a few outdated applications which should be uninstalled. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: J2SE Runtime Environment 5.0 Update 6 Java(TM) 6 Update 3 Java(TM) 6 Update 5 Java(TM) 6 Update 7 These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this. Leave Java(TM) 6 Update 11 alone, as it is the most recent. --------------------------------------------------------------------------------------------- It would be prudent to follow up with an online scan. This will take a while. Please perform this online scan to help look for remnants Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner Note To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on Settings. Uncheck Mail databases. Next, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-30-2008, 07:03 PM	#7 (permalink)
fredstwin Registered User Join Date: Dec 2008 Posts: 8 OS: xp home	Re: Help for a Non Techy Wow, thank you, I'll post back tomorrow with the next scan results as I'm off to bed as its 2AM over in the UK. Your help is most appreciated.

12-31-2008, 09:19 AM	#8 (permalink)
fredstwin Registered User Join Date: Dec 2008 Posts: 8 OS: xp home	Re: Help for a Non Techy Hello, here's the log from KASPERSKY. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Wednesday, December 31, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Wednesday, December 31, 2008 10:23:45 Records in database: 1537584 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: no Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Files scanned: 64231 Threat name: 1 Infected objects: 1 Suspicious objects: 0 Duration of the scan: 01:30:45 File name / Threat name / Threats count E:\resycled\boot.com Infected: Rootkit.Win32.TDSS.gen 1 The selected area was scanned. Many Thanks and a Happy New Year!

12-31-2008, 09:38 AM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Hi - Thanks, and a Happy New Year to you as well. What is your E drive, please? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-31-2008, 10:02 AM	#10 (permalink)
fredstwin Registered User Join Date: Dec 2008 Posts: 8 OS: xp home	Re: Help for a Non Techy Hello tetonbob, the E: drive is a removable USD stick. I've checked what was on there and there's nothing (have checked the hidden files option) should I just chuck it out to be safe? Its only worth about £2. I just use it for storing a few temporary files on. Last edited by fredstwin; 12-31-2008 at 10:08 AM.

12-31-2008, 10:21 AM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Hi fredstwin - In light of what had been found on the machine, and what Kaspersky found on the E drive, I think it would be prudent to run this next tool. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download ComboFix from one of these locations: Link 1 Link 2 Link 3 Ensure your E Drive is inserted. Open notepad and copy/paste the text in the quotebox below into it: Code: Folder:: E:\resycled Save this as CFScript.txt Referring to the picture above, drag CFScript.txt into ComboFix.exe As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Click on Yes, to continue scanning for malware. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-31-2008, 11:51 AM	#12 (permalink)
fredstwin Registered User Join Date: Dec 2008 Posts: 8 OS: xp home	Re: Help for a Non Techy Hello again, here is the log ComboFix created. ComboFix 08-12-30.02 - MARTIN 2008-12-31 18:24:54.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.59 [GMT 0:00] Running from: c:\documents and settings\MARTIN\Desktop\ComboFix.exe AV: McAfee VirusScan On-access scanning disabled (Updated) FW: McAfee Personal Firewall disabled * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\ntnet.drv E:\resycled e:\resycled\boot.com . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_PACKET ((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 ))))))))))))))))))))))))))))))) . 2008-12-31 00:31 . 2008-12-31 00:31 250 --a------ c:\windows\gmer.ini 2008-12-23 23:14 . 2008-12-23 23:14 <DIR> d-------- c:\documents and settings\MARTIN\Application Data\Malwarebytes 2008-12-23 23:14 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-23 23:14 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-23 23:13 . 2008-12-23 23:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-23 23:13 . 2008-12-23 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-21 17:28 . 2008-12-21 17:28 <DIR> d-------- c:\windows\McAfee.com 2008-12-21 00:34 . 2008-12-21 00:34 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-12-21 00:34 . 2008-12-21 00:34 <DIR> d-------- c:\documents and settings\MARTIN\Application Data\SUPERAntiSpyware.com 2008-12-21 00:34 . 2008-12-21 00:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-21 00:33 . 2008-12-21 00:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-10 08:11 . 2008-12-10 08:10 410,984 --a------ c:\windows\system32\deploytk.dll 2008-11-22 16:09 . 2008-12-24 00:45 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore 2008-11-21 23:23 . 2008-11-21 23:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor 2008-11-11 18:47 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-11 18:46 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll 2008-11-01 16:11 . 2008-09-08 10:41 333,824 --------- c:\windows\system32\dllcache\srv.sys 2008-11-01 16:07 . 2008-08-14 10:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe 2008-11-01 16:07 . 2008-08-14 10:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-11-01 16:07 . 2008-08-14 09:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-11-01 16:07 . 2008-08-14 09:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe 2008-11-01 16:07 . 2008-09-15 12:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys 2008-11-01 16:07 . 2008-10-15 16:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-31 13:52 --------- d-----w c:\program files\Java 2008-12-31 12:40 --------- d-----w c:\program files\LIVEUPDATE 2008-12-31 00:19 13,614 ----a-w c:\documents and settings\MARTIN\Application Data\wklnhst.dat 2008-12-23 14:58 --------- d-----w c:\program files\McAfee 2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll 2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe 2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe 2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe 2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll 2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll 2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll 2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll 2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll 2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll 2007-05-02 22:25 14,993,976 ----a-w c:\program files\Google_Earth_BZXD.exe 2008-05-13 22:20 168 --sh--r c:\windows\system32\EA73D803EF.sys 2008-05-13 22:20 5,330 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-09-20 01:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-18 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248] "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 495616] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992] "Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-10 136600] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-18 24576] ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-28 303104] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"= sysaudio.sys [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-11-21 206096] R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408] S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\DRIVERS\sea1bus.sys [2008-01-14 61536] S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\DRIVERS\sea1mdfl.sys [2008-01-14 9360] S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\DRIVERS\sea1mdm.sys [2008-01-14 97088] S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\sea1mgmt.sys [2008-01-14 88624] S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\DRIVERS\sea1nd5.sys [2008-01-14 18704] S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\sea1obex.sys [2008-01-14 86432] S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\DRIVERS\sea1unic.sys [2008-01-14 90800] . Contents of the 'Scheduled Tasks' folder 2008-08-15 c:\windows\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2008-12-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.co.uk/ uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/products/startup_code.html uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s . *********************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-31 18:35:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState] @Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL) @Owner=Administrators @Denied: (Full) (Guests) @Allowed: (Full) (LocalSystem) @Allowed: (Full) (Administrators) @Allowed: (B 1 2 3 4 5) (S-1-5-4) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(788) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(2496) c:\program files\McAfee\SiteAdvisor\saHook.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\windows\system32\bgsvcgen.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\program files\Common Files\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe c:\program files\McAfee\MPF\MpfSrv.exe c:\program files\McAfee\MSK\msksrver.exe c:\progra~1\McAfee.com\Agent\mcagent.exe c:\progra~1\McAfee\MSC\mcuimgr.exe c:\windows\system32\igfxsrvc.exe c:\program files\Common Files\Teleca Shared\Generic.exe c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe . ************************************************************************ . Completion time: 2008-12-31 18:44:26 - machine was rebooted [MARTIN] ComboFix-quarantined-files.txt 2008-12-31 18:44:10 Pre-Run: 23,964,684,288 bytes free Post-Run: 24,123,400,192 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 218 --- E O F --- 2008-12-18 00:39:24

12-31-2008, 01:58 PM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Good job! If there are no other issues, we should be done here. Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-01-2009, 12:33 PM	#14 (permalink)
fredstwin Registered User Join Date: Dec 2008 Posts: 8 OS: xp home	Re: Help for a Non Techy Brilliant, thank you so much for your help and advice, I'll follow your latest advice. Now, back to nursing my hangover!

01-01-2009, 01:41 PM	#15 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,761 OS: 2000 Pro; XP Pro; XP Home	Re: Help for a Non Techy Cheers! Hair of the dog, just not too much. Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009