TechSpot

Malware infection - please help!

By alchemist
Apr 26, 2010
  1. Hi there,

    I recently managed to acquire some kind of malware infection on my girlfriend's computer...

    It came up originally as "Antimalware Doctor" and "XP defender". I tried to follow some online instructions for removal, using MBAM, but this closed as soon as I pressed "OK" at the end of the scan, without letting me clean up.

    The malware seemingly prevented access to safer-networking.com, making downloading spybot difficult, though I managed to get it in the end. Then it wouldn't update, and wouldn't scan without updating, so I got a friend to send the update file over. I managed to scan it, and it seemed to find a lot of stuff and clean it up.

    Then I tried to install avast!, and disable the copy of McAfee obtained from University - I wanted to have more control over the settings, as the uni copy's settings were fixed. I installed avast!, but it said the trial period had ended as soon as I installed it (even though I downloaded the free one), and I couldn't register or update at all. I tried to uninstall using add/remove programs, then using Zsoft uninstaller (which was on the system already), then tried to download the uninstall file from the avast website, but the first two didn't even show avast as present on the system, and I can't access the download from the website at all...

    Then I installed avira, which seems to be ok.

    Then, something called "XP antimalware" appeared, and I repeated the spybot scan and avira scan, and removed the threats found, but I still seem to be having problems...

    So, here are the symptoms:

    Diversion of google search results.

    Random opening of web pages.

    System restore blocked

    Microsoft office won't open

    Can't download latest IE from Microsoft, have only got IE5 on the computer so can't update things with it

    Can't uninstall avast!

    And that's all I can think of right now - I have used HijackThis and tried to remove one or two BHOs, but they persist...


    Sorry for going on a bit, and thanks so much for your help!
     
  2. choseninvisible

    choseninvisible TS Rookie

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, alchemist. I'll help with the malware.

    Please ignore the Stopzilla suggestion- it is not appropriate.

    Please follow these steps in our Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs in your next reply for review.

    Please do not run any other cleaning or scanning programs while I am helping you, unless I instruct you to. Do not use a Registry cleaner or make any Registry changes.
     
  4. alchemist

    alchemist TS Rookie Topic Starter

    Hi Bobbye,

    Thanks very much for your help - it may take a while for me to post the logs as they are on a computer a few hundred miles away right now - will do my best to be timely though!

    Thanks again!
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, whenever. Best I have all the logs together in the same post if you can.
     
  6. alchemist

    alchemist TS Rookie Topic Starter

    Avira

    Couldn't manage to run Malwarebytes' Anti-Malware. I did run Spybot, but couldn't locate the log. Also included the HijackThis log. Hope this is ok.


    Avira AntiVir Personal
    Report file date: 26 April 2010 20:03

    Scanning for 2042040 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 2) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : YOUR-447023AE6B

    Version information:
    BUILD.DAT : 10.0.0.567 32097 Bytes 19/04/2010 15:07:00
    AVSCAN.EXE : 10.0.3.0 433832 Bytes 01/04/2010 12:37:38
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04
    LUKE.DLL : 10.0.2.3 104296 Bytes 07/03/2010 18:33:04
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 19:27:49
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 17:37:42
    VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 16:37:42
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 05/03/2010 11:29:03
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 00:41:49
    VBASE006.VDF : 7.10.6.83 2048 Bytes 15/04/2010 00:41:49
    VBASE007.VDF : 7.10.6.84 2048 Bytes 15/04/2010 00:41:49
    VBASE008.VDF : 7.10.6.85 2048 Bytes 15/04/2010 00:41:49
    VBASE009.VDF : 7.10.6.86 2048 Bytes 15/04/2010 00:41:49
    VBASE010.VDF : 7.10.6.87 2048 Bytes 15/04/2010 00:41:49
    VBASE011.VDF : 7.10.6.88 2048 Bytes 15/04/2010 00:41:50
    VBASE012.VDF : 7.10.6.89 2048 Bytes 15/04/2010 00:41:50
    VBASE013.VDF : 7.10.6.90 2048 Bytes 15/04/2010 00:41:50
    VBASE014.VDF : 7.10.6.123 126464 Bytes 19/04/2010 00:41:50
    VBASE015.VDF : 7.10.6.152 123392 Bytes 21/04/2010 00:41:51
    VBASE016.VDF : 7.10.6.178 122880 Bytes 22/04/2010 00:41:51
    VBASE017.VDF : 7.10.6.179 2048 Bytes 22/04/2010 00:41:51
    VBASE018.VDF : 7.10.6.180 2048 Bytes 22/04/2010 00:41:51
    VBASE019.VDF : 7.10.6.181 2048 Bytes 22/04/2010 00:41:51
    VBASE020.VDF : 7.10.6.182 2048 Bytes 22/04/2010 00:41:51
    VBASE021.VDF : 7.10.6.183 2048 Bytes 22/04/2010 00:41:51
    VBASE022.VDF : 7.10.6.184 2048 Bytes 22/04/2010 00:41:51
    VBASE023.VDF : 7.10.6.185 2048 Bytes 22/04/2010 00:41:52
    VBASE024.VDF : 7.10.6.186 2048 Bytes 22/04/2010 00:41:52
    VBASE025.VDF : 7.10.6.187 2048 Bytes 22/04/2010 00:41:52
    VBASE026.VDF : 7.10.6.188 2048 Bytes 22/04/2010 00:41:52
    VBASE027.VDF : 7.10.6.189 2048 Bytes 22/04/2010 00:41:52
    VBASE028.VDF : 7.10.6.190 2048 Bytes 22/04/2010 00:41:52
    VBASE029.VDF : 7.10.6.191 2048 Bytes 22/04/2010 00:41:52
    VBASE030.VDF : 7.10.6.192 2048 Bytes 22/04/2010 00:41:52
    VBASE031.VDF : 7.10.6.203 120320 Bytes 26/04/2010 15:23:02
    Engineversion : 8.2.1.224
    AEVDF.DLL : 8.1.2.0 106868 Bytes 25/04/2010 00:41:58
    AESCRIPT.DLL : 8.1.3.27 1294714 Bytes 25/04/2010 00:41:58
    AESCN.DLL : 8.1.5.0 127347 Bytes 25/02/2010 18:38:41
    AESBX.DLL : 8.1.3.1 254324 Bytes 25/04/2010 00:41:58
    AERDL.DLL : 8.1.4.6 541043 Bytes 25/04/2010 00:41:57
    AEPACK.DLL : 8.2.1.1 426358 Bytes 19/03/2010 12:34:51
    AEOFFICE.DLL : 8.1.0.41 201083 Bytes 17/03/2010 11:09:46
    AEHEUR.DLL : 8.1.1.24 2613623 Bytes 25/04/2010 00:41:56
    AEHELP.DLL : 8.1.11.3 242039 Bytes 01/04/2010 16:05:25
    AEGEN.DLL : 8.1.3.7 373106 Bytes 25/04/2010 00:41:54
    AEEMU.DLL : 8.1.2.0 393588 Bytes 25/04/2010 00:41:53
    AECORE.DLL : 8.1.13.1 188790 Bytes 01/04/2010 16:05:25
    AEBB.DLL : 8.1.1.0 53618 Bytes 25/04/2010 00:41:53
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 12:03:38
    AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 12:03:35
    AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 16:47:40
    AVREG.DLL : 10.0.3.0 53096 Bytes 01/04/2010 12:35:46
    AVSCPLR.DLL : 10.0.3.0 83816 Bytes 01/04/2010 12:39:51
    AVARKT.DLL : 10.0.0.14 227176 Bytes 01/04/2010 12:22:13
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26/01/2010 09:53:30
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 12:57:58
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 15:38:56
    NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 14:41:00
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20
    RCTEXT.DLL : 10.0.53.0 97128 Bytes 09/04/2010 14:14:29

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +PFS,

    Start of the scan: 26 April 2010 20:03

    Starting search for hidden objects.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwfilesscanned
    [NOTE] The registry entry is invisible.
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\type
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\start
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\errorcontrol
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\group
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\group
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\spc3m7q
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\yvnf4xy6
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\mih8gj2e7
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\type
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\start
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\errorcontrol
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\spc3m7q
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\yvnf4xy6
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\mih8gj2e7
    [NOTE] The registry entry is invisible.

    The scan of running processes will be started
    Scan process 'vssvc.exe' - '39' Module(s) have been scanned
    Scan process 'avscan.exe' - '72' Module(s) have been scanned
    Scan process 'AVCENTER.EXE' - '59' Module(s) have been scanned
    Scan process 'wlcomm.exe' - '68' Module(s) have been scanned
    Scan process 'svchost.exe' - '43' Module(s) have been scanned
    Scan process 'SeaPort.exe' - '43' Module(s) have been scanned
    Scan process 'HPZIPM12.EXE' - '24' Module(s) have been scanned
    Scan process 'naPrdMgr.exe' - '34' Module(s) have been scanned
    Scan process 'soffice.bin' - '82' Module(s) have been scanned
    Scan process 'vstskmgr.exe' - '47' Module(s) have been scanned
    Scan process 'soffice.exe' - '20' Module(s) have been scanned
    Scan process 'mcshield.exe' - '60' Module(s) have been scanned
    Scan process 'ave.exe' - '48' Module(s) have been scanned
    Scan process 'C&WWLAN.EXE' - '34' Module(s) have been scanned
    Scan process 'FrameworkService.exe' - '69' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '19' Module(s) have been scanned
    Scan process 'ALCWZRD.EXE' - '29' Module(s) have been scanned
    Scan process 'jqs.exe' - '34' Module(s) have been scanned
    Scan process 'APDPROXY.EXE' - '39' Module(s) have been scanned
    Scan process 'AVGNT.EXE' - '50' Module(s) have been scanned
    Scan process 'HPZTSB08.EXE' - '22' Module(s) have been scanned
    Scan process 'MSNMSGR.EXE' - '138' Module(s) have been scanned
    Scan process 'HPSYSDRV.EXE' - '18' Module(s) have been scanned
    Scan process 'SSAAD.EXE' - '26' Module(s) have been scanned
    Scan process 'TEATIMER.EXE' - '29' Module(s) have been scanned
    Scan process 'UPDATERUI.EXE' - '35' Module(s) have been scanned
    Scan process 'TBMON.EXE' - '20' Module(s) have been scanned
    Scan process 'KBD.EXE' - '52' Module(s) have been scanned
    Scan process 'SOUNDMAN.EXE' - '24' Module(s) have been scanned
    Scan process 'SHSTAT.EXE' - '33' Module(s) have been scanned
    Scan process 'IGFXPERS.EXE' - '26' Module(s) have been scanned
    Scan process 'HKCMD.EXE' - '25' Module(s) have been scanned
    Scan process 'svchost.exe' - '37' Module(s) have been scanned
    Scan process 'sched.exe' - '50' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '64' Module(s) have been scanned
    Scan process 'AvastSvc.exe' - '67' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '104' Module(s) have been scanned
    Scan process 'svchost.exe' - '43' Module(s) have been scanned
    Scan process 'svchost.exe' - '38' Module(s) have been scanned
    Scan process 'svchost.exe' - '174' Module(s) have been scanned
    Scan process 'svchost.exe' - '44' Module(s) have been scanned
    Scan process 'svchost.exe' - '55' Module(s) have been scanned
    Scan process 'avshadow.exe' - '30' Module(s) have been scanned
    Scan process 'avguard.exe' - '60' Module(s) have been scanned
    Scan process 'lsass.exe' - '62' Module(s) have been scanned
    Scan process 'services.exe' - '55' Module(s) have been scanned
    Scan process 'winlogon.exe' - '64' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!
    Master boot sector HD2
    [INFO] No virus was found!
    Master boot sector HD3
    [INFO] No virus was found!
    Master boot sector HD4
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '2450' files ).


    Starting the file scan:

    Begin scan in 'C:\' <HP_PAVILION>
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155338-870.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155502-111.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155548-893.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163821-856.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163911-226.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-211321-352.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213142-366.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213348-240.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100425-195501-891.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    C:\WINDOWS\system32\drivers\mugcvmlh.sys
    [DETECTION] Is the TR/Rootkit.Gen Trojan
    C:\WINDOWS\system32\spool\prtprocs\w32x86\00000980.tmp
    [DETECTION] Is the TR/Meredrop.A.8358 Trojan
    C:\WINDOWS\system32\spool\prtprocs\w32x86\000025b5.tmp
    [DETECTION] Is the TR/Meredrop.A.8358 Trojan
    Begin scan in 'D:\' <HP_RECOVERY>

    Beginning disinfection:
    C:\WINDOWS\system32\spool\prtprocs\w32x86\000025b5.tmp
    [DETECTION] Is the TR/Meredrop.A.8358 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '46995e73.qua'.
    C:\WINDOWS\system32\spool\prtprocs\w32x86\00000980.tmp
    [DETECTION] Is the TR/Meredrop.A.8358 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5e0e71d4.qua'.
    C:\WINDOWS\system32\drivers\mugcvmlh.sys
    [DETECTION] Is the TR/Rootkit.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0c682149.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100425-195501-891.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6a5b6506.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213348-240.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '2fdf4838.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213142-366.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '50c47a59.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-211321-352.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '1c7c5613.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163911-226.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '60641643.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163821-856.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4d3e390e.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155548-893.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '54560294.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155502-111.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '380a2ea4.qua'.
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155338-870.dll
    [DETECTION] Is the TR/Ertfor.B.30 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '49b31731.qua'.


    End of the scan: 26 April 2010 21:42
    Used time: 1:38:49 Hour(s)

    The scan has been done completely.

    11268 Scanned directories
    676838 Files were scanned
    12 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    12 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    676826 Files not concerned
    15172 Archives were scanned
    0 Warnings
    11 Notes
    575462 Objects were scanned with rootkit scan
    17 Hidden objects were found
     
  7. alchemist

    alchemist TS Rookie Topic Starter

    HijackThis

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 21:53:56, on 27/04/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM32\HKCMD.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\SHSTAT.EXE
    C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.0\APPS\APDPROXY.EXE
    C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
    C:\WINDOWS\SYSTEM32\IGFXPERS.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
    C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\AVGNT.EXE
    C:\PROGRAM FILES\CABLE&WIRELESS\C&W_802.11G_UTILITY\C&WWLAN.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB08.EXE
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe
    C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.exe
    C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.bin
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    c:\program files\avira\antivir desktop\avcenter.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
    C:\WINDOWS\hh.exe
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
    O2 - BHO: C:\WINDOWS\system32\nizv3i.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Cable & Wireless 11g Wireless USB.lnk = C:\Program Files\Cable&Wireless\C&W_802.11g_Utility\C&WWLAN.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?8f3cee86c6194798af5898b27da23199
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?8f3cee86c6194798af5898b27da23199
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9}: NameServer = 93.188.162.37,93.188.166.126
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B3206333-EAFE-4F0C-8581-7076D885B94A}: NameServer = 93.188.162.37,93.188.166.126
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

    --
    End of file - 9812 bytes
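A note on what the two logs above show, with a worked example. This is added commentary and code written for this page, not a TechSpot, Avira or HijackThis tool. The Avira log reports a hidden service `mugcvmlh` in the registry and quarantines `C:\WINDOWS\system32\drivers\mugcvmlh.sys` as TR/Rootkit.Gen. The HijackThis log shows two things that line up with the "diversion of google search results" symptom: the O17 lines set the same two public addresses (93.188.162.37 and 93.188.166.126) as NameServer on every interface key and on the global Tcpip\Parameters key, which is not how a home machine normally gets its resolvers (they usually come from the router or ISP via DHCP), and the O2 BHO and the O22 SharedTaskScheduler entry share one CLSID pointing at `nizv3i.dll (file missing)`, so the registry hooks survive even though the DLL is gone. The script below parses a few lines copied from that log (the sample is constructed from the post; the O4 line is a benign control) and flags public DNS resolvers not on an allowlist, orphaned O2/O22 hooks, and CLSIDs registered in more than one section. The allowlist of trusted resolvers is an assumption the caller supplies; whether a given address is malicious is for the reader to verify against the ISP's resolvers, the script only surfaces it.

```python
"""Triage a HijackThis log for statically configured public DNS resolvers
(O17) and browser hooks whose backing DLL is gone (O2/O22).  Example code
written for this thread, not a TechSpot or HijackThis tool."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log above plus one
# ordinary O4 line as a control.  Raw string, so backslashes are literal.
SAMPLE_HJT_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\nizv3i.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9}: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_lines(log_text):
    """Yield (section, body) for every 'Onn - ...' line; skip everything else."""
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def untrusted_nameservers(log_text, trusted=frozenset()):
    """Return the set of O17 NameServer IPs that are neither private (router or
    LAN resolvers handed out by DHCP) nor on the caller's allowlist.  'trusted'
    is an assumption: fill it with the ISP's real resolvers before judging."""
    found = set()
    for section, body in parse_lines(log_text):
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        for token in m.group(1).split(","):
            token = token.strip()
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                found.add(token)  # a malformed value is itself worth a look
                continue
            if ip.is_private or token in trusted:
                continue
            found.add(token)
    return found


def orphaned_hooks(log_text):
    """Return [(section, clsid, path)] for O2/O22 entries HijackThis reports as
    '(file missing)'.  The registry hook outlives the DLL, so removing the file
    alone leaves a slot that a re-dropped DLL would fill on the next boot."""
    out = []
    for section, body in parse_lines(log_text):
        if section in ("O2", "O22") and "(file missing)" in body:
            clsid = CLSID_RE.search(body)
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip()
            out.append((section, clsid.group(0).upper() if clsid else None, path))
    return out


def clsid_reuse(log_text):
    """Map CLSID -> sorted sections it appears in, keeping only CLSIDs used in
    more than one section (one COM object hooked as both a BHO and a
    SharedTaskScheduler entry, as in the log above)."""
    seen = defaultdict(set)
    for section, body in parse_lines(log_text):
        for clsid in CLSID_RE.findall(body):
            seen[clsid.upper()].add(section)
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    print("public DNS not on allowlist:", sorted(untrusted_nameservers(SAMPLE_HJT_LOG)))
    for hit in orphaned_hooks(SAMPLE_HJT_LOG):
        print("orphaned hook:", hit)
    for clsid, sections in clsid_reuse(SAMPLE_HJT_LOG).items():
        print("CLSID registered in several sections:", clsid, sections)
```

Run against the sample it reports both 93.188.x addresses as public resolvers not on the (empty) allowlist, the O2 and O22 hooks as orphaned, and the shared CLSID as registered in two sections. Passing the ISP's resolvers in `trusted` is the check that separates a deliberate static DNS setting from one the owner never made.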
     
  8. alchemist

    alchemist TS Rookie Topic Starter

    DDS

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by HP_Owner at 7:55:56.90 on 27/04/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1015.310 [GMT 1:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\SHSTAT.EXE
    C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.0\APPS\APDPROXY.EXE
    C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
    C:\WINDOWS\SYSTEM32\IGFXPERS.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
    C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\AVGNT.EXE
    C:\PROGRAM FILES\CABLE&WIRELESS\C&W_802.11G_UTILITY\C&WWLAN.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB08.EXE
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe
    C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.exe
    C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.bin
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bbc.co.uk/news
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
    mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
    mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
    StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cable&~1.lnk - c:\program files\cable&wireless\c&w_802.11g_utility\C&WWLAN.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
    IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?8f3cee86c6194798af5898b27da23199
    IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?8f3cee86c6194798af5898b27da23199
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    TCP: NameServer = 93.188.162.37,93.188.166.126
    TCP: {7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9} = 93.188.162.37,93.188.166.126
    TCP: {B3206333-EAFE-4F0C-8581-7076D885B94A} = 93.188.162.37,93.188.166.126
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    STS: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\5kchrwyl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-24 162768]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-25 11608]
    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-8-4 58464]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-25 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-25 267432]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-25 60936]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-8-4 102463]
    R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
    R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]
    R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-8-4 108480]
    S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
    S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [2008-3-5 26656]
    S3 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-4-21 52080]
    S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2006-9-2 87824]
    S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2006-9-2 85696]
    S3 ZD1211U(Cable & Wireless);Cable & Wireless 802.11g Series Wireless LAN USB(Cable & Wireless);c:\windows\system32\drivers\ZD1211U.sys [2007-12-17 259584]
    S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2007-12-17 19200]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
    S4 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-24 64288]
    S4 opxi;opxi;c:\windows\system32\drivers\pdmqf.sys [2010-4-24 54016]

    ============== File Associations ===============

    scrfile="%1" %*

    =============== Created Last 30 ================

    2010-04-26 10:09:27 0 d-----w- c:\docume~1\hp_owner\applic~1\OpenOffice.org
    2010-04-26 09:49:22 0 d-----w- c:\program files\JRE
    2010-04-26 09:48:48 0 d-----w- c:\program files\OpenOffice.org 3
    2010-04-25 13:52:43 0 d-----w- c:\windows\pss
    2010-04-25 00:46:19 0 d-----w- c:\docume~1\hp_owner\applic~1\Avira
    2010-04-25 00:39:13 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-04-25 00:39:13 0 d-----w- c:\program files\Avira
    2010-04-25 00:39:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-04-24 20:46:36 0 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe
    2010-04-24 20:05:17 610 ----a-w- C:\unhookexec.inf
    2010-04-24 19:44:35 1341 ----a-w- C:\regtools.vbs
    2010-04-24 19:22:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-04-24 18:56:44 0 d-----w- c:\program files\CCleaner
    2010-04-24 14:59:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-04-24 14:58:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-04-24 14:24:03 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-24 14:24:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-04-24 14:15:08 54016 ----a-w- c:\windows\system32\drivers\pdmqf.sys
    2010-04-24 13:07:19 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
    2010-04-24 13:07:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-04-24 12:51:18 161280 ----a-w- c:\windows\Jgyxub.exe
    2010-04-24 12:43:34 49664 ----a-w- c:\windows\system32\pragmabbr.dll
    2010-04-24 12:43:27 49664 ----a-w- c:\windows\system32\pragmaserf.dll
    2010-04-24 12:43:25 0 d-----w- c:\docume~1\hp_owner\applic~1\Smart-Ads-Solutions
    2010-04-24 12:43:24 0 d-----w- c:\docume~1\hp_owner\applic~1\ezLife
    2010-04-24 12:43:22 0 d-----w- c:\windows\PRAGMAecrjibapuy
    2010-04-24 12:42:57 48272 ----a-w- c:\windows\system32\wjcqmdkppln.exe
    2010-04-24 12:42:56 823808 ----a-w- c:\windows\system32\drivers\mugcvmlh.sys
    2010-04-24 12:42:53 0 d-----w- c:\program files\Smart-Ads-Solutions
    2010-04-24 12:42:40 0 d-----w- c:\program files\ezLife
    2010-04-24 12:42:28 161280 ----a-w- c:\windows\Jgyxua.exe
    2010-04-24 12:42:12 0 d-----w- c:\docume~1\hp_owner\applic~1\D7456CDA39810E664ECE973CF6226D01
    2010-04-17 17:08:28 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-04-15 10:58:44 384512 ----a-w- c:\windows\system32\iskwdghfkwv.dll

    ==================== Find3M ====================

    2010-04-26 23:56:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
    2010-04-26 23:56:00 36352 ----a-w- c:\windows\system32\dllcache\disk.sys
    2010-04-26 09:47:37 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-23 16:17:23 46564 ----a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat
    2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\dllcache\vbscript.dll
    2010-03-10 05:21:20 1506304 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
    2010-03-10 05:21:13 1023488 ----a-w- c:\windows\system32\dllcache\browseui.dll
    2010-02-25 10:53:09 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
    2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:19:55 2181376 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-02-16 13:17:38 2137088 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-16 12:39:04 2058368 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-02-16 12:39:04 2016768 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\dllcache\6to4svc.dll
    2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:01:43 226880 ----a-w- c:\windows\system32\dllcache\tcpip6.sys
    2006-05-21 19:12:27 22 --sha-w- c:\windows\sminst\HPCD.sys

    ============= FINISH: 7:57:37.62 ===============
     
  9. alchemist

    alchemist TS Rookie Topic Starter

    GMER and attach

    Here are the final two logs. Many thanks for your help.
     

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The system has three antivirus programs running. Please remove two of them - keep only one. I am including tools to help with the uninstalls. Get only the two you're removing:
    Avast Removal
    McAfee Removal
    To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Choose the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.

    Multiple AV programs can make a system more vulnerable, not less, and they can also slow the system down.
    ==============================================
    Additionally, there is a fake AV program running here: Malwarebytes should remove it:
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe

    And there is a Rootkit. So we start here:
    ======================================
    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
    ===============================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    It's important you run only those programs I ask you to run and then only when I request them. I didn't need HJT yet, but you do need to run Malwarebytes. Please do not use any other cleaning or scanning programs while I'm helping you. Don't use a Registry cleaner or make any changes in the Registry.

    This system is badly infected. It's going to take some work. All of the cleaning tools will be removed when we're through.
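    The three things the helper picked out of the DDS log by eye (a process running from Local Settings\Application Data, a BHO/STS whose "name" is just the DLL path, and resolver addresses that do not belong to the home network) can be scripted. The triage below is an added example, not a tool from this thread; EXPECTED_RESOLVERS is an assumption and the sample lines are constructed from the log above plus one benign BHO line for contrast.

```python
"""Triage of a DDS log's process list and Pseudo HJT Report.

Added example for this thread, not a tool the helper used. It applies
three of the checks a helper makes by eye on a DDS log:
  1. a process running from a user's Local Settings\\Application Data
     folder (where ave.exe, the fake AV, was found),
  2. a BHO/STS entry whose display name is just the DLL path, meaning the
     object registered no name (nizv3i.dll in the log),
  3. TCP: NameServer entries pointing at resolvers outside an expected set.
"""
import re
from typing import List, Tuple

# Assumption: the home router at 192.168.1.1 is the only expected resolver.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# A path inside <profile>\Local Settings\Application Data (XP layout).
PROFILE_APPDATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\local settings\\application data\\", re.I)

# "BHO: <name>: {GUID} - <path>", and the same shape for STS entries.
BHO_RE = re.compile(
    r"^(?:BHO|STS):\s*(?P<name>.+?):\s*\{(?P<guid>[0-9a-f-]{36})\}\s*-\s*(?P<path>.*)$", re.I)

# "TCP: NameServer = a,b" or the per-interface form "TCP: {GUID} = a,b".
NS_RE = re.compile(
    r"^TCP:\s*(?:NameServer|\{[0-9a-f-]{36}\})\s*=\s*(?P<ips>[\d.,\s]+)$", re.I)


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for suspicious DDS lines."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Running-process lines are bare paths; flag ones in the profile's AppData.
        if line.lower().startswith("c:\\") and PROFILE_APPDATA_RE.search(line):
            findings.append(("process_in_profile_appdata", line))
            continue
        m = BHO_RE.match(line)
        if m:
            # A legitimately registered BHO carries a display name; a bare
            # path in the name slot means the DLL registered none.
            if m.group("name").strip().lower() == m.group("path").strip().lower():
                findings.append(("unnamed_browser_helper", m.group("path").strip()))
            continue
        m = NS_RE.match(line)
        if m:
            ips = [ip.strip() for ip in m.group("ips").split(",") if ip.strip()]
            unexpected = [ip for ip in ips if ip not in EXPECTED_RESOLVERS]
            if unexpected:
                findings.append(("unexpected_nameserver", ",".join(unexpected)))
    return findings


# Constructed sample: lines taken from the DDS log in this thread, plus one
# benign BHO line (Spybot's SDHelper.dll) for contrast.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r"C:\Program Files\Avira\AntiVir Desktop\avguard.exe",
    r"C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe",
    r"BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll",
    r"BHO: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll",
    r"STS: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll",
    r"TCP: NameServer = 93.188.162.37,93.188.166.126",
    r"TCP: NameServer = 192.168.1.1",
]


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"{kind}: {detail}")
```

    These are heuristics for a first look, not verdicts: a resolver outside the expected set is only worth chasing once the expected set really reflects the network the machine sits on.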
     
  11. alchemist

    alchemist TS Rookie Topic Starter

    Hi,

    Thanks very much for your reply.

    I've got a couple of issues here...

    Firstly, one of the problems is that we can't remove avast, though I have now downloaded the removal tool on another computer, so hopefully this will work.

    Secondly, while we did run malwarebytes originally (at the advice from another site when we first noticed the problems) it will no longer run on the system. Is there a way around this - perhaps a portable version? I can't seem to find one...

    Finally, when I did run malwarebytes, it went through the scan ok, but at the end it had a box with an "OK" button to say that the scan had finished, but as soon as I clicked it the program closed down, without allowing me to clean the system... Is there anything we can do about this?

    Thanks again for your help!
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Why can't you remove Avast? What happens when you try to do it? Did you boot into Safe Mode to run the tool? Try that.

    For the Malwarebytes problem: Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already. If it still doesn't work, uninstall the present MBAM and download, save and run it again, being sure to check the section to remove what it finds.

    Once done, try running a scan again.
     
  13. alchemist

    alchemist TS Rookie Topic Starter

    Latest logs

    Thanks for your help again. I attach the logs - with a bit of work I managed to remove the redundant virus software and malwarebytes seemed to work also.
     

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good start! Why I wanted you to run Malwarebytes:
    Registry Keys Infected: 20
    Registry Values Infected: 4
    Registry Data Items Infected: 10
    Folders Infected: 9
    Files Infected: 13


    Why I wanted you to run the TDSSKiller:
    Driver "atapi" infected by TDSS rootkit!
    ===================
    Now we make sure that all the bad stuff has been found and removed. Before you run the Combofix script, you must disable all of the running security programs - not just the AV. It means Spybot, AdAware, Avira and TeaTimer:
    Ad-Aware AE Ad-Watch Live! (if you have the paid AdAware)
    • Right click on the Ad-Aware icon in the system tray.
    • Click on Disable Ad-Watch Live!
    • (Once you are clean, you can re-enable Ad-Watch Live! by clicking on Enable Ad-Watch Live!.)
    • Right click the TeaTimer icon in the system tray.
    • Then click Exit Spybot-S&D Resident.
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy and double clicking on TeaTimer.exe.)
    ================================
    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\Program Files\uTorrent\uTorrent.exe
    c:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
    c:\documents and settings\HP_Owner\Application Data\uTorrent
    c:\Program Files\BitLord\BitLord.exe
    Folder::
    c:\program files\uTorrent
    c:\Program Files\BitLord
    Registry::

    Driver::

    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
    You can restart the security programs when finished.
    ====================
    Then Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.

    I will have you remove all of the cleaning tools when we're finished. I will need a scan with HijackThis if you'd like to do that now also:

    Please download HijackThis HERE.
    1. Save it to a permanent folder (such as C:\HJT).
    2. Open HijackThis, and select Do a system scan and save a logfile.
    3. A Notepad document will open. Please post the contents of that document.

    Edit: Forgot to mention this: I noticed this was done on 2010-04-24 19:44: C:\regtools.vbs. It's a script downloaded to Disable/Enable Registry Editing tools in Windows. Did you add this? The date is shown.
     
  15. alchemist

    alchemist TS Rookie Topic Starter

    latest logs

    Attached are the latest logs. The registry change on the date you mentioned was done by me, before I got in contact with techspot. Many thanks.
     

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My apology for the delay.
    I had BitLord removed in the script. When it was removed, it also put all the music downloads in quarantine - I should have given you the option first, whether you wanted to remove the file sharing programs and downloads.

    So I'm asking you now. Open the last Combofix report and view the music that was removed. IF you want it restored, I will try to remove it from quarantine back in to your system. There is a chance that some or any of the files could contain malware and while that has been removed, it could reinfect the system. But I can't pick and choose - so it's all or nothing. Please let me know.

    Sometimes, in trying to help get a system back into good shape, I make a decision on my own when I should have consulted the owner first.
     
  17. alchemist

    alchemist TS Rookie Topic Starter

    Hi there,

    No problem - not bothered about the downloads, can't even remember what they were!

    Cheers!
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay then. How is the system running? You should have picked up some speed. The original issues were:
    Do any remain? Are there any new problems? IF not, the system is now clean and you can:
    Remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if you have any problem setting the new, clean restore point.
     
  19. alchemist

    alchemist TS Rookie Topic Starter

    Thanks

    Thanks very much for all your help - everything seems back to normal now, and I have managed to clean up the tools we used, and set a new system restore point. Thanks again!
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Glad to help. Here are some tips to help keep the system clean:

    Please follow these simple steps to keep your computer clean and secure:

    1. Disable and Enable System Restore: See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
    5. Use an AntiVirus Software (only one).
    See Virus, Spyware, and Malware Protection and Removal Resources.

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls - both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security:
    • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop-up windows.

    If I can be of further assistance, please let me know.
     