Full Version: Laptop infected - please help - Malware LOG ATTACHED
sapna_chavda
Hello,

As you so kindly helped me out previously, I am again seeking your help. (By the way, I've been telling everyone about this site and MalwareBytes - you guys are amazing and deserve recognition!)

Anyways, having problems with my laptop, have run MalwareBytes and have attached the log (I couldn't post the log because it was too big!)

Please please can someone have a look, and help me out - I would really really appreciate it

Many many thanks
Sapna
AdvancedSetup
Please restart your computer and check for MBAM updates and run a NEW Quick Scan and post back that log.

sapna_chavda
Hi,

Could prove difficult, as at the moment can't get on internet with the laptop!

Would it work if i used another laptop, updated malwarebytes, then burned on disc and loaded onto the infected laptop, and re-ran the scan?

Thanks.
AdvancedSetup
Yes you can do that.
Update MBAM from another computer and copy this file to the infected computer.

The location of the file for updates is:
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
You just need to copy the rules.ref file to the infected computer and run a new Quick Scan.

You may want to try the following to see if you can correct the network not working.

Click on START - RUN and copy / paste the entry below into the run line and click OK
CODE
CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK
CODE
CMD /C NETSH int ip reset c:\resetlog.txt

AdvancedSetup
Please post a status update.

Thanks.
AdvancedSetup
Are you still with us?
sapna_chavda
Hi there, sorry been away from home - gonna try the above and come back to you!! Thanks so much!
sapna_chavda
OK, so this is not going very well...

I first tried to do the resets in RUN so that I am able to just update MB from the infected laptop, but it doesn't work. I have a connection but no pages load up.

So I updated MB on the clean laptop, copied it onto disc and tried to run it on the infected one, but for some reason it won't let me run it.

Also, I'm unsure what you mean by copying the rules.ref?? I can't find it in the MB file?

I don't know if I'm being really stupid!?!?!?!
Thanks again for your time and help.
AdvancedSetup
Please see option 4 here: http://www.malwarebytes.org/forums/index.php?showtopic=10138
That should show you where to get the rules.ref file. You might have to unhide folders to see it though.


Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.



There are some other ideas and methods to help you get the scanner running in that FAQ.
You might need to try to rename MBAM.EXE to MBAM.COM or something like that. Try that and let me know how it goes and what issues or errors you run into and we'll go from there.
sapna_chavda
Hi there,

Ok, so I tried to unhide files on my uninfected laptop (which runs on Vista) and it still won't show me the rules.ref file that I need.
(I tried it on the infected laptop [which runs on XP] and it shows the rules.ref file - but obviously it's not the updated version!!)

I tried point 8, just to make sure, and the infected laptop still does not load up any pages.

Is there any other way I can get the rules.ref to show on the uninfected laptop, so I can burn it on CD and run it on the other laptop? The scan works but obviously it's running on an older version of MB and I need to update it to post you the correct log!

Thanks.
AdvancedSetup
Please try to burn this to a CD and then copy it to the infected computer and run it.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
AdvancedSetup
Please post a status update on this.

Thanks.
sapna_chavda
Hi,

Started to try this yesterday - came across a few problems.
Am going to attempt again tonight, and will come back to you a little later this evening.

Thanks and kind regards
Sapna
sapna_chavda
hello,

I burnt MB on to disc, placed it in the infected laptop, and tried to run it. But it won't let me!

Can I/Should I run ComboFix without having run MB?

Thanks.
sapna_chavda
Oh no...scrap the above!!

I removed AVG from the infected laptop, and am able to now get on the internet with it...yay!!!
SO, I am currently running a scan, once complete I will post the log.

Should I also run ComboFix?

Thanks!!
sapna_chavda
Sorry, another question... I've re-read above, and understand to run ComboFix too.

Can you please clarify: by "a new HijackThis log", do you mean I should start a new thread or just carry on here??

Many thanks!
sapna_chavda
Ok... I've run the scans and both are attached.

many thanks for your help!!

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.41
Database version: 2796
Windows 5.1.2600 Service Pack 2

14/09/2009 19:17:07
mbam-log-2009-09-14 (19-17-07).txt

Scan type: Quick Scan
Objects scanned: 108386
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix Log:


ComboFix 09-09-14.01 - Martina Kane 14/09/2009 19:29.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.159 [GMT 1:00]
Running from: c:\documents and settings\Martina Kane\Desktop\Combo-Fix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Martina Kane\Application Data\WeatherDPA
c:\documents and settings\Martina Kane\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Martina Kane\Desktop\Download programs.url
c:\documents and settings\Martina Kane\Desktop\Games.url
c:\documents and settings\Martina Kane\Desktop\Translator.url
c:\documents and settings\Martina Kane\Desktop\Videos.url
c:\documents and settings\Martina Kane\Favorites\Download programs.url
c:\documents and settings\Martina Kane\Favorites\Games.url
c:\documents and settings\Martina Kane\Favorites\Translator.url
c:\documents and settings\Martina Kane\Favorites\Videos.url
c:\documents and settings\Martina Kane\Start Menu\Programs\Download programs.url
c:\documents and settings\Martina Kane\Start Menu\Programs\Games.url
c:\documents and settings\Martina Kane\Start Menu\Programs\Translator.url
c:\documents and settings\Martina Kane\Start Menu\Programs\Videos.url
c:\windows\Installer\1e4d6.msi
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 17:25 . 2009-09-14 17:25 -------- d-----w- c:\documents and settings\Martina Kane\Application Data\AVG8
2009-09-06 15:27 . 2009-09-06 15:30 -------- d-----w- c:\documents and settings\Martina Kane\Local Settings\Application Data\MigWiz
2009-09-06 15:21 . 2006-11-02 07:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2009-09-06 15:21 . 2006-11-02 06:07 581192 ----a-w- c:\windows\system32\WinusbCoInstaller.dll
2009-09-06 15:20 . 2009-09-06 15:20 -------- d-----w- c:\program files\Microsoft
2009-09-06 11:40 . 2009-09-06 11:40 -------- d-----w- c:\documents and settings\Martina Kane\Application Data\Malwarebytes
2009-09-06 11:40 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 11:39 . 2009-09-06 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 11:39 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 11:39 . 2009-09-14 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 11:14 . 2009-09-06 11:21 -------- d-----w- C:\$AVG8.VAULT$
2009-08-15 19:54 . 2009-09-14 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 18:37 . 2008-04-13 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-14 17:21 . 2006-05-23 10:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 17:21 . 2006-05-23 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-14 17:21 . 2006-05-23 10:57 -------- d-----w- c:\program files\Symantec
2009-09-14 16:47 . 2008-04-21 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-13 07:16 . 2008-02-25 17:24 -------- d-----w- c:\program files\Lx_cats
2009-09-06 15:29 . 2009-09-06 15:29 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-05 09:11 . 2006-05-23 06:26 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2006-05-23 06:25 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-05-23 06:26 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 15:59 . 2006-05-23 06:26 668160 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2006-05-23 06:26 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:17 . 2006-05-23 06:26 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2006-05-23 06:26 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2006-05-23 06:26 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2006-05-23 06:26 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:17 . 2006-05-23 06:26 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2006-05-23 06:26 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:35 . 2006-05-23 06:26 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"ares"="c:\program files\Ares\Ares.exe" [2008-02-20 963072]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-11 266240]
"Zooming"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2005-06-06 24576]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2006-01-03 28672]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2008-8-30 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcecoms.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18/04/2006 15:12 98816]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [07/10/2007 10:57 17149]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [30/08/2008 12:14 194304]
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 15:39]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-avgrsstarter - avgrsstx.dll
Notify-WgaLogon - (no file)
AddRemove-Power Saver - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\Power Saver\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-356527333-3197801718-3462220319-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,02,99,a7,75,58,17,9d,5d,16,86,04,2e,25,ab,13,7d,34,4d,32,9e,b3,eb,
33,a2,1d,20,6d,54,64,72,34,14,d6,95,b6,44,8f,c3,0a,e5,ba,9c,4e,0f,f5,97,8c,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\RtlGina2.dll
.
Completion time: 2009-09-14 19:41
ComboFix-quarantined-files.txt 2009-09-14 18:40

Pre-Run: 15,456,034,816 bytes free
Post-Run: 16,034,762,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

178 --- E O F --- 2009-09-13 07:26
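An added example (not from this thread or from Malwarebytes): a small Python parser for the MBAM 1.x log format posted above, which also flags the Security Center "DisableNotify" tampering the log records. The sample log is constructed from the entries shown in this thread; only the section headers relevant to it are included.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and flag Security Center
notification tampering.

Added example, not part of the thread or of Malwarebytes' own tooling.
SAMPLE_LOG is constructed from the log quoted in this thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2796
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 108386
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Data Items Infected: 2" (summary block) vs. "Registry Data Items Infected:" (section header)
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<threat>) -> [<detail> -> ]<action>"; file/folder entries have no detail part.
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?:(?P<detail>.+?) -> )?(?P<action>.+)$")
# XP SP2 Security Center values that suppress the "antivirus/firewall is off" balloons.
SECURITY_CENTER_NOTIFY = re.compile(
    r"\\Security Center\\(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    section: str
    obj: str
    threat: str
    detail: str
    action: str


@dataclass
class MbamReport:
    version: str = ""
    database_version: int = 0
    scan_type: str = ""
    objects_scanned: int = 0
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text):
    """Walk the log once: header fields, summary counts, then per-section items."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split()[-1]
        elif line.startswith("Database version: "):
            report.database_version = int(line.split(":", 1)[1])
        elif line.startswith("Scan type: "):
            report.scan_type = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(":", 1)[1])
        elif (m := SUMMARY_RE.match(line)):
            report.summary[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:
                report.detections.append(
                    Detection(section, m["obj"], m["threat"], m["detail"] or "", m["action"]))
    return report


def consistency_issues(report):
    """Summary counts that disagree with the items actually listed (a truncated paste shows up here)."""
    return [f"{sec}: summary says {n}, {sum(d.section == sec for d in report.detections)} listed"
            for sec, n in report.summary.items()
            if sum(d.section == sec for d in report.detections) != n]


def security_center_tampering(report):
    """Security Center notify values set to 1: the user is no longer warned that AV or firewall is off."""
    return [d.obj.rsplit("\\", 1)[-1] for d in report.detections
            if SECURITY_CENTER_NOTIFY.search(d.obj) and "Bad: (1)" in d.detail]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {rep.version} db {rep.database_version}: {len(rep.detections)} detections")
    print("Security Center notifications disabled:", security_center_tampering(rep))
    print("Consistency issues:", consistency_issues(rep))
```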
AdvancedSetup
Looks pretty good now.

Yes it appears that AVG had a false positive and was actually deleting MBAM

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A
Uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed



Then run the following.

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.
Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

AdvancedSetup
Please post a status update on this.

Thanks.
sapna_chavda
Hi there,

It's amazing the laptop boots up quicker - already notice the difference!
Please find below the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=5b28c1614648674bbd7d8fa1b6eb4a1c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-15 06:37:44
# local_time=2009-09-15 07:37:44 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# scanned=66618
# found=0
# cleaned=0
# scan_time=2347

Looks good?

Thanks.
AdvancedSetup
Yep, looks good.

Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.



Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore


Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

sapna_chavda
Thank you very much for all your help...

I really appreciate it...

You guys are brill and have helped me for the second time!!!

thanks again!