Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: UnderAttack on January 03, 2011, 03:55:18 AM

Title: Requesting help to clean PC
Post by: UnderAttack on January 03, 2011, 03:55:18 AM
Hi,

I am hoping you will help me clean a PC given to me to fix.  I have followed the steps for this forum before posting, but slightly out of order as I started trying to clean it before coming here.

The original symptoms were fake anti-virus popups.  The pre-post instructions have got rid of those symptoms.  I believe there is still something nasty on here, the only symptom I can currently see is detailed below related to AVG.

Initially I did not connect the machine to my network and ran a full scan with the already installed, slightly out of date, AVG which found PSU.Delf.FPM.  I then connected it to the Internet, updated AVG and installed, updated and ran Malwarebytes.  Malwarebytes found some nasties and AVG plucked some to its virus vault.

The version of AVG on the system is 8.5.449, although the actual GUI looks like the latest version and it is not complaining about being out of date.  When I used to use Windows I recall that AVG needed reinstalling with the next version each year, so after (thinking) I had cleaned the PC I tried to uninstall this AVG to install the latest version.  When I do this I get an ugly message:

Local machine: installation failed
    Initialization:
        Error: Connecting to item registry root HKCU (f**kyou) failed.
            Error 0x80070005

The message wasn't starred out on the system btw.  This is the only symptom I am able to see on the system at the moment and is still present after following the full pre-post instructions.

I then started following all your pre-post instructions in order, including running Malwarebytes again, which came up clean, so I included the earlier log instead.  This is a multiuser machine and SuperAntiSpyware found cookies from other places, including an old backup of the system.  I deleted references to cookies out of the log files because they were so long.  If this is wrong please let me know because I have the original log files still.
 
I also turned off the system restore so that would get deleted, I don't recall exactly at what stage I did that.  Sorry this post was so verbose, I wasn't sure which information was important.
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 03, 2011, 03:55:43 AM
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5443

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

02/01/2011 18:38:46
mbam-log-2011-01-02 (18-38-46).txt

Scan type: Quick scan
Objects scanned: 192822
Time elapsed: 12 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\David\local settings\Temp\msitcm.cpl (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\David\local settings\Temp\_32.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\David\local settings\Temp\_33.tmp (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\David\local settings\Temp\libmhcklq\aialimuaffm.exe (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 03, 2011, 03:56:01 AM
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2011 at 01:11 AM

Application Version : 4.47.1000

Core Rules Database Version : 6114
Trace Rules Database Version: 3926

Scan type       : Complete Scan
Total Scan Time : 03:00:48

Memory items scanned      : 421
Memory threats detected   : 0
Registry items scanned    : 6622
Registry threats detected : 0
File items scanned        : 154410
File threats detected     : 880

Adware.Tracking Cookie
   **** Nearly 900 lines of cookies were here, removed but saved if needed ****
   
   
Trojan.Agent/Gen-Krpytik
   C:\PROGRAM FILES\WINRAR\FORMATS\ACE.FMT
   C:\PROGRAM FILES\WINRAR\FORMATS\ARJ.FMT
   C:\PROGRAM FILES\WINRAR\FORMATS\CAB.FMT
   C:\PROGRAM FILES\WINRAR\FORMATS\GZ.FMT
   C:\PROGRAM FILES\WINRAR\FORMATS\LZH.FMT
   C:\PROGRAM FILES\WINRAR\FORMATS\TAR.FMT
   C:\PROGRAM FILES\WINRAR\FORMATS\UUE.FMT
   C:\PROGRAM FILES\WINRAR\WINCON.SFX

BearShare File Sharing Client
   D:\#BACKUP\C_DRIVE_27022008\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 03, 2011, 03:56:18 AM
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:45:29, on 03/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{03099802-BE23-40CC-AED5-66231B4EE118}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{03099802-BE23-40CC-AED5-66231B4EE118}: NameServer = 192.168.1.254
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: cryptnet32 - cryptnet32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4828 bytes
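A triage pass over HijackThis log lines like the ones in the log above, added here as an example and not the poster's or HijackThis' own code: it flags O20 Winlogon Notify entries whose DLL is reported missing (the cryptnet32 and avgrsstarter entries above are the kind of leftover hook that Winlogon would keep trying to load), O4 autostart entries launched from a Temp folder, and O17 NameServer values outside private address ranges. The sample lines are constructed from the thread's log; the O4 Temp-folder entry and the public-DNS check are assumptions added for illustration.

```python
"""Triage a HijackThis 2.0.x log for a few residual-infection indicators.

Added example for this thread; it is neither the poster's nor HijackThis'
own code.  It parses the plain-text line format shown in the thread.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List

# Constructed sample: the O17 and O20 lines are copied from the thread's log;
# the second O4 line is an assumed entry added to exercise the Temp check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\David\Local Settings\Temp\libmhcklq\aialimuaffm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{03099802-BE23-40CC-AED5-66231B4EE118}: NameServer = 192.168.1.254
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: cryptnet32 - cryptnet32.dll (file missing)
"""

# Line shapes as HijackThis prints them (bracketed O4 entries only; the
# "O4 - Startup:" .lnk form is deliberately not matched here).
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*?)(?P<missing> \(file missing\))?$"
)
# "...\Local Settings\Temp\..." on XP, or any "\Temp\" path component.
TEMP_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section prefix: O4, O17 or O20
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O20_RE.match(line):
            # A Notify key whose DLL is gone is a leftover registration; the
            # component was removed but the hook was not.
            if m.group("missing"):
                findings.append(Finding(
                    "O20", f"Winlogon Notify '{m['key']}' points at missing DLL '{m['dll']}'", line))
        elif m := O4_RE.match(line):
            cmd = m["cmd"].strip().strip('"')
            if TEMP_RE.search(cmd):
                findings.append(Finding(
                    "O4", f"autostart '{m['name']}' launches from a Temp directory", line))
        elif m := O17_RE.match(line):
            # Assumed check: a resolver outside RFC 1918 space deserves a look.
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    outside_private = not ip_address(server).is_private
                except ValueError:
                    outside_private = True  # unparseable value: also report it
                if outside_private:
                    findings.append(Finding(
                        "O17", f"NameServer {server} is outside private address ranges", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```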
Title: Re: Requesting help to clean PC
Post by: SuperDave on January 03, 2011, 01:34:10 PM
Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Please turn on your System Restore. An infected Restore Point is better than none.

You have BearShare in your backup drive. It should be removed from the backup drive as well as the C drive.
D:\#BACKUP\C_DRIVE_27022008\PROGRAM FILES\BEARSHARE

Download Disable/Remove Windows Messenger  (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.
******************************************
This next scan will not run while AVG is on your computer. Please download a new Anti-Virus program from the list below and install it. I would recommend Microsoft Security Essentials. Next, please remove AVG by running the AVG Removal Tool below.

Remember to only install one antivirus!
 
1) Avast! Home Edition (http://www.majorgeeks.com/Avast_Home_Edition_d1968.html)
2) AVG Free Edition (http://www.majorgeeks.com/download.php?det=886)
3) Avira AntiVir Personal (http://www.majorgeeks.com/AntiVir_Personal_Edition_7_d955.html)
4) Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
4-a) Microsoft Security Essentials for Windows XP (http://www.microsoft.com/security_essentials/)
5) Comodo Antivirus (http://www.majorgeeks.com/Comodo_AntiVirus_d5109.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition (http://www.majorgeeks.com/PC_Tools_AntiVirus_Free_Edition_d5469.html)

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
**********************************************
AVG Antivirus - AVG Antivirus Remover utility (http://www.avg.com/download-tools)

Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see  How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 03, 2011, 05:21:40 PM
Hi Dave,

Thanks for your time so far.  Are you by any chance the SuperDave from the diabloii.net forums?

Here is what I have done, and the requested log file follows.

I re-enabled the system restore.

I deleted the bearshare folder from the backup location (one of the tools had already removed the exe file), it is not present on the C: drive.  The backup is actually a backup of an old hard disk from before a re-install.

I ran the Remove Windows Messenger tool as instructed, no problems.

I installed Avast which went fine, then ran the AVG removal tool.  After a reboot and a bit more work from the AVG tool I was back at the desktop, but Avast no longer worked.  Clicking the 'Fix' button in the Avast interface did nothing.  As the next step was to disable AV products before running combofix anyway, I proceeded with combofix.

After running combofix Avast still doesn't work.  Can I reinstall AVG now combofix is done?
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 03, 2011, 05:22:05 PM
ComboFix 11-01-03.01 - General 03/01/2011  23:55:24.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.479.163 [GMT 0:00]
Running from: c:\documents and settings\General\desktop\commy.exe
Command switches used :: /stepdel
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AutoRun.ini
c:\windows\system32\arp.exe
c:\windows\system32\install.exe
c:\windows\system32\SCardSvr.exe
c:\windows\system32\shimg.dll
d:\documents\david\rdplus.net.DUN

.
(((((((((((((((((((((((((   Files Created from 2010-12-04 to 2011-01-04  )))))))))))))))))))))))))))))))
.

2011-01-03 22:45 . 2010-12-31 20:00   293968   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-01-03 22:45 . 2010-12-31 19:59   47440   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-01-03 22:45 . 2010-12-31 19:56   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-01-03 22:43 . 2010-12-31 20:06   38848   ----a-w-   c:\windows\avastSS.scr
2011-01-03 22:43 . 2010-12-31 20:06   188216   ----a-w-   c:\windows\system32\aswBoot.exe
2011-01-03 22:29 . 2010-12-31 19:56   23632   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-01-03 22:27 . 2010-12-31 19:59   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2011-01-03 22:27 . 2010-12-31 19:59   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2011-01-03 22:26 . 2010-12-31 19:56   29264   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2011-01-03 22:23 . 2011-01-03 22:43   --------   d-----w-   c:\program files\Alwil Software
2011-01-03 22:23 . 2011-01-03 22:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2011-01-03 10:23 . 2011-01-03 10:23   --------   d-----w-   c:\documents and settings\General\Local Settings\Application Data\Help
2011-01-03 09:50 . 2011-01-03 10:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
2011-01-03 09:50 . 2011-01-03 09:50   --------   d-----w-   c:\documents and settings\General\Application Data\OnlineArmor
2011-01-03 09:50 . 2010-07-07 12:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2011-01-03 09:50 . 2010-07-07 12:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2011-01-03 09:50 . 2010-07-07 12:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2011-01-03 09:50 . 2011-01-03 09:50   --------   d-----w-   c:\program files\Emsisoft
2011-01-03 01:33 . 2011-01-03 01:33   388096   ----a-r-   c:\documents and settings\General\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-03 01:33 . 2011-01-03 01:45   --------   d-----w-   c:\program files\HJT
2011-01-02 22:27 . 2010-11-12 18:53   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-01-02 22:27 . 2010-11-12 18:53   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-01-02 22:03 . 2011-01-02 22:03   --------   d-----w-   c:\documents and settings\General\Application Data\SUPERAntiSpyware.com
2011-01-02 22:03 . 2011-01-02 22:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-01-02 22:02 . 2011-01-02 22:03   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-01-02 21:48 . 2011-01-02 21:48   --------   d-----w-   c:\program files\CCleaner
2011-01-02 18:43 . 2011-01-02 18:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-01-02 18:08 . 2011-01-02 18:08   --------   d-----w-   c:\documents and settings\General\Application Data\Malwarebytes
2011-01-02 18:08 . 2011-01-02 18:44   --------   d-----w-   c:\documents and settings\General\Application Data\VMware
2011-01-02 18:07 . 2010-12-20 18:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 18:07 . 2011-01-02 18:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-02 18:07 . 2011-01-02 18:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2011-01-02 18:07 . 2010-12-20 18:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-12-16 16:41 . 2010-11-02 15:17   40960   -c----w-   c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 16:40 . 2010-10-11 14:59   45568   -c----w-   c:\windows\system32\dllcache\wab.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-01-22 11:24   81920   ----a-w-   c:\windows\system32\isign32.dll
2010-11-12 16:34 . 2008-02-27 18:44   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2010-11-05 05:05 . 2009-01-22 11:23   667136   ----a-w-   c:\windows\system32\wininet.dll
2010-11-02 15:17 . 2009-01-22 11:23   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2009-01-22 11:24   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2009-01-22 11:23   1853312   ----a-w-   c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-01-10 4263936]
"nwiz"="nwiz.exe" [2003-01-10 315392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-12-31 3395600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\music\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [03/01/2011 22:45 293968]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [03/01/2011 09:50 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [03/01/2011 09:50 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [03/01/2011 09:50 28232]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/01/2011 22:45 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [03/01/2011 09:50 1283400]
R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [03/01/2011 09:50 3364680]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
TCP: {03099802-BE23-40CC-AED5-66231B4EE118} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\General\Application Data\Mozilla\Firefox\Profiles\26jafrot.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 00:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-01-04  00:15:25
ComboFix-quarantined-files.txt  2011-01-04 00:15

Pre-Run: 1,833,848,832 bytes free
Post-Run: 3,556,343,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - CE11369B949B2414924CBE44388B9D19
Title: Re: Requesting help to clean PC
Post by: SuperDave on January 04, 2011, 04:51:51 PM
Quote
Are you by any chance the SuperDave from the diabloii.net forums?
Not me!
Quote
Can I reinstall AVG now combofix is done?
I would recommend Microsoft Security Essentials. Very good and less of a hassle.

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 06, 2011, 09:34:47 AM
Hi, thanks for your continued help.  I tried to reinstall AVG while Avast was still installed (but still not working), but the installer refused to run while Avast was installed.  I uninstalled Avast and rebooted, but was unable to install AVG.  It got to the end and came up with this message (copied from Windows event log):

Product: AVG 2011 -- Error 27046. CA_Error 27046: DriverInstallationFun: Driver installation failed: 0x00000000

I'm kind of tempted to make a decontamination PC and add the hard disk from this infected PC so I can do an offline scan of the disk.  Would this help in finding rootkit type stuff?

Requested log from SysProt follows.
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 06, 2011, 09:35:09 AM
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_nvatabus.sys
Service Name: ---
Module Base: A9F58000
Module End: A9F6C000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79B5000
Module End: F79B7000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAllocateVirtualMemory
Address: B24D5ED0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwAssignProcessToJobObject
Address: B24D6700
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwConnectPort
Address: B24D3DA0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateFile
Address: B24E39C0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreatePort
Address: B24D38E0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateProcess
Address: B24D0620
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateProcessEx
Address: B24D0A30
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateSection
Address: B24CFEF0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwCreateThread
Address: B24D1F20
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwDebugActiveProcess
Address: B24D2B90
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwDuplicateObject
Address: B24D36F0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwLoadDriver
Address: B24D5490
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenFile
Address: B24E4040
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenProcess
Address: B24D1A20
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenSection
Address: B24D0310
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenThread
Address: B24D2420
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwProtectVirtualMemory
Address: B24D6350
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwQueryDirectoryFile
Address: B24D5A70
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwQueueApcThread
Address: B24D68A0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRequestPort
Address: B24D49A0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRequestWaitReplyPort
Address: B24D4F90
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwRestoreKey
Address: B24E3550
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwResumeThread
Address: B24D3340
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSecureConnectPort
Address: B24D4190
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSetContextThread
Address: B24D2970
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSetSystemInformation
Address: B24D2D30
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwShutdownSystem
Address: B24D5370
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSuspendProcess
Address: B24D3520
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSuspendThread
Address: B24D3130
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwSystemDebugControl
Address: B24D2F40
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwTerminateProcess
Address: B24D1C80
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwTerminateThread
Address: B24D2760
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwUnloadDriver
Address: B24D5780
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwWriteVirtualMemory
Address: B24D6520
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
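
The hook listing above is easier to review in summary form: group the hooked functions by the driver that owns them and confirm that every hook address falls inside that driver's own image, since a hook that points outside the named driver deserves a closer look. The following is an added example, not part of the thread or of any tool used in it; the sample records are constructed in the same "Function Name / Address / Driver Base / Driver End / Driver Name" layout.

```python
import re
# Constructed sample in the record layout of the listing above; the first record is
# cut off, as at the top of the quoted log, and the last address lies outside the image.
SAMPLE_LOG = """\
Driver Name: \\??\\C:\\WINDOWS\\system32\\drivers\\OADriver.sys

Function Name: ZwCreateProcess
Address: B24D0620
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \\??\\C:\\WINDOWS\\system32\\drivers\\OADriver.sys

Function Name: ZwOpenFile
Address: B2600000
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \\??\\C:\\WINDOWS\\system32\\drivers\\OADriver.sys
"""

FIELDS = ("Function Name", "Address", "Driver Base", "Driver End", "Driver Name")

def parse_hooks(text):
    """Split the listing into blank-line-separated records; drop incomplete ones."""
    hooks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if all(f in rec for f in FIELDS):
            hooks.append(rec)
    return hooks

def hooks_by_driver(hooks):
    """Map each driver file name to the functions it hooks."""
    grouped = {}
    for h in hooks:
        name = h["Driver Name"].rsplit("\\", 1)[-1].lower()
        grouped.setdefault(name, []).append(h["Function Name"])
    return grouped

def out_of_range(hooks):
    """Hooks whose address does not fall inside the claimed driver image."""
    bad = []
    for h in hooks:
        addr, base, end = (int(h[k], 16) for k in ("Address", "Driver Base", "Driver End"))
        if not base <= addr < end:
            bad.append(h["Function Name"])
    return bad
```

Run over the real listing, every hook should group under a driver you recognise and out_of_range() should come back empty, which is the quick way to confirm what a reviewer reads off such a log by eye.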

Title: Re: Requesting help to clean PC
Post by: SuperDave on January 06, 2011, 12:33:14 PM
Quote
I'm kind of tempted to make a decontamination PC and add the hard disk from this infected PC so I can do an offline scan of the disk.  Would this help in finding rootkit type stuff?
No. There's no need to do that. I'm not finding anything in these logs.

Quote
tried to reinstall AVG while Avast was still installed (but still not working), but the installer refused to run while Avast was installed.  I uninstalled Avast and rebooted, but was unable to install AVG.  It got to the end and came up with this message (copied from Windows event log):
Please download and install Microsoft Security Essentials and then run these tools to get rid of AVG and Avast.

AVG Antivirus - AVG Antivirus Remover utility (http://www.avg.com/download-tools)

Avira antivirus - Instructions for manual uninstallation of Avira (http://www.avira.com/en/support/kbdetails.php?id=135)

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan (http://eset.com/onlinescan)
• Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
• Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
• Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
• Accept any security warnings from your browser.
• Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
• Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
• Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 09, 2011, 10:36:05 AM
Hi,

Sorry for the long delay in my reply, I've been ill.  Unfortunately I messed up when following your instructions and I didn't save the log from ESET.  I ran it again to see if that would help but there was no save log option.

When it ran the first time it did find 1 threat, which it called:

Win32/Toolbar.AskSBar

I looked in the quarantine and this was the path to the file:

D:\iso\Nero-6.6.1.1c_wch.exe

Thanks
Title: Re: Requesting help to clean PC
Post by: SuperDave on January 09, 2011, 07:24:33 PM
I hope you're feeling better. How's your computer working now? Any other issues?
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 12, 2011, 02:45:48 PM
Hi,

Thanks, I'm mostly better.  Sorry for the slow update, I have had to catch up on my work after being ill.

The computer seems generally ok.  After it has been logged in for a few minutes it comes up with an error about jusched.exe, with the Windows error reporting window.  I don't know if it was doing this before or not, but I did follow the Java clean/update instructions so hopefully it would be a fresh install.

This is a multi-user system and I've been using a mostly unused user account to do these scans.  I logged in with one of the main accounts, where the problems first surfaced, and ran a Malwarebytes scan only; log follows.  I also ran that scan on the other main user account but it was clean.

Other than that it seems to be behaving itself - thank you so much :)
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 12, 2011, 02:46:31 PM
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5499

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/01/2011 22:25:10
mbam-log-2011-01-10 (22-25-01).txt

Scan type: Quick scan
Objects scanned: 175546
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nifvaksn (Trojan.FakeAlert.Gen) -> Value: nifvaksn -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
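
Every detection line in this log ends in "No action taken", meaning the scan reported the items but removed nothing. As an added example (not from the thread or from Malwarebytes), here is a parser for this log layout that lists detections the scan did not remediate, and separately those sitting under a Run key, i.e. autostart persistence; the object names in the sample are constructed placeholders, not the thread's own values.

```python
import re

# Constructed sample in the layout of the Malwarebytes log quoted above; the
# key and value names are placeholders, the action strings are the real ones.
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\examplekey123 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\examplevalue (Trojan.FakeAlert.Gen) -> Value: examplevalue -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# object (family) -> [Value: x ->] [Bad: (a) Good: (b) ->] action.
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam(text):
    """Return one dict per detection: section, object, family and final action."""
    findings, section = [], None
    for line in text.splitlines():
        if line.endswith("Infected:"):          # section header, not a summary count
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if not m or section is None:
            continue
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        findings.append({"section": section, "object": m.group("obj"),
                         "family": m.group("family"), "action": action})
    return findings

def unremediated(findings):
    """Detections the scan reported but left in place."""
    return [f["object"] for f in findings if f["action"] == "No action taken"]

def run_key_persistence(findings):
    """Detections under a CurrentVersion\\Run key, i.e. autostart persistence."""
    return [f["object"] for f in findings
            if "\\CurrentVersion\\Run\\" in f["object"]]
```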
Title: Re: Requesting help to clean PC
Post by: SuperDave on January 12, 2011, 07:24:02 PM
It says "no action taken". Please run it again and clean the infections. Let's do some cleanup.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

************************************************

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
This will give you a new, clean Restore Point.

**********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
********************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
Title: Re: Requesting help to clean PC
Post by: navylu03 on January 16, 2011, 12:49:43 AM
Hi Dave,

I'll try your instructions... viruses keep annoying me... hope it will work, and thanks in advance...
These instructions were created for this user and may do more harm to your computer than good. If you're having problems, start your own thread and you will get help.
Title: Re: Requesting help to clean PC
Post by: UnderAttack on January 23, 2011, 04:33:50 PM
Thank you so much Dave for all your time, effort and expertise.  You are an absolute star :)
Title: Re: Requesting help to clean PC
Post by: SuperDave on January 23, 2011, 07:10:21 PM
You're welcome. I will lock this thread. If the original poster needs it re-opened, please pm me.