13 replies to this topic

[Solaris_Wave]

System information (Toshiba laptop PC, Windows XP Home, XP firewall, Internet Explorer 7, AVG 8.5 Free Edition, ZyXEL wired router)


Unfortunately, my PC has once again been under attack from viruses, which is frustrating after receiving (excellent) support from AdvancedSetup to clean it. I got infected this time after clicking on a link at an image hosting site (no it was not pornography, unless you consider movie cars as such). Strangely and as chance would have it, I experienced very similar symptoms with the initial infection to what I suffered the first time I needed help at this site.

No image appeared on the site and instead there was a black screen, followed by a message from Adobe Reader asking if I wanted to enable JavaScript (as I had turned it off for security reasons). I hadn't clicked on a PDF link so this was unexpected. I closed the window without allowing JavaScript to be enabled and straight away afterwards, I received a message that my XP Firewall was once again disabled. For the record, I hadn't got round to installing Online Armor Free, that AdvancedSetup recommended, as I was planning to buy new Firewall software in the next few days.

I quickly re-enabled it, closed Internet Explorer and then ran CCleaner to delete all temporary files. I then examined the Temp folder in the Local Settings folder and found that two files had survived. Once again I saw a familiar file from last time, called Serr.tmp, along with another .tmp file with an unrecognisable name. Soon afterwards, more .tmp files started to appear in the Temp folder and the number continued to grow. They had various names, some longer than others. Through a state of panic and dread, I started manually trying to delete them but several were protected (I could kill a few of them though). I then realised I needed to kill my internet connection (normally this is the first thing I do but I stupidly forgot) as more and more files were being downloaded. Many of the files were listed as letters of the alphabet and were simply labelled: a.tmp, b.tmp, c.tmp and so on.

During this, in the System Tray, an icon that looked like the Windows Security Centre red warning shield appeared. It was almost identical looking but looked a ever so slightly different in shape and colour. It kept bringing up a balloon saying that my PC had been infected by a virus. Closing it would only keep it away for a few seconds. At the same time, a window would pop-up trying to access a website. As I had switched off my router I don't know what this would have shown.

I ran MBAM soon after and it successfully managed to kill multiple viruses. Using Quick Scan, it found about 6-8 viruses near the beginning of the scan and then near the end, that number went right up. Two of them could only be removed on a reboot.

Upon reboot the system appeared clean and that bogus Security Centre icon had gone. I ran MBAM again, which didn't find anything. However, Windows Security Centre had been switched off, as had the firewall. I could switch the firewall back on after I received a warning that certain services had been stopped but Security Center doesn't show any status now. Nothing appears in System Tray and looking at its main window, there are no longer status panels for the firewall, Windows Updates or the Anti-Virus software. Also, on the left hand side of the window, in the Resources panel, "Change the way Security Centre alerts me" has been greyed out and disabled.

CheckDisk is working fine. System Restore will let me make a new Restore Point and even allow me to load an earlier one but upon a reboot, it always says that the restore has failed.

I also get an error on bootup that PadExe.exe has encountered a problem and has stopped working. Thankfully, I use a mouse so I can still use the PC but this is annoying nonetheless. Like my previous infection, I encountered this error before.

Lastly, upon reboot, I see the Temp folder always has the same two files/folders. I can delete them manually without trouble but they always return. There is one single file called FEE5E75C.TMP and one folder called WPDNSE. The folder is always empty. They return upon every reboot but the date and time are different each time they are newly created. They do not have the current date and time that the PC has started up. I don't know if these are something malicious or not.

I don't know if my system is clean and that the problems with Security Centre, System Restore and PadExe are down to damage. To be certain though, I ask again for your help. I've also realised not to visit image hosting sites in the future, no matter what the content, as it appears too risky.

Seeing as I am familiar with the initial details, I have copied and pasted the MBAM log that showed the viruses, followed by a HijackThis log.



MBAM log:


Malwarebytes' Anti-Malware 1.41
Database version: 2852
Windows 5.1.2600 Service Pack 3

29/09/2009 00:27:46
mbam-log-2009-09-29 (00-27-46).txt

Scan type: Quick Scan
Objects scanned: 98412
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\user\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\UAC3ebf.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\temp\UAC3ecf.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\xomprqqowp.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\temp\d.exe (Trojan.Downloader) -> Delete on reboot.




HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:26:57, on 29/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8397 bytes





Thanks again in advance for your help and I apologise for once more taking up your time.

Regards.

[AdvancedSetup]

Hello,

Let's clean it up again and this time maybe think about changing around your security software.


Please run the following and post back the log.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

[AdvancedSetup]

Please post a status update on this.

Thanks.

[Solaris_Wave]

Hello again.

Sorry I couldn't respond sooner. I was experiencing bad internet performance for the entire day yesterday. Speeds were either erratic, jumping constantly from 200KB to 400KB a second, or I was seeing virtually dial-up modem performance as I couldn't get faster than 10KB a second. It varied wherever I was downloading from and I couldn't get my usual 8Mbit speed. MBAM took twenty minutes to get the latest update. According to my ISP, there were some serious problems on the network but the area they listed it in was nowhere near where I live. It seems a lot better now so I am assuming that my speed issues were not related to any infection, although I am not 100% certain.

I successfully ran ComboFix. It took a long time to finish up, longer than when I had used it for my first infection. I didn't switch off my router while running it and I could connect to this site fine after running it, without needing to reboot.

Here are the following logs.



ComboFix.txt:


ComboFix 09-09-29.02 - user 30/09/2009 7:26.3.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\run.log

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-29 23:59 . 2009-09-29 23:59 -------- d-----w- c:\program files\FLV Player
2009-09-29 23:20 . 2009-09-30 00:03 -------- d-----w- c:\documents and settings\user\Application Data\BID
2009-09-20 19:25 . 2009-09-20 21:37 -------- d-----w- c:\documents and settings\user\DoctorWeb
2009-09-13 02:38 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 02:38 . 2009-09-13 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 02:38 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 21:37 . 2009-08-31 21:37 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 06:02 . 2007-06-28 00:17 -------- d-----w- c:\program files\GetRight
2009-09-29 23:20 . 2007-07-03 20:38 -------- d-----w- c:\program files\Bulk Image Downloader
2009-09-29 06:31 . 2008-04-20 17:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 06:28 . 2007-07-15 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-29 01:22 . 2007-12-29 12:48 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-09-04 00:19 . 2005-05-27 22:46 -------- d-----w- c:\program files\ahead
2009-09-03 23:36 . 2003-12-03 15:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 23:36 . 2007-08-13 07:14 -------- d-----w- c:\program files\Real
2009-09-03 23:32 . 2008-03-11 21:50 -------- d-----w- c:\program files\Meridian Advance
2009-09-03 01:45 . 2009-04-16 05:46 -------- d-----w- c:\program files\PicaLoader
2009-08-24 02:17 . 2009-02-27 16:43 123 ----a-w- C:\drmHeader.bin
2009-08-21 10:05 . 2009-07-17 17:33 -------- d-----w- c:\documents and settings\user\Application Data\Free Audio Editor
2009-08-21 05:10 . 2008-06-19 10:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-21 05:10 . 2008-06-19 10:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 05:10 . 2008-06-19 10:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="c:\program files\NoAds\NoAds.exe" [2007-10-27 151552]
"Mmm"="c:\program files\HACE\Mmm\Mmm.exe" [2005-07-05 828416]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-05-23 253952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 122880]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 1019904]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"LTSMMSG"="LTSMMSG.exe" - c:\windows\ltsmmsg.exe [2003-04-18 32768]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-15 73728]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-27 266240]
"TFncKy"="TFncKy.exe" [BU]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 809488]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2007-6-28 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 05:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [x]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-21 335240]
S1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2008-05-24 53760]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-21 297752]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.live.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 07:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2888162382-313132713-241459312-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(424)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-09-30 7:38
ComboFix-quarantined-files.txt 2009-09-30 06:37

Pre-Run: 2,550,685,696 bytes free
Post-Run: 2,524,905,472 bytes free

125




ComboFix-quarantined-files.txt:


2009-09-30 06:32:07 . 2009-09-30 06:32:07 6,656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-30 06:24:47 . 2009-09-30 06:24:47 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-28 23:12:30 . 2009-09-28 23:12:30 10 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\run.log.vir




HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:06:52, on 30/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" (User '?')
O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" (User '?')
O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8537 bytes




I saw that error again when I tried to do a scan and log in HijackThis. It brings up an error window shortly after running a scan and then carries on after I have clicked Yes or No to send off a bug report. I haven't actually sent off a report because I didn't want to risk it interfering with the IE window I already had running (I ran HJT as I was making this post). I don't know if this error occurs because I have IE running but the error only shows up the first time and doesn't affect the scan. This time I have actually written it down and is shown as follows (I have left out certain text outside of the error code):


An unexpected error has occurred at procedure: modRegistry_IniGetString (sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument



Thank you once again for your assistance.

Regards.

[AdvancedSetup]

Please fully uninstall Spybot S&D for now.

Click on START - RUN and copy/paste the following into the run line at hit OK

CMD /C COPY c:\windows\$NtServicePackUninstall$\eventlog.dll C:\WINDOWS\SYSTEM32

Then run the following.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***

• Double-click on JavaRa.exe to start the program.
  
• From the drop-down menu, choose English and click on Select.
  
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  
• A logfile will pop up. Please save it to a convenient location and post it back when you reply
  
  Then look for the following Java folders and if found delete them.
  C:\Program Files\Java
  C:\Program Files\Common Files\Java
  C:\Windows\Sun
  C:\Documents and Settings\All Users\Application Data\Java
  C:\Documents and Settings\All Users\Application Data\Sun\Java
  C:\Documents and Settings\username\Application Data\Java
  C:\Documents and Settings\username\Application Data\Sun\Java

Then from within Internet Explorer click on Tools/Internet Options/Advanced and click on the RESET button.

Now RESTART THE COMPUTER.


Then run the following

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log



Then click on START - RUN and copy/paste into the run line and hit OK

notepad c:\windows\system.ini

Then select all and copy/paste the contents back here on your next reply.


Then click on START - RUN and copy/paste into the run line and hit OK

notepad c:\windows\win.ini

Then select all and copy/paste the contents back here on your next reply.

[AdvancedSetup]

Please post a status update on this.

Thanks.

[Solaris_Wave]

Spybot was successfully uninstalled, although I had to delete an associated folder in Documents & Settings. I forgot to check Program Files until after I did all these scans and deletions. There are lots of files still in there. This may have been caused by an old Restore Point as I was unable to uninstall Spybot until I installed a new version one day before I got the recent virus infection. I didn't have TeaTimer activated, just the added Internet Explorer protection. This aside, I hadn't noticed any trouble running the tasks you asked me to do and IE7 looks like it was when I first installed it.

Java was also successfully uninstalled. I needed to manually delete Sun folders from several places after running JavaRa. In Documents & Settings, I also found the Sun folder in the "Administrator" and "Default User" folders, as well as "All Users" and "user". I removed those as well, seeing as you said to remove all versions of Java.


Here is JavaRa.log:


JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Oct 01 01:19:17 2009

Found and removed: SOFTWARE\Classes\JavaPlugin.150_03

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410200

Found and removed: SOFTWARE\Classes\JavaPlugin.142

------------------------------------

Finished reporting.





Next up is the latest MBAM log. I have run MBAM several times since the recent infection. Other than the first log I posted in this thread, MBAM has not detected anything:


Malwarebytes' Anti-Malware 1.41
Database version: 2879
Windows 5.1.2600 Service Pack 3

01/10/2009 02:09:56
mbam-log-2009-10-01 (02-09-56).txt

Scan type: Quick Scan
Objects scanned: 98398
Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Next is System.ini:


; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON




Next is win.ini:


; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
mp3=MPEGVideo
m3u=MPEGVideo
[RAD Video Tools]
Path=C:\Documents and Settings\user\My Documents\RRogueTrooperAddons\Rogue Trooper Addons\trtraa\Sounds\Streams
BinkComp=/d650000 /m3.0 /l4 /p8
BinkMix=
SmackComp=/l104
SmackMix=/l104
BinkPlay=
SmackPlay=
BinkConv=/v
X=212
Y=123
W=563
H=538
[BOP]
forcemono=off
screensave=on
click=on
[MSUCE]
Advanced=0
CodePage=Unicode
Font=Arial



Rogue Trooper is a game and I had copied the movies to My Docs to view separately from the game. I'm not sure why the Pathname for it is still there though as neither the game nor the movies are currently on my hard disk.

After deleting Java, resetting IE7 and rebooting the PC, I see that Windows Security Centre is active again. The status panels for the Firewall, Windows Update and Virus Protection are visible once more, as is the red warning shield in the System Tray (because I have disabled Windows Updates).

I also got a notification window, upon bootup, saying that Adobe Flash Player had an update. I guess that was just coincidence and probably because I had previously told it to remind me later after 30 days.


Thanks again.

[AdvancedSetup]

Okay, let's get an AV scan from NOD32 then.

How is the computer running now? Are there still signs of an infection?


Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.

• Go to http://java.sun.com/...loads/index.jsp
  
• Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  
• In Platform box choose Windows.
  
• Check the box to Accept License Agreement and click Continue.
  
• Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  
• Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  
• Uncheck the Toolbar button (unless you want the toolbar)
  
• Reboot your computer

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.
Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  
• Click Start
  
• Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  
• Click Scan
  
• Wait for the scan to finish
  
• Re-enable your Anvirisus software.
  
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

[Solaris_Wave]

The PC seems to be running fine so far. I haven't seen (or heard) any signs of anything nasty. I haven't yet tried performing a System Restore (after making a new Restore Point where things seem okay) to see if a Restore op will actually work once again.

The PC did appear to hang two days ago briefly. This happened during initial bootup, where you get to the Logon screen. The Windows screen saver came on as I had gone off to do something else while I was waiting for it to boot up (I often see plenty of disk access at the Logon screen so I prefer to let it do what it wants to before I log in and cause it to load up yet more). I moved the mouse and the screen went completely black. Nothing happened for just under a minute. No disk access or anything. Normally the screen saver will disappear straight away as soon as I move the mouse. However, I deliberately left it today so the screen saver would come on at the Logon screen and this time it responded fine.

Here is the log for NOD32:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=cf5e79d1be913942bfcccf9d9a7fda7f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-01 08:31:05
# local_time=2009-10-01 09:31:05 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 21 66 100 35976343437500
# scanned=382104
# found=0
# cleaned=0
# scan_time=11458



I also ran Dr. Web (although I didn't update it as I don't really know what "launch.exe" is) and that didn't find anything either. I ran that because I remember that picking up something that other software had missed during the last infection I got. I downloaded it again as I remember you asking me to use that last time, and wanted to see if anything new would appear.

Regards.

[AdvancedSetup]

Well difficult to tell. Computers can be finicky and with so many different versions of software and drivers it's a wonder they work at all.

1. Keep all Microsoft security updates up to date
2. Keep Anti-Virus up to date and always running
3. A paid version of MBAM can also help to prevent this from happening.

Uninstall the combofix as before..

Let me leave you with this though for working on speeding up the computer.

Computer and browser slowness are not always malware related

Poor performance and other problems can be the result of disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

Listed below are a few things you can do to improve speed and system performance. Many of the these suggestions will apply if you're using Windows Vista but may be done a bit differently. Near the bottom of this thread there is a section specifically devoted to Vista Users.

For browser problems, see:

• Its not always malware: How to fix the top 10 Internet Explorer issues
  
• How and Why to Clear Your Cache

If your having connectivity issues or errors such as Page cannot be displayed see

• Repair/Reset Winsock settings
  
• Troubleshooting Internet Connection Problems

If you're using Vista or Internet Explorer 7, see

• Why is my Internet connection so slow?
  
• Windows Vista - My Internet connection is slow
  
• The Phishing Filter may slow down the PC
  
• Tuning IE7 for Better Performance
  
• How to optimize or reset Internet Explorer 7

If you have a lot of toolbars and add-ons attached to Internet Explorer, you could try improving performance by disabling those which are unecessary. See:

• Control Internet Explorer Add-ons with Add-on Manager
  
• Troubleshooting and Internet Explorer’s (No Add-ons) Mode

Vista users see:

• Internet Explorer Add-ons FAQs

Clean up your hard drive by removing unused programs and transferring old data, pictures, music files to a CD or an external hard drive.

When you have moved/saved the files you want to keep, run Disk Cleanup and let it scan your system for files to remove. Don’t clean out the Prefetch folder - This is a common myth that will not improve performance.

You may be instructed to remove prefetch files if you had experienced some virus/malware issues otherwise removing prefetch files is not really necessary. Although the prefetch folder can become quite bloated in time, removing old prefetch data as a matter of routine is not recommended. Your boot time immediately after clearing the prefetch folder is much slower...but it will speed up after the first reboot when windows begins to put back some of the files that you removed.

As an alternative to Disk Cleanup you can download and scan with CCleaner.
(Scroll to the last one and click the "CCleaner Slim"...it has no toolbar that comes packaged with it)

• After installation, see see the CCleaner Tour: Using and Understanding CCleaner
  
• Make sure you go to Options-->Advanced and uncheck the box to Only delete files in Windows Temp folders older than 48 hours before running a scan
  
• An added benefit of using CCleaner is the Issues scan which allows you to clean the registry
  
• Always back up your registry before making any changes

Check for any unnecessary running services

If you have a typical installation, many services are configured as "automatic"; that is, they start automatically when the system starts or when the service is called for the first time. Use Black Viper's "Services Configuration" to help fine tune this area.

Check for disk errors by running CHKDSK in "SAFE MODE" or from the Recovery Console

In the Check Disk dialog box, select the "Scan for and attempt recovery of bad sectors" check box, click "Start" and have it repair anything it finds. As you use your hard drive, it can develop bad sectors which slow down hard disk performance and make data writing difficult. Check Disk scans the hard drive and verifies the logical integrity of a file system by checking for system errors, lost clusters, lost chains, and bad sectors. When encountering logical inconsistencies in file system data, it will perform the necessary actions to repair the file system data.

Check for damaged, altered or missing critical system files by running the System File Checker

If SFC discovers that a protected file has been damaged, altered or missing, it restores the correct version of the file from the cache folder.
You must be logged on as an administrator or as a member of the Administrators group to run sfc and it may ask you to insert your XP Installation CD so have it available.

Defrag your system

Disk fragmentation slows the overall performance of your system. When files are fragmented, the computer must search the hard disk when a file is opened. Disk Defragmenter consolidates fragmented files and folders on the hard disk so that each occupies a single space on the disk. This speeds up reading and writing to the disk. Read "The Importance of Disk Defragmentation" for instructions.

Note: It is recommended to shut down all applications (including your Anti-virus) before running Defrag to ensure that no programs attempt to write to the drive while it is being defragmented. Not doing so may cause you to have to restart the entire process. If you have disabled all running programs and still find that the defrag routine is constantly interrupted, you can defrag from "SAFE MODE".

Check for any unnecessary applications loading at startup when Windows boots by using MSConfig

Some startup programs are necessary so be careful what you disable. If you are unsure what any of the startup entries are or if they are safe to disable, then search one of the following Startup Databases:

• StartupList Index
  
• Startup Programs Database

Note: MSConfig.exe is a troubleshooting utility used to diagnose system configuration issues. Although it works as a basic startup manager, msconfig should not be used routinely to disable auto-start programs. It is a temporary solution and not a good practice for several reasons. When uninstalling programs while disabled with msconfig, they may not be uninstalled properly and orphaned entries often will be left behind. When used to switch back to normal startup mode, these orphan entries can result in boot up errors. Further, msconfig does not list all applications loaded in all possible startup locations (some entry points are hidden and unknown to the user) and does not allow the complete removal of disabled entries from its list.

You should not use msconfig to disable startup applications related to a running service. Doing so alters the registry and there are services that are essential for hardware and booting. When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer. You should only disable services using Control Panel-->Administrative Tools-->Services.

A better alternative is to use a startup manager. If you have Spybot S&D installed, launch it, go to Mode and select Advanced. Then go to Tools, select System Startups. You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled. Other startup managers you can download and use for free are:

• Startup Control Panel,
  
• Autoruns,
  
• Starter by CodeStuff, and
  
• StartUpLite by RubberDucky.

Remove any third party "Memory Manager" or "Optimizer"

Windows XP memory management was designed to make the best use of Ram and these memory management utilities defeat that purpose. They push applications out of RAM into the pagefile, creating holes in the RAM and slowing down your computer's performance by doing so.

Disable some visual effects

While visual embellishments may be attractive, they don’t do anything else for you. Disabling some of them frees up system resources and makes the operating system perform better.

• Right click My Computer, choose Properties-->Advanced then click on Settings
  
• In the Visual Effects tab, select Adjust for best performance or uncheck all the visual effects, except for the last three
  
• Click "Apply", then "Ok", then "Ok" again
  
• Then right click your Desktop and choose Propertie-->Appearance-->Effects
  
• Uncheck the first two boxes and hit "OK"

Add more RAM

This is a quick solution that can have a dramatic affect on your system's speed and responsiveness. You can check how much RAM you have by going to Start-->Program Files-->Accessories-->System Tools-->System Information and look at your System Summary. For more info see "Understanding, Identifying and Upgrading the RAM in your PC".

For more suggestions and performance tips read:

"Restore Your Computer's Performance with Windows XP"
"XP Performance Tweaks"
"Performance Boost for XP"

For Vista Users:

Vista Features Explained: Performance
Vista Features Explained: SuperFetch
SuperFetch & ReadyBoost
Tips to boost Vista performance
Windows Vista Performance Tuning
Top 12 Tweaks To Improve Vista Looks and Performance

When you are all done be sure to Create a new Restore Point to enable your computer to "roll-back" to a clean working state keeping all the changes you just made. Then use Disk Cleanup to "remove all but the latest Restore Point".

Vista Users can refer to these links:

• Create a New Restore Point
  
• Disk Cleanup

[Solaris_Wave]

Thank you for all of those tips. They will come in handy if I ever need to reinstall Windows on this PC or buy a new machine. This laptop is old now (dated late 2003) but I do very little PC gaming, so have never felt truly pushed to replace it. It feels like it was limited from the very beginning though as the graphics chip can't handle very much. I had to upgrade the RAM to improve performance but even now, any webpages with Flash animations cause the PC to become sluggish. Even simple things like mouse wheel scrolling becomes laboured if Flash ads are on the page.

Seeing as one of the main viruses that infected my PC this time was identical or related to the one that infected my PC before, when I needed your help, is it worth running any of the other commands that you advised me to do in my other thread? Commands such as flushing the DNS, resetting the firewall, IP reset and so on? Would it cause a problem if I did it just to be on the safe side? If I was worried about router security the last time round, could I not be under the same threat again (even though I never kept the default password)?

I'll certainly be buying the registered version of MBAM as it has done a fantastic job in finding lots of nasties (and just as importantly, killing them). I'm thinking I may need to buy better anti-virus software as well. I am currently using AVG 8.5 Free but haven't really tried anything else other than sluggish Norton Internet Security. Is there one you would recommend? Just as importantly, is there a firewall you would recommend buying? Are "Internet Suites" that have a firewall and anti-virus by the same developer better than separate ones, due to not needing multiple software engines running, or does it not really matter? ZoneAlarm Pro is supposed to be a good firewall but I always read that their anti-virus software is lacking.

Thanks again.

[AdvancedSetup]

Well the Avira FREE version works quite well I think (no official tests but for me seems to work much better than AVG, YMMV)
ZoneAlarm used to be a great product but now days it's a pig and very problematic.

If you follow along with that big article there are a lot of nice tips and tricks to speed up your PC especially because it's old and needs cleaning, trimming of the fat so to speak.

No, I've never heard of any router attacks that were able to bypass a password as long as it was not an easy one to guess.

For the most part IMHO a lot of this firewall discussion is a bit misleading. The reason I think so is that port scanning or getting Malware onto your box is not going to be stopped by a firewall alone. Having a firewall that you watch and pay attention to might at times show you that something is on your box and is trying to get out and it might stop it. That's good, but a lot of the current Malware comes right onto the box via mail or P2P or Web browsing which a firewall that you can afford isn't going to do much about. Even the multi-thousand dollar Cisco hardware firewalls can't stop a lot of this stuff any better. Then when it gets on your box it often kills the firewall and any Anti-Virus and Anti-Malware software it can find.
So yes it's good to have an inbound/outbound monitoring firewall but it's not the end all fix that some think it is.
The choice for a firewall though has become quite limited these days as many of them are not what they used to be. They've branched out into Anti-Malware and Anti-Virus suites themselves.

This one is supposed to still be pretty good: Online Armor Free

[Solaris_Wave]

ComboFix has been successfully uninstalled I believe. I did actually get worried at first that it was going to start scanning and cleaning again. Even though I used the /u switch, it was telling me it was about to run and to disable my anti-virus. I didn't disable AVG and instead of clicking the OK button on ComboFix's windows I was trying to close them. It ran anyway without my attempts to close the windows the normal way and appeared to uninstall, despite not switching off AVG or pressing OK.

Is there anything else I need to do at this point? Is it worth running any of the other commands that you posted for my other thread, due to the infection behaving in a similar fashion, such as the following:

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30
CMD /C NETSH FIREWALL RESET
CMD /C NETSH int ip reset c:\resetlog.txt
CMD /C IPCONFIG /flushdns
CMD /C arp -d *
CMD /C netstat -a >C:\connections.txt
CMD /C fsutil fsinfo statistics c: >c:\drivestats.txt


As for the firewall, I'll most likely give ZoneAlarm Pro a miss. I'll use Online Armour Free for now but looking at the extra functions provided by the paid version makes me think I should at least buy a firewall to get added protection. ZoneAlarm did get good reviews but if you say it has become bloated then I doubt it will be much more pleasant to use than Norton's offering, which caused my PC to sweat. As you say though, there is only so much they can do. The main virus that got onto my system from the website dropped right in, past AVG's nose and then deliberately switched off XP's firewall. I wouldn't be surprised if it could do that with Norton, McAfee and ZoneAlarm.

Regards.

[AdvancedSetup]

Yep, once they slip in they often don't seem to have an issue shutting off any other program they want to shut off.

It's up to you but probably not really needed to run those, but no harm either. Always good to know what's on your system and how it's running.


Okay I'll close your post then and if you need further assistance please make a new post.