Computer was infected- Need a second set of eyes?

Question

Comodore 27 Junior Poster

16 Years Ago

Hey guys,

I was running some antivirus scans from my Ultimate Boot CD (UBCD, www.ubcd4win.com) last night in an effort to find a solution for my inability to delete some folders on my D: drive (the problem persists, I have it posted under the Win XP forum) and I stumbled across some rather nasty infections. I had Microsoft.Windows.System and HitsLink, according to Spybot, and TR/Click.HD, 2 w95/Bumblebee.1738, and several TR/Dropper.gen infections according to Avira Antivir (Curiously, McAfee Stinger and Avast! came back clean. Also, NOD32 never saw any of these!). I managed to delete most of the infections there, then I replaced my NOD32 (which was a trial anyways, and it obviously missed these puppies!) with Antivir, ran another full scan, and re-removed some that weren't able to be removed from my UBCD.

I also downloaded AVG free and ran a fully updated scan. (I ensured that no active protection was installed, so AVG is an on-demand scanner I used for a second opinion to Antivir. It didn't come up with anything)

Anyways, long story short, my scans are comming back clean, but I'm still wary. So I was wondering if you guys would be willing to give me a second opinion on my HijackThis and ComboFix logs- I'm still very very new at reading them. I just learned about ComboFix yesterday, and started working on HijackThis logs today!

Here are the logs:

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:34 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Common Files\AOL\1199171857\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WorldCommunityGrid\ud_17956201.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WorldCommunityGrid\ud_17956201_0.dir\WCGrid_AutoDock.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.931jackfm.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /nodetect
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE" /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1199171857\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} (TMinReq Class) - https://my.sabre.com/jars/TMinReqX.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5110/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14166 bytes

===================================================

ComboFix

ComboFix 08-01-04.1 - John Henry Downing 2008-01-04 23:22:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1344 [GMT -8:00]
Running from: C:\Documents and Settings\John Henry Downing\Desktop\ComboFix(3).exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 23:22 . 2008-01-04 23:22 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-04 23:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 20:38 . 2008-01-04 20:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 14:08 . 2008-01-04 23:13 <DIR> d-------- C:\Documents and Settings\John Henry Downing\Application Data\AVG7
2008-01-04 14:06 . 2008-01-04 14:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-04 14:05 . 2008-01-04 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-04 14:05 . 2008-01-04 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-04 11:26 . 2008-01-04 11:26 <DIR> d-------- C:\Program Files\Avira
2008-01-04 11:26 . 2008-01-04 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-04 11:23 . 2008-01-04 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-04 11:18 . 2008-01-04 11:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-12-31 23:20 . 2007-12-31 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-31 23:18 . 2007-12-31 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-31 23:17 . 2007-12-31 23:17 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-12-31 23:17 . 2008-01-01 00:02 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-31 23:09 . 2007-12-31 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-30 23:17 . 2007-12-30 23:17 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-30 23:17 . 2007-12-30 23:17 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-29 21:13 . 2007-12-29 21:13 <DIR> d-------- C:\Documents and Settings\John Henry Downing\Application Data\wsInspector
2007-12-29 21:11 . 2007-12-29 21:12 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-12-28 09:41 . 2007-12-28 09:41 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-24 22:22 . 2008-01-04 23:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-24 22:22 . 2007-12-24 22:22 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-24 22:12 . 2007-12-24 22:13 <DIR> d-------- C:\Program Files\iTunes
2007-12-24 22:12 . 2007-12-24 22:12 <DIR> d-------- C:\Program Files\iPod
2007-12-24 22:10 . 2007-12-24 22:10 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 22:09 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-24 22:08 . 2007-12-24 22:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-23 09:52 . 2007-12-23 09:52 <DIR> d-------- C:\Program Files\Alex Feinman
2007-12-19 21:35 . 2007-12-27 23:22 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2007-12-19 21:35 . 2007-12-19 21:35 <DIR> d-------- C:\Documents and Settings\John Henry Downing\Application Data\HouseCall 6.6
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-10 18:57 . 2007-12-28 09:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-10 18:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 07:13 --------- d-----w C:\Program Files\WorldCommunityGrid
2008-01-05 07:11 47,104 ----a-w C:\WINDOWS\system32\Rpcnet.dll
2008-01-05 07:11 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
2008-01-05 04:06 --------- d-----w C:\Program Files\a-squared Free
2008-01-05 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-04 21:52 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-04 21:15 --------- d-----w C:\Program Files\music_now
2008-01-04 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 05:13 --------- d-----w C:\Program Files\Furcadia
2008-01-04 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dragon's Eye Productions
2007-12-31 07:18 --------- d-----w C:\Documents and Settings\John Henry Downing\Application Data\Comodo
2007-12-31 07:17 139,008 ----a-w C:\WINDOWS\system32\guard32.dll.vir
2007-12-31 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-12-30 05:14 --------- d-----w C:\Documents and Settings\John Henry Downing\Application Data\SiteAdvisor
2007-12-26 21:25 --------- d-----w C:\Documents and Settings\John Henry Downing\Application Data\Apple Computer
2007-12-22 23:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 05:57 --------- d-----w C:\Program Files\Trillian
2007-12-20 06:09 --------- d-----w C:\Documents and Settings\John Henry Downing\Application Data\AdobeUM
2007-12-19 22:54 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-04 03:14 --------- d-----w C:\Program Files\Google
2007-12-03 06:01 --------- d-----w C:\Program Files\GemMaster
2007-12-01 05:41 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2007-11-30 23:01 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.dll
2007-11-27 03:41 --------- d-----w C:\Program Files\Apple Software Update
2007-11-27 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-23 21:19 --------- d-----w C:\Program Files\Comodo
2007-11-13 19:43 --------- d-----w C:\Program Files\Activision
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 05:25 --------- d-----w C:\Documents and Settings\John Henry Downing\Application Data\U3
2007-11-05 21:21 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-05 21:19 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 23:08 164 ----a-w C:\install.dat
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2005-09-24 23:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2007-07-15 22:11 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2007-07-02 14:17 2274608 --a------ C:\Program Files\Mozy\mozyshell.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2007-07-02 14:17 2274608 --a------ C:\Program Files\Mozy\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 04:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 01:49 454656]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-04-15 17:26 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 10:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 04:46 761948]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 20:54 102400]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 12:38 131072]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 07:03 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 09:23 1187840]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 12:00 98304]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 10:05 36640]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 18:49 338432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2007-12-30 23:17 1481472]
"HostManager"="C:\Program Files\Common Files\AOL\1199171857\ee\AOLSoftware.exe" [2007-04-12 13:23 42032]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-04 13:05 249896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-04 14:06 579072]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40 5367608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-04 14:06 219136]

C:\Documents and Settings\John Henry Downing\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-11-12]
World Community Grid Agent.lnk - C:\Program Files\WorldCommunityGrid\UD.EXE [2005-04-29 13:12:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Mozy Status.lnk - C:\Program Files\Mozy\mozystat.exe [2007-08-08 12:03:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-30 23:17]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-30 23:17]
R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys [2007-07-02 14:17]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 13:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d23557e7-2e37-11dc-9c09-001302ae8eef}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 03:41:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-25 06:05:03 C:\WINDOWS\Tasks\HPCeeSchedule.job"
- C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
"2007-11-25 01:57:45 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
"2008-01-04 23:00:15 C:\WINDOWS\Tasks\wrSpySweeper_L58AAAE7BE44A43E99CA5913B90DBFA19.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L58AAAE7BE44A43E99CA5913B90DBFA19
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
ExcludeLocations=F:\
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 23:24:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-04 23:25:29
ComboFix-quarantined-files.txt 2008-01-05 07:25:26
.
2007-12-12 00:36:10 --- E O F ---

===========================================================

Any insight would be appreciated!

Thanks for your time,

--The Comodore

//EDIT

Oh, and I forgot, this system is a HP Pavillion DV8000 laptop (2.66 GHz Intel Centrino Duo, 2GB DDR2 memory, 2x 80 GB HDD, NVidia GeForce GO 7600)

Hope this helps,

--The Comodore

EDIT//

windows-virus

4 Contributors
9 Replies
406 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by gerbil

All 9 Replies

crunchie 990 Most Valuable Poster

16 Years Ago

Don't run two antivirus programs at the same time! (I wish you could but it's a bad idea). They'll conflict with eachother (espeically the active protection), each will think parts of the other to be viruses, and just general bad things can happen. It can lead to system lockups and unbootable systems! Neither program will work correctly, either, so you will be *vulnerable to attacks* :p

tut tut :D.

digitalocksmith 52 Posting Whiz in Training

16 Years Ago

‡‡Please print out or copy this page to Notepad since you will can not have any of browsers open while you are fixing this and try to follow it as closely as possible taking it step by step.

If you have any of the below apps installed, uninstall them and update with my suggestions

‡‡Chose either Avira or AVG as your AV, uninstall the other and Update the Antivirus program.

‡‡Please download Spybot Search and Destroy install it and update the program.

[hide]

http://www.safer-networking.org/en/mirrors/index.html

[/hide]

‡‡Please download VundoFix.exe to your desktop. Ignore the AntiVirus warnings and download it anyway because you need to run it. Wait on installation and running.

[hide]

http://www.atribune.org/ccount/click.php?id=4

[/hide]

‡‡Download CleanUp! and install it. Wait on installation and running.

[hide]

http://www.stevengould.org/downloads/cleanup/CleanUp452.exe

[/hide]

‡‡Please download following program CWSHREDDER. Wait on installation and running.

[hide]

http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

[/hide]

‡‡Download about:Buster and save it to your desktop. When it has finished downloading, unzip the folder to your desktop as well. You should now be left with an aboutbuster folder on your desktop.Wait on installation and running.

[hide]

http://www.malwarebytes.org/AboutBuster.zip

[/hide]

‡‡I would suggest though that you download CCleaner. It is a great little program that I use every time I close my browser to get rid of temporary files. I usually just run the cleaner part every time I'm done with the browser.During the install there will be check marks for checking for updates that part I do not use and also to install a tool bar for yahoo or something. Make sure those are unchecked unless you want another tool bar, It is a very safe program and it is free.(CCleaner Quick Setup: Go to > Options > Advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware. files!)

[hide]

http://www.ccleaner.com/

[/hide]

_____________________________________________________________

‡‡Now make sure no files are hidden. To do this:
For XP go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
For Vista go to the Control Panel->Appearance and Personalization
Under the Folder Options, click Show Hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
You may change the above options back after your log is clean.

‡‡Turn off system restore.

Steps to turn off System Restore for XP:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
After a few moments, the System Properties dialog box closes.
Steps to turn off System Restore for Vista:
1. Control Panel -> System Maintenance -> Back Up and Restore Center
2. On the right column, click on "create a restore point or change settings" (this requires administrator's password if set)
3. Uncheck all drives.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
After a few moments, the System Properties dialog box closes.

‡‡Do all steps below in safe mode except for at the end when you generate a new HiJackThis log.

‡‡Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (Repeatedly).

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.

‡‡Please run HijackThis and click "Scan". Place checks next to the following entries if still present in the code and close all browser and other windows except for HijackThis, and click "Fix Checked".

R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)

‡‡Run your Antivirus and do a full scan remember this is all in safe mode.

‡‡Run Spybot Search and Destroy and do a full scan remember this is all in safe mode.

‡‡Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

*Click "Options..."

*Move the arrow down to "Custom CleanUp!"

*Only Check the following for now:

-Empty Recycle Bins

-Delete Cookies

-Delete Prefetch Files

-Clean up All Users

*Uncheck the following:

-Delete Newsgroup cache

-Delete Newsgroup Subscriptions

*Press the Temporary Files Tab and check.

-Scan drives for files matching

Click OK

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup or MOVE THEM out of the Temp folder before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

‡‡Install and run CWSHREDDER

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

‡‡Double-click on the AbouBuster.exe icon.

Click Begin scan. Close when completed.

It is advised that you run the AbouBuster twice in a row to make sure you get all the infections.

_____________________________________________________________

NOTE For AboutBuster: If you recieve the error"Run-time error '339': Component 'comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid".

Look here for help >

[hide]http://forum.astalavista.ms/viewtopic.php?p=268058#268058[/hide]

_____________________________________________________________

‡‡Double-click VundoFix.exe to run it(Do this a few times until nothing shows up).

‡‡Then install CCleaner but note it installs the Yahoo Toolbar as an option which IS check marked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option.

Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours

Then select the items you wish to clean up.

In the Windows Tab:

* Clean all entries in the "Internet Explorer" section except Cookies.

* Clean all the entries in the "Windows Explorer" section.

* Clean all entries in the "System" section.

* Clean all entries in the "Advanced" section.

* Clean any others that you choose.

In the Applications Tab:

* Clean all except cookies in the Firefox/Mozilla section if you use it.

* Clean all in the Opera section if you use it.

* Clean Sun Java in the Internet Section.

* Clean any others that you choose.

Click the "Run Cleaner" button.

A pop-up box will appear advising this process will permanently delete files from your system.

Click "OK" and it will scan and clean your system.

Click the "Issues" button.

Click the "Scan For Issues" button.

Click the "Fix Selected Issues" button.

Click the "Fix All Selected Issues" button.

Click "OK"

Click "Close" when done.

‡‡Reboot into Normal Mode. Turn System Restore back on and create a restore point.

Steps to turn on System Restore For XP:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
4. Click OK.

After a few moments, the System Properties dialog box closes.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

To create a Restore point for Vista:
1.Control Panel – System Maintenance – Back Up and Restore Center. On the right column, click on "Create A Restore Point Or Change Settings" (This requires Administrator's password if set.) Put a check on the drive your OS is on. Then click on the Create button. Type in a name and then click OK.

‡‡Do another scan with HiJackThis in normal windows mode and post your new log file here for final verification. Make sure it is a new log file.

Also let us know how the systems overall condition is now.

crunchie 990 Most Valuable Poster

16 Years Ago

O2 - BHO: (no name) - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)

Comodore commented: Thanks, I feel more confident about the state of my computer now. :) +1

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Thanks, I feel more confident about the state of my computer now. :)

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 1 · 2008-01-05T16:39:43+00:00

‡‡Please download Spybot Search and Destroy install it and update the program.

He already has it.

‡‡Please download VundoFix.exe to your desktop. Ignore the AntiVirus warnings and download it anyway because you need to run it. Wait on installation and running.
[hide]
http://www.atribune.org/ccount/click.php?id=4
[/hide]

I see no sign of a Vundo infection there.

‡‡Please download following program CWSHREDDER. Wait on installation and running.
[hide]
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
[/hide]

I see no sign of a coolwebsearch infection either.

‡‡Download about:Buster and save it to your desktop. When it has finished downloading, unzip the folder to your desktop as well. You should now be left with an aboutbuster folder on your desktop.Wait on installation and running.
[hide]
http://www.malwarebytes.org/AboutBuster.zip
[/hide]

I don't see an about:blank infection either.

‡‡Turn off system restore.

imo it is better to have a bad restore point than none at all if things go wrong.

I see two pretty clean logs there with only a couple of orphaned entries that need fixing.

Comodore 27 Junior Poster · Answer 2 · 2008-01-06T01:02:57+00:00

Thanks for all your help, guys.

As for the "Tutting" from crunchie, I got AVG as an *on demand* scanner, temporarily. Geez, I said it *might* work. :p (The article I referenced in that post said that was a fine practice. Its active protection you need to worry about.)

So far, I like Avira better. Seems to be more thorough, but it takes over 10 hours to run a full scan? (Maybe that was just because I was also running Spy Sweeper and A-squared free at the same time...)

Locksmith, thanks for the long list of fixes- I'll keep this thread bookmarked for future reference!

And thank you again, crunchie, for easing my workload and giving me the second opinion I wanted to hear. :)

So, to take care of those orphaned entries, would I use CCleaner to clean the registry, or is there something further I should do?

And I think I'll run another battery of scans (minus AVG, of course :p ) in safe mode overnight tonight.

Thanks again, guys!

--The Comodore

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 3 · 2008-01-06T05:37:56+00:00

Thanks for all your help, guys.
As for the "Tutting" from crunchie, I got AVG as an *on demand* scanner, temporarily. Geez, I said it *might* work. :p (The article I referenced in that post said that was a fine practice. Its active protection you need to worry about.)

But they are both running in your processes and from the 'Run' keys :).

So, to take care of those orphaned entries, would I use CCleaner to clean the registry, or is there something further I should do?

Use hijackthis.

Comodore 27 Junior Poster · Answer 4 · 2008-01-06T08:19:40+00:00

Alright. Which ones do you recognize as orphaned?

Thanks,

--The Comodore

Comodore 27 Junior Poster · Answer 5 · 2008-01-06T09:58:56+00:00

O2 - BHO: (no name) - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)

Good thinking :p

Thanks, I'm marking as solved!

All the best,

--The Comodore

gerbil 216 Industrious Poster · Answer 6 · 2008-01-06T19:36:17+00:00

Hiya, Comodore....
AVs... I don't know too much about how AV services work, but I do know that if you have an active AV service installed and started then it works in the background full time. In fulfilling that role they scan any process which starts and any files that are opened. Then of course they also have an on-demand function - with that you can scan all or sections of your puter so even if files, executables etc are not being used they can be checked.
But the point of this is that if a further active AV service's processes are running [in the background], its files are being used etc, so they will be checked by the first service, and vice versa. So even if you are not using one active AV to run a demand scan it is still active. And conflicting. Active/resident AVs integrate themselves very deeply into your OS whereas an online scanner does not; you can use the latter as on-demand scanners.
Hope this helps...

Computer was infected- Need a second set of eyes?

Recommended Answers Collapse Answers

All 9 Replies

Recommended Answers