Hi, I have been asked to help out on a friend's computer which is running very slowly indeed (almost to a standstill!) and suffering from intermittent, random pop ups. I have been through with an anti virus program and 4 viruses were discovered. Having enjoyed a great response from users here when posting before, and having limited expertise myself, I wonder if anyone could offer any advice on what action needs taking based on the following hijackthis log? Any further suggestions as to what steps I could take would also be much appreciated! Logfile of HijackThis v1.99.1 Scan saved at 10:37:59, on 18/08/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ahmxpwst.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\TridiaVNC\win32\WinVNC.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Network Associates\VirusScan\mcconsol.exe C:\Program Files\Network Associates\VirusScan\SCNCFG32.EXE C:\Program Files\Network Associates\VirusScan\scan32.exe C:\Documents and Settings\broker\My Documents\My Internet\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Misys Financial Systems Ltd. O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing) O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TridiaVNC\win32\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\cqimrrhh.dll",forkonce O4 - HKLM\..\Run: [ovbsnkq] c:\windows\system32\ovbsnkq.exe ovbsnkq O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O14 - IERESET.INF: START_PAGE_URL=about:blank O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD14CC-EFE1-43BF-9BFF-B3A02CCA963D}: NameServer = 192.168.100.244 O23 - Service: DomainService - - C:\WINDOWS\System32\ahmxpwst.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TridiaVNC Server (winvnc) - Unknown owner - C:\Program Files\TridiaVNC\win32\WinVNC.exe" -service (file missing) Many thanks!
Hi CovMan Rename HijackThis.exe 1. Right click on the HijackThis icon. 2. Select Rename. 3. Now type the following scanner.exe <<< NOTE: make sure to put period before exe when typing. Hit the enter key on keyboard. Double click on Scanner.exe. Click on Do a system scan and save a logfile. Post log in next reply.
Hi, Thanks for the reply - I won't be able to get back to my friend's computer till tomorrow at the earliest, but as soon as I do then I will post the log here. Thanks for the advice so far!
I have finally managed to access the computer and have renamed as requested! Viruses keep popping up and the cpu usage is constantly at 100%! Any advice much appreciated! Logfile of HijackThis v1.99.1 Scan saved at 10:05:32, on 01/09/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ahmxpwst.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\TridiaVNC\win32\WinVNC.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\System32\taskmgr.exe C:\Documents and Settings\broker\My Documents\My Internet\hijackthis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Misys Financial Systems Ltd. O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: H - {0A145003-CCA1-48e2-BADF-18331C76FC5F} - aswwer.dll (file missing) O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\System32\pmnmjig.dll O2 - BHO: (no name) - {AADAF4A7-5368-49E8-9126-08C62C586741} - C:\WINDOWS\System32\mllji.dll O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\lyfusncr.dll O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing) O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TridiaVNC\win32\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe O4 - HKLM\..\Run: [ovbsnkq] c:\windows\system32\ovbsnkq.exe ovbsnkq O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\upjlmvvy.dll",realset O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O14 - IERESET.INF: START_PAGE_URL=about:blank O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD14CC-EFE1-43BF-9BFF-B3A02CCA963D}: NameServer = 192.168.100.244 O20 - Winlogon Notify: fccabcy - fccabcy.dll (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: mllji - C:\WINDOWS\System32\mllji.dll O20 - Winlogon Notify: pmnmjig - C:\WINDOWS\SYSTEM32\pmnmjig.dll O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing) O23 - Service: DomainService - - C:\WINDOWS\System32\ahmxpwst.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TridiaVNC Server (winvnc) - Unknown owner - C:\Program Files\TridiaVNC\win32\WinVNC.exe" -service (file missing)
Hi Download ComboFix from Here or Here to your Desktop. * Double click combofix.exe and follow the prompts. * When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall post: C:\combofix.txt Fresh HiJackThis log
Hi, Thanks for the advice - I ran the combofix - which did take a while, probably because of the state of the computer! But upon rebooting, everything seems to be running much, much faster! That said, there might be some more nasties lurking somewhere so both Hijackthis and combofix logs are posted below. Hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 10:53:39, on 03/09/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\TridiaVNC\win32\WinVNC.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\broker\My Documents\My Internet\hijackthis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: H - {0A145003-CCA1-48e2-BADF-18331C76FC5F} - aswwer.dll (file missing) O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnmjig.dll O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing) O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TridiaVNC\win32\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=about:blank O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD14CC-EFE1-43BF-9BFF-B3A02CCA963D}: NameServer = 192.168.100.244 O20 - Winlogon Notify: fccabcy - fccabcy.dll (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: pmnmjig - C:\WINDOWS\SYSTEM32\pmnmjig.dll O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing) Combofix Log: ComboFix 07-08-30.3 - "broker" 2007-09-03 10:06:01.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.86 [GMT 1:00] * Created a new restore point ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe C:\Program Files\Ultimate Fixer C:\WINDOWS\cookies.ini C:\WINDOWS\system32\1_exception.nls C:\WINDOWS\system32\ahmxpwst.exe C:\WINDOWS\system32\bmopbehj.dll C:\WINDOWS\system32\bvrwseqh.exe C:\WINDOWS\system32\ccptobux.ini C:\WINDOWS\system32\cmrsuvik.exe C:\WINDOWS\system32\cookie.dat C:\WINDOWS\system32\dgxsifpy.dll C:\WINDOWS\system32\drivers\runtime2.sys C:\WINDOWS\system32\eavauukh.dll C:\WINDOWS\system32\fpjoeeqt.dll C:\WINDOWS\system32\gebabcd.dll C:\WINDOWS\system32\hvysepan.ini C:\WINDOWS\system32\ibukwdll.exe C:\WINDOWS\system32\ijllm.bak1 C:\WINDOWS\system32\ijllm.bak2 C:\WINDOWS\system32\ijllm.ini C:\WINDOWS\system32\jhebpomb.ini C:\WINDOWS\system32\kgwftcmp.dll C:\WINDOWS\system32\krqbcnvc.dll C:\WINDOWS\system32\lmwflgom.ini C:\WINDOWS\system32\lyfusncr.dll C:\WINDOWS\system32\mllji.dll C:\WINDOWS\system32\moglfwml.dll C:\WINDOWS\system32\napesyvh.dll C:\WINDOWS\system32\nvs2.inf C:\WINDOWS\system32\obrwsiio.exe C:\WINDOWS\system32\ojyeudsa.dll C:\WINDOWS\system32\ovbsnkq.dat C:\WINDOWS\system32\ovbsnkq.exe C:\WINDOWS\system32\pmctfwgk.ini C:\WINDOWS\system32\qbmootgx.dll C:\WINDOWS\system32\qvemqkhu.dll C:\WINDOWS\system32\scchk32.exe.bak C:\WINDOWS\system32\tcyxtpot.dll C:\WINDOWS\system32\tkelebpn.exe C:\WINDOWS\system32\toptxyct.ini C:\WINDOWS\system32\tqeeojpf.ini C:\WINDOWS\system32\tslctlsm.exe C:\WINDOWS\system32\wbgvbhxh.dll C:\WINDOWS\system32\wnsediqn.dll C:\WINDOWS\system32\xbfboied.exe C:\WINDOWS\system32\xbxxaukr.dll C:\WINDOWS\system32\xgtoombq.ini C:\WINDOWS\system32\xubotpcc.dll C:\WINDOWS\system32\ypfisxgd.ini ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_DOMAINSERVICE -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\DomainService -------\runtime ((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 ))))))))))))))))))))))))))))))) 2007-09-03 09:54 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-28 09:23 94,208 --a------ C:\WINDOWS\system32\MailSpectre.exe 2007-08-28 09:23 18,176 --a------ C:\WINDOWS\system32\drivers\smtpdrv.sys 2007-08-16 14:25 <DIR> d-------- C:\Program Files\Steganos Trace Destructor 4 2007-08-16 09:28 287,766 --a------ C:\WINDOWS\system32\pmnmjig.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-24 14:40 --------- d-------- C:\DOCUME~1\broker\APPLIC~1\AdobeUM 2007-08-01 13:39 48128 --a------ C:\WINDOWS\system32\aswwer.dll 2007-07-23 10:59 --------- d-------- C:\Program Files\YukonGold 2007-07-20 09:04 27136 --a------ C:\WINDOWS\shwol.dll 2007-07-16 12:50 --------- d-------- C:\Program Files\Google 2007-07-16 12:50 --------- d-------- C:\DOCUME~1\broker\APPLIC~1\Google 2007-07-16 12:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-07-12 09:19 --------- d-------- C:\Program Files\BD_CoverNote 2007-06-12 11:58 57344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gtcfaxaz.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A145003-CCA1-48e2-BADF-18331C76FC5F}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}] 2007-08-16 09:28 287766 --a------ C:\WINDOWS\system32\pmnmjig.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "POINTER"="point32.exe" [] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 16:05] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-03-20 14:13] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24] "WinVNC"="C:\Program Files\TridiaVNC\win32\WinVNC.exe" [2001-12-12 09:54] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-07 14:48] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-27 11:26] "gtcfaxaz.exe"="C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe" [2007-06-12 11:58] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08] "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 14:00] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\pmnmjig.dll [2007-08-16 09:28 287766] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccabcy] fccabcy.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmjig] pmnmjig.dll 2007-08-16 09:28 287766 C:\WINDOWS\system32\pmnmjig.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjjq32] winjjq32.dll R1 smtpdrv;smtpdrv;C:\WINDOWS\System32\DRIVERS\smtpdrv.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-03 10:50:20 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-03 10:51:52 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-03 10:51 --- E O F ---
Hi Please Click Start > Control Panel > Add/Remove Programs Remove this, if present: Zango Programs Open HiJackThis clic "do a system scan only" checkmark these if present: O2 - BHO: H - {0A145003-CCA1-48e2-BADF-18331C76FC5F} - aswwer.dll (file missing) O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnmjig.dll O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing) O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe O20 - Winlogon Notify: fccabcy - fccabcy.dll (file missing) O20 - Winlogon Notify: pmnmjig - C:\WINDOWS\SYSTEM32\pmnmjig.dll O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing) clic "fix checked" Please Open notepad and copy/paste the text in the quotebox below into it: Save this as CFScript.txt Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below. This will start ComboFix again. After reboot (in case it asks to reboot), Please download ATF Cleaner by Atribune. * Double-click ATF-Cleaner.exe to run the program. * Under Main choose: Select All * Click the Empty Selected button. If you use Firefox browser * Click Firefox at the top and choose: Select All * Click the Empty Selected button. * NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser * Click Opera at the top and choose: Select All * Click the Empty Selected button. * NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. This will remove all files from the items that are checked so if you have some cookies you'd like to save. please move them to a different directory first. Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder. * Install AVG Anti-Spyware by double clicking the installer. * Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked. * On the main screen under Your Computer's security. * Click on Change state next to Resident shield. It should now change to inactive. * Click on Change state next to Automatic updates. It should now change to inactive. * Next to Last Update, click on Update now. (You will need an active internet connection to perform this) * Wait until you see the Update succesfull message. * Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows. * Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. If you are having problems with the updater, you can use this link to manually update ewido. AVG Anti-Spyware manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Reboot your computer in Safe Mode. * If the computer is running, shut down Windows, and then turn off the power. * Wait 30 seconds, and then turn the computer on. * Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. * Ensure that the Safe Mode option is selected. * Press Enter. The computer then begins to start in Safe mode. * Login on your usual account. Once in Safe Mode: Now we need to do a search. Start > Search > For Files and Folders Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders. Paste this into the Search for files and folders named box: fccabcy.dll winjjq32.dll If any of these files are found please delete them. Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan. * Click on Scanner on the toolbar. * Click on the Settings tab. * Under How to act? * Click on Recommended Action and choose Quarantine from the popup menu. * Under How to scan? * All checkboxes should be ticked. * Under Possibly unwanted software: * All checkboxes should be ticked. * Under Reports: * Select Automatically generate report after every scan and uncheck Only if threats were found. * Under What to scan? * Select Scan every file. * Click on the Scan tab. * Click on Complete System Scan to start the scan process. * Let the program scan the machine. * When the scan has finished, follow the instructions below. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button. * Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2) *At the bottom of the window click on the Apply all Actions button. (3) * When done, click the Save Scan Report button. (4) *Click the Save Report as button. * Save the report to your Desktop. * Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. Reboot back into Normal Mode Post: C:\combofix.txt AVG Anti-Spyware log Fresh HiJackThis log
Hi, Thanks again for such a detailed guide, I hope I followed the steps correctly! Below are the combofix log, as taken at the CFScript stage and a fresh hijackthis log. For some reason I was unable to save the report (the box turned grey) so I have typed details of the items found. ComboFix 07-09-13.3 - "broker" 2007-09-14 9:23:40.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.72 [GMT 1:00] Command switches used :: C:\Documents and Settings\broker\My Documents\My Internet\CFScript.txt * Created a new restore point FILE:: C:\WINDOWS\system32\MailSpectre.exe C:\WINDOWS\system32\drivers\smtpdrv.sys C:\WINDOWS\system32\pmnmjig.dll C:\WINDOWS\system32\aswwer.dll C:\WINDOWS\shwol.dll C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe C:\WINDOWS\shwol.dll C:\WINDOWS\system32\aswwer.dll C:\WINDOWS\system32\cbadd.bak1 C:\WINDOWS\system32\cbadd.bak2 C:\WINDOWS\system32\cbadd.ini C:\WINDOWS\system32\commands.xml C:\WINDOWS\system32\ddabc.dll C:\WINDOWS\system32\drivers\smtpdrv.sys C:\WINDOWS\system32\help.txt C:\WINDOWS\system32\MailSpectre.exe C:\WINDOWS\system32\pmnmjig.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_SMTPDRV -------\smtpdrv ((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 ))))))))))))))))))))))))))))))) . 2007-09-03 09:54 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-16 14:25 <DIR> d-------- C:\Program Files\Steganos Trace Destructor 4 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-08-24 14:40 --------- d-------- C:\DOCUME~1\broker\APPLIC~1\AdobeUM 2007-07-23 10:59 --------- d-------- C:\Program Files\YukonGold 2007-07-16 12:50 --------- d-------- C:\Program Files\Google 2007-07-16 12:50 --------- d-------- C:\DOCUME~1\broker\APPLIC~1\Google 2007-07-16 12:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google . ((((((((((((((((((((((((((((( snapshot_2007-09-03_105119.79 ))))))))))))))))))))))))))))))))))))))))) . ----a-w 262,144 2007-09-14 08:20:40 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT ----a-w 16,384 2007-09-14 08:09:24 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ----a-w 32,768 2007-09-14 08:09:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ----a-w 32,768 2007-09-14 08:09:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat . ----a-w 262,144 2007-09-03 08:59:34 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT ----a-w 16,384 2007-09-03 08:43:47 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ----a-w 32,768 2007-09-03 08:43:47 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ----a-w 32,768 2007-09-03 08:43:47 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "POINTER"="point32.exe" [] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 16:05] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-03-20 14:13] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24] "WinVNC"="C:\Program Files\TridiaVNC\win32\WinVNC.exe" [2001-12-12 09:54] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-07 14:48] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-27 11:26] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08] "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 14:00] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56] . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-14 09:41:22 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-14 9:42:38 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-14 09:42 C:\ComboFix2.txt ... 2007-09-03 10:51 . --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 10:48:04, on 14/09/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\TridiaVNC\win32\WinVNC.exe C:\Documents and Settings\broker\My Documents\My Internet\hijackthis\scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TridiaVNC\win32\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=about:blank O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD14CC-EFE1-43BF-9BFF-B3A02CCA963D}: NameServer = 192.168.100.244 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TridiaVNC Server (winvnc) - Unknown owner - C:\Program Files\TridiaVNC\win32\WinVNC.exe" -service (file missing) And the AVG Results: rootkit.agent.ey done high worm.agent.l done high worm.agent.q done high downloader.tiny.id done high downloader.agent.ad done high trojan.dialer.qn done high adware.generic error while quara... medium adware.180Solutions. done medium trackingcookie.Netflame done medium adware.ultimatedefender done medium Thank you in advance - much appreciated!
Hi, looks good, how is the PC behaving? Update Your Windows XP You should update your Windows XP to SP2, NOW. This fixes a large number of security holes in your system. It is a very large download, and is not feasible with Dial-Up. If you are on Dial-up, order the CD from the site below. * You can download SP2 from here: http://www.softwarepatch.com/windows/index.html * If there is a problem with getting the SP2 to take after it's downloaded, see here : http://www.microsoft.com/windowsxp/using/security/expert/atkin_04nov23.mspx * You can order an update Service Pack 2 CD from MicroSoft here : http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx For updating with Firefox: http://www.microsoft.com/downloads/...70-D51C-4BE5-A15B-74430E9E2AD4&displaylang=en It is absolutely vital that you get this done, or you will have trouble often. After it's installed, set Automatic updates. -------------------------------------------------- Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: * Disable and Enable System Restore.- If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here: Managing Windows Millenium System Restore or Windows XP System Restore Guide * Make your Internet Explorer more secure - This can be done by following these simple instructions: * From within Internet Explorer click on the Tools menu and then click on Options. * Click once on the Security tab * Click once on the Internet icon so it becomes highlighted. * Click once on the Custom Level button. * Change the Download signed ActiveX controls to Prompt * Change the Download unsigned ActiveX controls to Disable * Change the Initialize and script ActiveX controls not marked as safe to Disable * Change the Installation of desktop items to Prompt * Change the Launching programs and files in an IFRAME to Prompt * Change the Navigate sub-frames across different domains to Prompt * When all these settings have been made, click on the OK button. * If it prompts you as to whether or not you want to save the settings, press the Yes button. * Next press the Apply button and then the OK to exit the Internet Properties page. * Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Instructions for - Spybot S & D and Ad-aware Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will enhance your safety IE/Spyad<= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. MVPS Hosts file<= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Google Toolbar<= Get the free google toolbar to help stop pop up windows. Winpatrol<= Download and install the free version of Winpatrol. a tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference! The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware. Also, please read this great article by Tony Klein So How Did I Get Infected In First Place Happy surfing and stay clean!
Hi, The pc seems to be running pretty well - a world away from what it was at the start of this process so many thanks indeed! Mcafee Virus scan still appears to be picking up the occasional problem but these may be a new thing! I think I found the AVG log, just to round things off!? --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 10:45:31 14/09/2007 + Scan result: HKLM\SOFTWARE\Classes\CLSID\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined). HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup (quarantined). HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined). HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning. HKU\S-1-5-21-551710302-3098130978-3819589280-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP598\A0033204.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP598\A0033206.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP598\A0033207.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP581\A0016395.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP582\A0016438.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP582\A0016476.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP585\A0023676.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP585\A0024688.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP585\A0025696.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP585\A0026714.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP585\A0027730.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined). C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir -> Rootkit.Agent.ey : Cleaned with backup (quarantined). C:\Documents and Settings\broker\Cookies\broker@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned. C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP598\A0033209.dll -> Trojan.Dialer.qn : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP598\A0033096.sys -> Worm.Agent.l : Cleaned with backup (quarantined). C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\smtpdrv.sys.vir -> Worm.Agent.l : Cleaned with backup (quarantined). C:\System Volume Information\_restore{83FAFBAF-D428-4DFA-8871-2F29084E1859}\RP598\A0033095.exe -> Worm.Agent.q : Cleaned with backup (quarantined). C:\qoobox\Quarantine\C\WINDOWS\system32\MailSpectre.exe.vir -> Worm.Agent.q : Cleaned with backup (quarantined). ::Report end
