
McAfee Disabled at Startup(Resolved)


  • This topic is locked
11 replies to this topic

#1 lechau

lechau

    New Member

  • Members
  • 9 posts

Posted 08 July 2009 - 09:28 PM

Thanks for helping me with this, Juliet, I really appreciate it.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 22:17:13.54 on Wed 07/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1329 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
E:\Program Files\McAfee\Common Framework\FrameworkService.exe
E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
E:\WINDOWS\system32\mfevtps.exe
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\system32\SearchIndexer.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\McAfee\Common Framework\udaterui.exe
E:\Program Files\McAfee\Common Framework\McTray.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
E:\Program Files\Audio Deck\EnMixCPL.exe
E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
E:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\SearchProtocolHost.exe
E:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - e:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - e:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - e:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "e:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [McAfeeUpdaterUI] "e:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [igfxtray] e:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] e:\windows\system32\hkcmd.exe
mRun: [igfxpers] e:\windows\system32\igfxpers.exe
mRun: [Ad-Watch] e:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] e:\program files\google\gmail notifier\gnotify.exe
mRun: [EnvyHFCPL] e:\program files\audio deck\EnMixCPL.exe 1
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "e:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRunOnce: [Malwarebytes' Anti-Malware] e:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - e:\program files\windows desktop search\WindowsSearch.exe
IE: &D&ownload &with BitComet - e:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://e:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
TCP: NameServer = 85.255.112.62,85.255.112.231
TCP: {62F75B13-C052-4234-8E99-E44D54B68018} = 85.255.112.62,85.255.112.231
TCP: {F532C29E-0658-4877-8F96-160B98F17ABE} = 85.255.112.62,85.255.112.231
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - e:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\owner\applic~1\mozilla\firefox\profiles\79qo1owr.default\
FF - prefs.js: browser.startup.homepage - www.deviantart.com
FF - component: e:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: e:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;e:\windows\system32\drivers\Lbd.sys [2009-2-14 64160]
R0 mfehidk;McAfee Inc. mfehidk;e:\windows\system32\drivers\mfehidk.sys [2009-6-29 340592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R2 McAfeeEngineService;McAfee Engine Service;e:\program files\mcafee\virusscan enterprise\engineserver.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;e:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;McAfee Task Manager;e:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;e:\windows\system32\mfevtps.exe [2009-6-29 67904]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [2009-2-15 2749224]
R2 TomTomHOMEService;TomTomHOMEService;e:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\viewpoint\common\ViewpointService.exe [2009-2-14 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);e:\windows\system32\drivers\A3AB.sys [2007-5-23 547744]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;e:\windows\system32\drivers\Envy24HF.sys [2009-4-11 577664]
R3 wacmoumonitor;Wacom Mode Helper;e:\windows\system32\drivers\wacmoumonitor.sys [2009-2-15 15656]
S2 McShield;McAfee McShield;e:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-9-29 143088]
S3 mfeavfk;McAfee Inc. mfeavfk;e:\windows\system32\drivers\mfeavfk.sys [2009-6-29 90360]
S3 mfebopk;McAfee Inc. mfebopk;e:\windows\system32\drivers\mfebopk.sys [2009-6-29 42424]
S3 mferkdet;McAfee Inc. mferkdet;e:\windows\system32\drivers\mferkdet.sys [2009-6-29 64432]

=============== Created Last 30 ================

2009-07-07 18:51 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 18:51 19,096 a------- e:\windows\system32\drivers\mbam.sys
2009-07-07 18:51 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-07-07 18:51 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-29 16:54 340,592 a------- e:\windows\system32\drivers\mfehidk.sys
2009-06-29 16:54 90,360 a------- e:\windows\system32\drivers\mfeavfk.sys
2009-06-29 16:54 74,648 a------- e:\windows\system32\drivers\mfeapfk.sys
2009-06-29 16:54 64,432 a------- e:\windows\system32\drivers\mferkdet.sys
2009-06-29 16:54 62,704 a------- e:\windows\system32\drivers\mfetdik.sys
2009-06-29 16:54 42,424 a------- e:\windows\system32\drivers\mfebopk.sys
2009-06-29 16:54 67,904 a------- e:\windows\system32\mfevtps.exe
2009-06-28 19:18 5,632 a------- e:\windows\system32\ptpusb.dll
2009-06-28 19:18 159,232 a------- e:\windows\system32\ptpusd.dll
2009-06-13 22:01 <DIR> --d----- e:\docume~1\alluse~1\applic~1\TomTom
2009-06-13 21:59 <DIR> --d----- e:\docume~1\owner\applic~1\TomTom
2009-06-13 21:59 <DIR> --d----- e:\program files\TomTom International B.V
2009-06-13 21:58 <DIR> --d----- e:\program files\TomTom HOME 2

==================== Find3M ====================

============= FINISH: 22:17:35.23 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2/14/2009 3:56:12 PM
System Uptime: 7/8/2009 3:39:37 PM (7 hours ago)

Motherboard: Dell Computer Corp. | | 0K8980
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 466 GiB total, 465.661 GiB free.
D: is CDROM (CDFS)
E: is FIXED (NTFS) - 149 GiB total, 109.199 GiB free.
F: is FIXED (FAT32) - 233 GiB total, 6.37 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1.2
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
BitComet 1.09
Choice Guard
CINEMA 4D Release 11
Combined Community Codec Pack 2008-09-21 16:18
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Google Gmail Notifier
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.11)
MSVCRT
NET Render Release 11
PDF Settings
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Segoe UI
TomTom HOME 2.6.4.1641
TomTom HOME Visual Studio Merge Modules
UnInstall Envy24 Family Audio Device Driver
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wacom Tablet
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/7/2009 3:32:42 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

#2 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,104 posts
  • Gender:Female


Posted 09 July 2009 - 08:54 AM

Hi and welcome


Download worksnow from HERE:

* IMPORTANT !!! Save worksnow to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on worksnow & follow the prompts.

    Note: worksnow will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.



In your next reply post:
C:\ComboFix.txt
new DDS log
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#3 lechau

lechau

    New Member

  • Members
  • 9 posts

Posted 09 July 2009 - 10:20 AM

ComboFix 09-07-08.08 - Owner 07/09/2009 11:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1669 [GMT -4:00]
Running from: e:\documents and settings\Owner\Desktop\worksnow.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\drivers\gaopdxqptkiqllnstyqxotobwucbfxmepfdjws.sys
e:\windows\system32\gaopdxbwxirnxxypdbegeepvpbexuaktimxsiv.dll
e:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-07 22:51 . 2009-06-17 15:27 38160 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 22:51 . 2009-07-08 19:42 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-07 22:51 . 2009-07-07 22:51 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 22:51 . 2009-06-17 15:27 19096 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-06-29 20:54 . 2008-09-29 12:07 90360 ----a-w- e:\windows\system32\drivers\mfeavfk.sys
2009-06-29 20:54 . 2008-09-29 12:07 74648 ----a-w- e:\windows\system32\drivers\mfeapfk.sys
2009-06-29 20:54 . 2008-09-29 12:07 64432 ----a-w- e:\windows\system32\drivers\mferkdet.sys
2009-06-29 20:54 . 2008-09-29 12:07 62704 ----a-w- e:\windows\system32\drivers\mfetdik.sys
2009-06-29 20:54 . 2008-09-29 12:07 42424 ----a-w- e:\windows\system32\drivers\mfebopk.sys
2009-06-29 20:54 . 2008-09-29 12:07 340592 ----a-w- e:\windows\system32\drivers\mfehidk.sys
2009-06-29 20:54 . 2008-09-29 12:07 67904 ----a-w- e:\windows\system32\mfevtps.exe
2009-06-28 23:18 . 2001-08-18 02:36 5632 ----a-w- e:\windows\system32\ptpusb.dll
2009-06-28 23:18 . 2008-04-14 09:42 159232 ----a-w- e:\windows\system32\ptpusd.dll
2009-06-23 04:45 . 2009-06-23 04:45 -------- d-----w- e:\documents and settings\Owner\Local Settings\Application Data\AOL OCP
2009-06-23 04:45 . 2009-06-23 04:45 -------- d-----w- e:\documents and settings\Owner\Local Settings\Application Data\AOL
2009-06-14 02:01 . 2009-06-14 02:01 -------- d-----w- e:\documents and settings\All Users\Application Data\TomTom
2009-06-14 01:59 . 2009-06-14 01:59 -------- d-----w- e:\documents and settings\Owner\Local Settings\Application Data\TomTom
2009-06-14 01:59 . 2009-06-14 01:59 -------- d-----w- e:\documents and settings\Owner\Application Data\TomTom
2009-06-14 01:59 . 2009-06-14 01:59 -------- d-----w- e:\program files\TomTom International B.V
2009-06-14 01:58 . 2009-06-14 01:58 -------- d-----w- e:\program files\TomTom HOME 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 14:57 . 2009-02-16 00:11 -------- d-----w- e:\documents and settings\Owner\Application Data\WTablet
2009-07-09 14:57 . 2009-02-17 19:53 -------- d-----w- e:\documents and settings\LocalService\Application Data\WTablet
2009-06-28 02:39 . 2009-04-11 00:21 -------- d-----w- e:\documents and settings\Bach Tran\Application Data\WTablet
2009-06-18 02:31 . 2009-02-14 22:02 -------- d-----w- e:\program files\BitComet
2009-06-13 04:36 . 2009-02-15 00:37 -------- d-----w- e:\program files\Common Files\Adobe
2009-04-11 00:21 . 2009-04-11 00:21 15712 ----a-w- e:\documents and settings\Bach Tran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-29 12:07 . 2009-05-16 22:55 22576 ----a-w- e:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="e:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="e:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"igfxtray"="e:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="e:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="e:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Ad-Watch"="e:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="e:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"EnvyHFCPL"="e:\program files\Audio Deck\EnMixCPL.exe" [2004-12-09 3895296]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ShStatEXE"="e:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - e:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"e:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"e:\\Program Files\\AIM6\\aim6.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Program Files\\BitComet\\BitComet.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12829:TCP"= 12829:TCP:BitComet 12829 TCP
"12829:UDP"= 12829:UDP:BitComet 12829 UDP

R0 Lbd;Lbd;e:\windows\system32\drivers\Lbd.sys [2/14/2009 4:59 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 951632]
R2 McAfeeEngineService;McAfee Engine Service;e:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;e:\windows\system32\mfevtps.exe [6/29/2009 4:54 PM 67904]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [2/15/2009 8:10 PM 2749224]
R2 TomTomHOMEService;TomTomHOMEService;e:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/3/2009 8:46 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\Viewpoint\Common\ViewpointService.exe [2/14/2009 4:38 PM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);e:\windows\system32\drivers\A3AB.sys [5/23/2007 5:15 AM 547744]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;e:\windows\system32\drivers\Envy24HF.sys [4/11/2009 2:20 PM 577664]
R3 wacmoumonitor;Wacom Mode Helper;e:\windows\system32\drivers\wacmoumonitor.sys [2/15/2009 8:10 PM 15656]
S3 mferkdet;McAfee Inc. mferkdet;e:\windows\system32\drivers\mferkdet.sys [6/29/2009 4:54 PM 64432]
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 e:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:02]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\79qo1owr.default\
FF - prefs.js: browser.startup.homepage - www.deviantart.com
FF - component: e:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: e:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
e:\windows\system32\sirenacm.dll
.
Completion time: 2009-07-09 11:09
ComboFix-quarantined-files.txt 2009-07-09 15:09

Pre-Run: 117,156,925,440 bytes free
Post-Run: 117,197,443,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

145 --- E O F --- 2009-03-19 07:01



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:42 AM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
E:\Program Files\McAfee\Common Framework\FrameworkService.exe
E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
E:\WINDOWS\system32\mfevtps.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\system32\SearchIndexer.exe
E:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\SearchProtocolHost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - E:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [EnvyHFCPL] E:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - Global Startup: Windows Search.lnk = E:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.62,85.255.112.231
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - E:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - E:\WINDOWS\system32\mfevtps.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - E:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6340 bytes

#4 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,104 posts
  • Gender:Female


Posted 09 July 2009 - 12:27 PM

Welcome back


Presence of a nasty rootkit on the machine.
Your System is Infected with a Backdoor!!
Backdoor infections can cause severe damage to Windows' internals, and allow an attacker complete control over the infected system. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.
Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recommend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online: online stores, Facebook/Myspace, email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine.


If you would like to continue and clean the computer we'll proceed.


Please print or copy these instructions to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.62,85.255.112.231

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NEXT**
Please download OTM
  • Save it to your desktop.
  • Double click the OTM icon on your desktop. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Make sure you include :Processes
:Processes
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1D151405-7CDE-478A-B226-921BFC30DCCC}]
"NameServer"=""
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Paste the lines into the "Paste Instructions for Items to be Moved" box in OTM. Do not include the word "Code"
  • Close ALL open windows (especially Internet Explorer!)
  • Click the large MoveIt! button.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can also be found here:
C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and time of the tool run. Post this log in your next reply.




NEXT**
Attempt to start and update Malwarebytes AntiMalware and let's see if we can get a scan from that now.




In your next reply post:
OTM log
MBAM log
new HJT log
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014
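The O17 entry Juliet has the user fix above is a hijacked DNS resolver setting. As an added example (not code from the thread, HijackThis or OTM), the script below parses O17 NameServer lines from a HijackThis log, flags resolvers outside an allowlist, and drafts an OTM :reg block in the same shape as the fix posted above. The allowlist, the router sample line, the placeholder GUID and the CS2/CCS key expansion are assumptions.

```python
"""Detect DNS-resolver hijacks in HijackThis O17 lines and draft the matching
OTM :reg fix.  Added example, not part of the thread or of HijackThis/OTM.
Constructed: the allowlist, the benign sample line and the placeholder GUID."""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# HijackThis O17 line, e.g.
# O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.62,85.255.112.231
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")

# HijackThis abbreviations for control sets (assumed mapping, not from the page).
CONTROLSET = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}


class Finding(NamedTuple):
    key: str       # registry key as printed by HijackThis
    server: str    # resolver address found there
    reason: str


def parse_o17(lines: List[str]) -> Dict[str, List[str]]:
    """Map each O17 registry key to the resolver list it carries."""
    entries: Dict[str, List[str]] = {}
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries[m.group("key")] = servers
    return entries


def check_resolvers(entries: Dict[str, List[str]], allowed: List[str]) -> List[Finding]:
    """Flag every resolver that is not inside one of the allowed networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings: List[Finding] = []
    for key, servers in entries.items():
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append(Finding(key, server, "not an IP address"))
                continue
            if not any(addr in net for net in nets):
                where = "private" if addr.is_private else "public"
                findings.append(Finding(key, server, f"{where} resolver not on allowlist"))
    return findings


def expand_hjt_key(key: str) -> str:
    """Turn 'HKLM\\System\\CS2\\...' into the full key name a .reg/OTM script needs."""
    parts = key.split("\\")
    parts[0] = "HKEY_LOCAL_MACHINE"
    parts[1] = "SYSTEM"
    parts[2] = CONTROLSET.get(parts[2], parts[2])
    return "\\".join(parts)


def otm_reg_fix(findings: List[Finding]) -> str:
    """Draft an OTM ':reg' block that blanks NameServer on every flagged key
    (same shape as the fix posted in the thread; review before use).
    HijackThis elides the Interfaces path as '..'; such keys are skipped and
    must be completed by hand from the registry."""
    lines = [":reg"]
    for key in sorted({f.key for f in findings if ".." not in f.key}):
        lines.append(f"[{expand_hjt_key(key)}]")
        lines.append('"NameServer"=""')
    return "\n".join(lines)


# Constructed sample: line 2 is the O17 entry from the thread's log; line 3 is a
# benign entry pointing at a home router, with a placeholder interface GUID.
SAMPLE_LOG = r"""O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.62,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
""".splitlines()

# Constructed allowlist: the LAN router range only; a real one would add the ISP's resolvers.
EXPECTED_RESOLVERS = ["192.168.0.0/16"]


def scan_hjt_log(lines: List[str], allowed: List[str] = EXPECTED_RESOLVERS) -> List[Finding]:
    """Run the parser and the allowlist check over a whole HijackThis log."""
    return check_resolvers(parse_o17(lines), allowed)


if __name__ == "__main__":
    hits = scan_hjt_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.key}: {h.server} ({h.reason})")
    if hits:
        print(otm_reg_fix(hits))
```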

#5 lechau

lechau

    New Member

  • Members
  • 9 posts

Posted 09 July 2009 - 04:55 PM

Oh man, I can't believe it was that bad. I'll definitely work on cleaning it, but do you think for the long run it should be wiped?

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1D151405-7CDE-478A-B226-921BFC30DCCC}\\"NameServer"|"" /E : value set successfully!
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Bach Tran
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 15730914 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Owner
->Temp folder emptied: 3862 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 88487578 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 49909760 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 148.18 mb

OTM by OldTimer - Version 3.0.0.4 log created on 07092009_155820
Files moved on Reboot...
Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.38
Database version: 2400
Windows 5.1.2600 Service Pack 3

7/9/2009 5:51:19 PM
mbam-log-2009-07-09 (17-51-19).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 229981
Time elapsed: 1 hour(s), 0 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

#6 lechau

lechau

    New Member

  • Members
  • 9 posts

Posted 09 July 2009 - 04:56 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:25 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
E:\Program Files\McAfee\Common Framework\FrameworkService.exe
E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
E:\WINDOWS\system32\mfevtps.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\system32\SearchIndexer.exe
E:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\McAfee\Common Framework\udaterui.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Program Files\McAfee\Common Framework\McTray.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
E:\Program Files\Audio Deck\EnMixCPL.exe
E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
E:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\WINDOWS\system32\SearchProtocolHost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - E:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [EnvyHFCPL] E:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - Global Startup: Windows Search.lnk = E:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - E:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - E:\WINDOWS\system32\mfevtps.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - E:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6518 bytes

#7 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,104 posts
  • Gender:Female


Posted 09 July 2009 - 05:50 PM

Oh man, I can't believe it was that bad. I'll definitely work on cleaning it, but do you think for the long run it should be wiped?

That's a decision you have to make. Although it appears it's being removed, damage may have occurred.
From what I'm seeing now, let's hold off on that for right now.



Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================






NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, so please be patient.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Using Internet Explorer, visit http://www.kaspersky...apter=161739400

Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with the IE-Tab plugin
https://addons.mozil...efox/addon/1419


In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run


You may need several replies to post the requested logs, otherwise they might get cut off.


How's your computer now?

#8 lechau

lechau

    New Member

  • Members
  • 9 posts

Posted 10 July 2009 - 05:18 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 17:25:35
Records in database: 2456950
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 144254
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:16:15


File name / Threat name / Threats count
E:\Qoobox\Quarantine\E\WINDOWS\system32\drivers\_gaopdxqptkiqllnstyqxotobwucbfxmepfdjws_.sys.zip Infected: Trojan.Win32.Tdss.zos 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:27 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
E:\Program Files\McAfee\Common Framework\FrameworkService.exe
E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
E:\WINDOWS\system32\mfevtps.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\system32\SearchIndexer.exe
E:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\McAfee\Common Framework\udaterui.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
E:\Program Files\Audio Deck\EnMixCPL.exe
E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
E:\Program Files\McAfee\Common Framework\McTray.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
E:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Java\jre6\bin\java.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - E:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [EnvyHFCPL] E:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - Global Startup: Windows Search.lnk = E:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - E:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - E:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - E:\WINDOWS\system32\mfevtps.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - E:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TomTomHOMEService - TomTom - E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7157 bytes


My computer is running a lot better now. McAfee isn't getting disabled anymore.

#9 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,104 posts
  • Gender:Female


Posted 11 July 2009 - 06:29 AM

My computer is running a lot better now. McAfee isn't getting disabled anymore.

Yes, looking good now :tup:


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we knew in 2006; read this article:
http://www.clickz.co...cle.php/3561546
Additional info: http://vil.nai.com/v...nt/v_137262.htm
A side note about AIM Messenger, AOL user's and Viewpoint Manager. Viewpoint is one of the graphic engines that AOL uses and it is bundled with the application.
If you continue to use AIM Messenger, it would likely be reinstalled. Or if you receive some of the AOL E-cards it may ask you to download and run this program to view and run the graphics in E-cards.

Your call
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the
following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
(Description: Adobe reader startup - unnecessarily uses system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Don't miss or skip this next step; it will remove those malicious files from quarantine and set a clean restore point.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next open OTM, then click on "CleanUp". If you receive a warning from your Firewall please allow...In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.

Then reboot your computer.




You're good to go, good job!



Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, using free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.
Please note that these products can also be run for free without a licence as on-demand scanners.

Please read this article 'Safe Computing Practices'.
So how did I get infected in the first place?

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet...owcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsuppo...-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

#10 lechau

lechau

    New Member

  • Members
  • 9 posts

Posted 12 July 2009 - 01:01 AM

Thank you so much for taking the time to help me out with this, Juliet! You're the best.

#11 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,104 posts
  • Gender:Female


Posted 12 July 2009 - 06:26 AM

Glad we could help :sparkle:

#12 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,104 posts
  • Gender:Female


Posted 14 July 2009 - 09:48 PM

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.



