How to remove FraudTool.Win32.Spywarebot etc from Restore folder

Discussion in 'Windows - Virus and spyware problems' started by pgran, Jul 6, 2008.

  1. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Hello everyone,

    Have spent most of today trying to clean up my PC (XP SP2) running various spyware and virus scans. Found out that I had unintentionally downloaded SpywareStop thinking it was a new version of SpyBot and want to get all of associated files off of my machine. (Devious little bugger that SpywareStop--can't believe I fell for it!)

    I downloaded Spybot and then uninstalled SpywareStop. Not 100% sure, but it appears to be gone (I read somewhere that it's impossible to uninstall it). But both Kaspersky and the spyware scan built into Comcast's toolbar (which I ran as a lark to see how effective it is) are both finding some files in my Sys Restore folder that Spybot did not detect. Does anyone know how to get rid of these?

    Here's the Kaspersky report on those files:

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP113\A0121504.rbf
    Infected: not-a-virus:FraudTool.Win32.SpywareBot.o skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0122490.rbf
    Infected: not-a-virus:FraudTool.Win32.SpywareBot.m skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125436.dll
    Infected: not-a-virus:FraudTool.Win32.SpywareStop.z skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125437.dll
    Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.ei skipped

    And here's what the Comcast scan detected:

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125436.dll
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125436.dll

    I tried to research the FraudTool.Win32 files, but found next to nothing about them.

    Thankfully, none of the scans picked up anything else except some cookies, items in NAV Internet Security quarantine and some unnecessary garbage in System StartUp.

    I actually started all of this scanning because my system is too slow at startup. Takes a good 2 minutes before I can start running programs. Also if more than say 5 tabs are open in IE 7.0, it slows the whole system down and my machine starts whirring like a vaccuum cleaner on its last legs--and it's a reasonably new machine which should be able to handle it, esp when I'm not trying to run anything else at the same time.

    Anyway, I feel that those files are somehow related to SpywareStop, but I'm not sure. If anyone can tell me the best course of action to remove them from my Restore folder, or whether I SHOULD remove them, I would really appreciate it.

    Thanks!
     
  2. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    PS: I also dl'd SmitFraudFix from a link on this site. Should I consider it a coincidence that the minute I started the dl, Norton Internet Security detected IEDefender also trying to install itself? I'm reading on another website that SmitFraud is another name for the Zlob Trojan. It seemed that a lot of posters here recommended it, so that's why I downloaded it. Norton supposedly removed IEDefender, but now I'm concerned about whether SmitFraud is legit! I'm also thinking Spybot should have stopped this download as I tweaked IE settings there to prevent unauthorized changes to my browser.

    Anyhow, the report is below.

    SmitFraudFix v2.329

    Scan done at 20:13:57.50, Sun 07/06/2008
    Run from C:\Documents and Settings\Lucy\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\TrueAssistant\TrueAssistant.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\CSCRIPT.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lucy


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lucy\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Lucy\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
    !!!Attention, following keys are not inevitably infected!!!

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
    DNS Server Search Order: 68.87.76.178
    DNS Server Search Order: 68.87.78.130

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.66.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.66.196
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi pgran,

    Assuming you are clean of malware, except the traces left in the System Restore, do the following to purge it.

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can re-infect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.



    If your Anti Virus still finds virus traces, you may need to do some deeper cleaning..

    2OG
     
  4. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Hi 2OldGeek,

    Thanks--I was going to do that, but wanted someone else to look at the scan logs and make sure it was the right thing. Did you happen to notice anything unusual in the SmitFraudFix scan? I'm not sure how to read it.

    I re-ran a Norton full scan as well as SpyBot full scan last night. Neither found anything. I could re-do the Kapersky scan, but the scan log above took 2 hours to complete and those were the only suspicious files found yesterday afternoon. Think I'm safe to go for it, or should I dl and try some other programs first?
     
  5. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hey pgran,

    I see nothing in your SmidFraud Log that would be detrimental.

    Sounds like you got it but, if you are still leery, just post a HJT log and I will look it over..

    2OG
     
  6. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Will do, 2OG and will post as soon as I have a chance. Thanks much for the great assistance! If it weren't for user forums, even us Geeks In Training would be lost.
     
  7. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    2OG: HijackThis log is below. I don't think it found anything.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:55:54, on 7/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\TrueAssistant\TrueAssistant.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149540429296
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 12990 bytes
     
  8. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hey pgran,

    You’re Clean but It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.
    I recommend and use Avira AntiVir free.


    Other than that, you’re good to go.

    2OG
     
  9. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    2OG,

    I'm running Norton Internet Security with virus protection--total system hog. What did you mean about not having a virus scanner?
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Sorry, pgran, it was 6am and I had been up all night. I was working 5 threads and got a little mixed up. I’m OLD, give me a break….. LOL

    You’re OK, do you have any problems??? If not you’re good to go..

    2OG
     
  11. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    LOL no worries! Had me nervous there for a minute. I'm going to run one last Spybot and Norton full scan (paranoia!), then I'll create a new restore point and run cleanup of the old ones.

    I was now just checking through my Norton Security settings and found that it had been set NOT to scan the system volume folder. Hmmm, wonder how THAT happened?
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    OK, hang in there and Safe Surfing…..

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    This is a great first line of defense. Check it out:

    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

    2OG
     
  13. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for the tip, I'll check it out. I think Spybot has something similar built into the IE tweaks settings.

    Next up, I need to figure out what is slowing my machine down at startup..besides all this anti-spy, anti-malware, anti-virus stuff I have loaded!
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Yes, SB has it but not as complete and when you install MVPS, SB will merge with it and if it has any new sites they will be added to the list. MVPS updates about 1 or 2 times a month.

    I have a Host file that contains about 70,000 blocked sites and I have never got a virus/Trojan from surfing the net. If a site is Bad, you won’t be able to connect to it….

    Like I said check it out. Read the info on the site I gave you.

    I use HostXpert to manage my Host file, it’s available on the MVPS site also.

    2OG
     
  15. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Ok, I managed to manually replace the original Hosts file with the MVPS Hosts file (it wouldn't do it automatically). But I'm having trouble understanding whether or not I need to change the DNS client service setting. It's currently set to Automatic. The instructions for getting this set up aren't terribly clear.
     
  16. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    PS: If it makes any difference, I do occasionally need to upload/publish webpages, etc. If I disable the DNS client service, will that prevent me from uploading to my sites? I also use Carbonite for file backup. Below is the log of all services running if it helps. I know there are services running I don't need/use, but it's hard for me to know which ones to disable.

    Image Name PID Services
    ========================= ====== =============================================
    System 4 N/A
    SMSS.EXE 556 N/A
    CSRSS.EXE 872 N/A
    WINLOGON.EXE 896 N/A
    SERVICES.EXE 940 Eventlog, PlugPlay
    LSASS.EXE 952 PolicyAgent, ProtectedStorage, SamSs
    SVCHOST.EXE 1140 DcomLaunch, TermService
    SVCHOST.EXE 1208 RpcSs
    SVCHOST.EXE 1332 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
    dmserver, ERSvc, EventSystem,
    FastUserSwitchingCompatibility, helpsvc,
    lanmanserver, lanmanworkstation, Netman,
    Nla, RasMan, Schedule, seclogon, SENS,
    SharedAccess, ShellHWDetection, srservice,
    TapiSrv, Themes, TrkWks, w32time, winmgmt,
    wscsvc, wuauserv, WZCSVC
    SVCHOST.EXE 1496 Dnscache
    SVCHOST.EXE 1584 LmHosts, RemoteRegistry, SSDPSRV, WebClient
    ccSvcHst.exe 1660 ccEvtMgr, ccSetMgr, CLTNetCnService,
    LiveUpdate Notice
    explorer.exe 2004 N/A
    LEXBCES.EXE 656 LexBceS
    LEXPPS.EXE 684 N/A
    spoolsv.exe 728 Spooler
    AluSchedulerSvc.exe 1748 Automatic LiveUpdate Scheduler
    CarboniteService.exe 1828 CarboniteService
    MDM.EXE 1848 MDM
    NPROTECT.EXE 264 NProtectService
    NOPDB.exe 428 Speed Disk service
    sprtsvc.exe 452 sprtsvc_dellsupportcenter
    symlcsvc.exe 500 Symantec Core LC
    wdfmgr.exe 540 UMWdf
    FXSSVC.EXE 2292 Fax
    WMIPRVSE.EXE 2680 N/A
    smax4pnp.exe 3096 N/A
    ALG.EXE 3300 ALG
    DMXLauncher.exe 3320 N/A
    tfswctrl.exe 3708 N/A
    hpwuSchd2.exe 4080 N/A
    ccSvcHst.exe 4084 N/A
    hkcmd.exe 1608 N/A
    igfxpers.exe 1684 N/A
    ISUSPM.exe 1892 N/A
    realsched.exe 2340 N/A
    sprtcmd.exe 2348 N/A
    CarboniteUI.exe 2756 N/A
    GoogleDesktop.exe 2768 N/A
    GoogleToolbarNotifier.exe 2776 N/A
    TeaTimer.exe 2792 N/A
    AcroTray.exe 4060 N/A
    DLG.exe 3972 N/A
    TrueAssistant.exe 2808 N/A
    OUTLOOK.EXE 1492 N/A
    WINWORD.EXE 124 N/A
    iexplore.exe 1704 N/A
    GoogleDesktop.exe 2864 N/A
    Navw32.exe 3080 N/A
    CMD.EXE 1816 N/A
    TASKLIST.EXE 3584 N/A

    C:\Documents and Settings\Lucy>
     
    Last edited: Jul 8, 2008
  17. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    oops wrong thread

    hehe I was right the first time, just thought I was wrong. My first mistake lol
     
    Last edited: Jul 8, 2008
  18. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Perfect! Thanks again for all your help. I threw my back out on Saturday at work, so I decided to use the downtime to get my machine straightened out. The more I learn, the more I don't know anything it would seem.
     
  19. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I have been working about 10 different threads on 3 different forums and that’s too much for an OLD Guy.. I gonna knock off some for a while, but this will be open if you have any more questions..

    2OG
     
  20. pgran

    pgran Member

    Joined:
    Jul 6, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Hi 2OG, good that you actually rest sometimes! I just got home and reset the RP and flushed the old ones before I left. Didn't have time to do any extra scanning for those files, so I ran Kapersky on the System Volume Information folder only--no nasties found. None in Comcast's Pest Patrol either, however that program is still detecting traces of Spyware stop in some of the registry (?) keys as follows:

    "hkey_current_user\software\spywarestop\settings" value "alldrives" data "0"
    "hkey_current_user\software\spywarestop\settings" value "scandeep" data "0"


    I realize it's often impossible to completely remove all traces of a program. What do you think about these two hits? None of the other scanners I have picked it up.
     

Share This Page