definately got a problem :(

jiminwatford · #1 (**permalink**) 09-05-2008, 10:30 AM

hi, we appear to have contracted a virus. a program called Antispyware Master is all over our PC. We have been running Windows firewall, Spybot Search & Destroy and Clamwin free anti virus.

here is the Hijack this Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:32, on 09/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\windows\system32\jjwnw64o.exe
C:\Program Files\AntiSpywareMaster\asm.exe
C:\WINDOWS\R2VvZmY\command.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\DOBE~1\nslookup.exe
C:\Program Files\a?sembly\n?tdde.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\pcntkkdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [{88-89-95-55-DW}] C:\windows\system32\jjwnw64o.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntkkdm.exe DWram
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [505889fa] rundll32.exe "C:\WINDOWS\system32\ajjyvwti.dll",b
O4 - HKLM\..\Run: [{b1e8c10f-179e-c82b-5ac2-2c4423e77794}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{0f46d3fa-75d4-ca85-f06a-24df90ae54a5}.dll" DllInit
O4 - HKLM\..\Run: [BM536bba66] Rundll32.exe "C:\WINDOWS\system32\qcjmpsdo.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ridl] "C:\PROGRA~1\DOBE~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Iqwzlal] "C:\Program Files\a?sembly\n?tdde.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntkkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jjwnw64o.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R2VvZmY\command.exe

--
End of file - 5151 bytes

i followed the instruction to 'Save List' but the program closed and i don't know what to do after that.

thanks for any help

James

VopThis · #2 (**permalink**) 09-05-2008, 01:20 PM

Just so you know - you likely have acquired a backdoor/often password stealing capable Trojan that COULD create serious compromises and concerns (passwords, banking, identity theft, etc.).

PLEASE CONSIDER THE FOLLOWING ISSUES CAREFULLY: Your system has likely been compromised to a point where even cleaning it does not promise you a trustworthy machine. There is a lot of serious concern about the SDBOT infection family which your PC has presently encountered and its known updateable/installable capabilities whether currently in use or not - SEE:
(20K hits for inclusive search terms SDBOT, banking, password, and keylogger).

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

If you do online banking or have passwords that would be a serious concern in the hands of others (identity theft or compromise of confidential information), then more serious action is likely advisable and potentially warranted (contacting and alerting bank(s), backup user files, do a clean re-install, and change all user passwords while off-line). More often than not they want your PC as a compromised zombie (a botnet/spambot member to do evil deeds) – but who is to know.

Nevertheless, initial and further cleaning may still be warranted to give you some renewed degree of control and then time to more fully consider your options. Let us know how you wish to proceed.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Please also provide any new current observations.

jiminwatford · #3 (**permalink**) 09-05-2008, 01:31 PM

Thanks, i will try this when i get home.

So far i haven't used it with ay important passwords, i will consider further action if this cleanup gets it back online to start with

thanks
james

jiminwatford · #4 (**permalink**) 10-05-2008, 11:16 AM

hi it's justthis minute finished. here is the report

SDFix: Version 1.181
Run by Geoff on 10/05/2008 at 10:41

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Geoff\Desktop\SDFix\SDFix

Checking Services :

Name :
cmdService

Path :
C:\WINDOWS\R2VvZmY\command.exe

cmdService - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\R2VvZmY\asappsrv.dll - Deleted
C:\WINDOWS\R2VvZmY\command.exe - Deleted
C:\WINDOWS\R2VvZmY\lZpStAs.vbs - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster. lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk - Deleted
C:\Documents and Settings\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk - Deleted
C:\Documents and Settings\Geoff\Desktop\AntiSpywareMaster.lnk - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\maxsv15\rLCubd.log - Deleted
C:\WINDOWS\system32\bkEur01\bkEur011065.exe - Deleted
C:\Program Files\AntiSpywareMaster\asm.exe - Deleted
C:\Documents and Settings\Geoff\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Geoff\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\DOCUME~1\Geoff\LOCALS~1\Temp\snapsnet.exe - Deleted
C:\DOCUME~1\Geoff\LOCALS~1\Temp\yazzsnet.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted

Folder C:\Documents and Settings\All Users\Start Menu\Programs\SecurePCCleaner - Removed
Folder C:\Program Files\AntiSpywareMaster - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\maxsv15 - Removed
Folder C:\WINDOWS\system32\bkEur01 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 10:58:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\DOCUME~1\Geoff\Desktop\SDFix\SDFix\backups\back ups.zip

Files with Hidden Attributes :

Fri 11 Apr 2008 230,400 ..SHR --- "C:\Program Files\a?sembly\n?tdde.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 8 May 2008 68,608 ..SHR --- "C:\Program Files\?dobe\nslookup.exe"
Tue 6 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67d da0ffd4dea8c0d990dc65796\BIT1.tmp"

Finished!

and a new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:42, on 10/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\DOBE~1\nslookup.exe
C:\Program Files\a?sembly\n?tdde.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [{88-89-95-55-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{b1e8c10f-179e-c82b-5ac2-2c4423e77794}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{0f46d3fa-75d4-ca85-f06a-24df90ae54a5}.dll" DllInit
O4 - HKLM\..\Run: [505889fa] rundll32.exe "C:\WINDOWS\system32\uupdgret.dll",b
O4 - HKLM\..\Run: [BM536bba66] Rundll32.exe "C:\WINDOWS\system32\edesscgg.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ridl] "C:\PROGRA~1\DOBE~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Iqwzlal] "C:\Program Files\a?sembly\n?tdde.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

--
End of file - 4504 bytes

initial look is that things are not much better. it is still getting 'dodgy' popups and windows advertsing phoney 'cleanup' services.

VopThis · #5 (**permalink**) 10-05-2008, 01:37 PM

Please advise if you have used 'MSCONFIG' to disable certain applications (if you know what this is)?

Please disable the ‘active protection’ components of the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.

Disable Spybot S&D (Teatimer)

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

When disabled, please download ResetTeaTimer.bat
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer. This is done so it can be re-enabled without problems after cleaning.

Download deldomains:
http://www.mvps.org/winhelp2002/DelDomains.inf
When you click on the link, select Save. Save it to your desktop. Once on the desktop: It appears as an icon that looks like a notebook tablet with a gear overlaid on it.

To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Note: Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset:
Examples: (if these are being used),

Spybot's "Immunize" feature is affected, you will need to re-immunize
SpywareBlaster's "Enable all protection" feature will have to be re-enabled
IE-SPYADS will have to be reinstalled

Download ComboFix from one of the following links below:

Here or Here to your Desktop.

**Note: If you already have Combofix, delete previous copy(s) and download the latest version. It is important that it is saved directly to your desktop**

Combofix will disconnect your machine from the Internet and restore connections before it completes its run. If Combofix terminates prematurely and breaks the Internet connections, they can be restored manually by rebooting the machine. Note: If you have an "always on" connection (DSL/cable), unplug the cable from the modem before running Combofix. Do not reconnect before Combofix has finished its scan.

Very Important! Temporarily disable your:
- anti-virus,
- script blocking and
- any anti-malware real-time protection
before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

ComboFix SHOULD NOT be used unless requested by a forum helper.

jiminwatford · #6 (**permalink**) 10-05-2008, 06:38 PM

hi, as it turns out my Dad got impatient and formatted the system. although i think likely i hope we won't need the above information.

thank you though for you help

thanks
james

VopThis · #7 (**permalink**) 11-05-2008, 07:30 PM

To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
- http://www.securityfocus.com/news/11273
  If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.
Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching (using a real-time/always on AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
Consider using other free malware scanning/removal programs:
AVG Anti-Spyware : http://free.grisoft.com/doc/20/lng/us/tpl/v5

Microsoft Windows Defender: http://www.microsoft.com/athome/secu...e/default.mspx

Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
Ad-Aware 2007: http://www.download.com/Ad-Aware-200...l?tag=pdp_prod
Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
- Comodo (64 MB RAM):
  http://www.personalfirewall.comodo.com/
- Sunbelt Personal Firewall (formerly Kerio) (10MB RAM):
  http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/
  *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
- Zone Alarm (128 MB RAM??): - no longer presently recommending this one (new ownership and business practices have created issues currently under review.)
  http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za
It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
Consider using an alternate free browser for general web surfing but you must use IE for windows updates. The use of Firefox (or similar alternate) mitigates the many types of malware that are now possible when using IE ActiveX based components. Should problems ever arise in utilizing ‘Internet Explorer’, this provides you with access to a completely different browser that may often work in such times of difficulty.
Mozilla Firefox: http://www.mozilla.org/products/firefox/
Consider increasing your browser security by using these programs:
SpywareGuard will help protect your homepage from being hijacked:
http://www.javacoolsoftware.com/spywareguard.html

SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
- If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
- IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
  http://www.spywarewarrior.com/uiuc/resource.htm

A HOSTS file can block Internet access to thousands of undesirable or known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:

Run the HiJackThis tool and select ‘Open the Misc Tools section’.
Next select ‘Open host file manager’ button.
Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.

Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

EXCERPT:

Quote:

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
.
.
.
#end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:
Keep all of these programs up-to-date (using auto-updates where possible), and

Use them on a regular (minimum weekly) basis.

REALITY CHECK:

Who else uses your PC? What are the potential risks created by multiple (potentially loose cannon) users and why?
What about bad luck, simple mistakes, and bad browsing choices (SEE: www.siteadvisor.com and their BLOG)?

SEE: The Dangers of Popularity (for Popular SEARCH TERMS):
http://blog.siteadvisor.com/2006/08/...pularity.shtml

Quote:

The correlation of search term popularity and search term riskiness illustrates how malicious activity tends to follow and exploit consumer behavior. Users demand "free," and bad actors flock to fill corresponding search results with their deceptive offerings. All too often, users don't realize the detrimental consequences of these sites until their systems crash from spyware or their inboxes become choked with spam.

ABOVE ALL, it is most imperative that users exercise "safe surfing" habits such as banning or at least verifying email attachments (with scanning tools) before opening, and by not executing programs unless obtained from a trusted (or researched) source, etc.

In general, always research any unfamiliar links or products that you might want to access or download. In particular, the SiteAdvisor site and other REPUTABLE research-based link sources such as ‘LinkScanner PRO’ ( http://linkscanner.explabs.com/ - my current PAID favorite) have continued to make a significant difference to my clients’ PC health due to better-informed browsing habits and choices. I currently run both at the same time for search engine link assessment purposes.

Peer-to-Peer and FREE download sites add a level of risk that many should seriously take into account and adjust their behavior accordingly (significant sources of drive-by-downloads, script based infections, and annoying POPUPs).

Additionally, TEMPORARY files are both a significant source of clutter and potential hiding places for MALWARE content. Clean out those areas periodically - at least weekly. You can use a tool like CCleaner (or ATF Cleaner):

Quote:

To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner http://www.ccleaner.com/downloadbuilds.asp

Install Options:

Don't install any Toolbars, or other programs, should it ask you!
Just uncheck the option of installing the Yahoo toolbar.

It will put a shortcut on your Desktop.
Do not run CCleaner until requested later.

Run CCleaner in SAFE MODE (reboot tapping the F8 key after the beep).

Select the ‘Options’ BUTTON option (top LEFT), ‘Advanced’ BUTTON, and then UNCHECK the ‘Only delete files in Windows Temp Folders older than 48 hours’ (because the latest download traffic could easily be the bearer of some bad content).

Select the ‘Cleaner’ BUTTON option (top LEFT), if not already selected. Use the ’Windows’ TAB up front by default.

Uncheck ‘Cookies’ option (advisable)
Optionally, Uncheck ‘Recently Typed URLs’ option (potentially still useful)
Click the ‘Analyse’ button.
Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.

Those that continue to want to use ‘Limewire’, 'BitTorrent', 'Bearshare', ‘Morpheus’ or other P2P applications, can expect to see the possibility for more serious malware issues (such as bad executables):
http://www.siteadvisor.com/sites/bearshare.com

You would be well-advised to at least consider strengthening your real-time prevention tools and use either Spy Sweeper or Spyware Doctor, or possibly run AVG Anti-Spyware for a trial period (mainly for anti-trojan defensive purposes) in real-time (paid version=realtime). No combination of tools, however, can ever be completely fail-safe for all possible issues.