Solved

Infected with worm.win32.netsky

Posted on 2010-01-10
31
Medium Priority
1,477 Views
Last Modified: 2013-11-22
My son's pc has a virus. On startup, we get a message saying that the pc is infected with worm.win32.netsky. Also, an icon (red circle with a cross in it) comes up in the system tray telling me to click it to download a virus checker. It does a free scan and reports dozens of serious and critical threats, then asks you to buy the tool. I tried doing scans in safe mode, but to no avail. Worse still, I cannot connect to any internet site (it keeps saying the page could not be found), and I cannot do CTRL-ALT-DEL (a message keeps telling me it has been disabled by the administrator); ditto REGEDIT.

I have looked for a solution on here, but they all suggest downloading tools, which I can't do as this virus seems to have disabled me getting on the net.

One other thing, when windows did its pre-bootup scan it detected an infected file called ufxw.exe, which I deleted. I cannot find any info on this file. What is it, and have I done any harm to the running of the pc by deleting it?

The pc in question is running Windows XP. Can someone please offer some help on how I can get the pc cleaned up (especially as so many features have been disabled)? If your suggestions include downloading software, please advise if they can be downloaded on my laptop to a memory stick and transferred to the infected pc.
0
Question by:y2jk
31 Comments
 
LVL 11

Expert Comment

by:dekkar
ID: 26279284
How long has this been going on for?

Are you able to do a System Restore back to a date when it wasn't infected?

Try going into safe mode (keep pressing F8 as the computer starts up, before the Windows logo appears).

Go into Start --> All Programs --> Accessories --> System Tools --> System Restore.

This is a start...
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 26279320
0
 
LVL 6

Expert Comment

by:automationstation
ID: 26279327
Unfortunately, once your machine has been compromised, there is no real way of telling how extensive the damage is. The best way (in my opinion) to fix this is to use your system restore CD or install Windows from scratch. This will reformat your hard drive and you would lose all files on the box, but this is really the only way to be sure you will no longer have any virus left.

If you are looking for a good AV solution, we recommend and sell ESET Smart Security or ESET Antivirus:
http://www.eset.com
0

 
LVL 22

Accepted Solution

by:
optoma earned 1000 total points
ID: 26279387
Try accessing safe mode with networking to download the following:

ATF Cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
Combofix http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Malwarebytes http://www.malwarebytes.org/mbam-download.php

Rename Combofix and Malwarebytes prior to saving to desktop
Follow Combofix's running steps

Attach both logfiles here after

If using a memory stick for transfer, run Flash Disinfector on the clean machine first
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
-Download to desktop
-Run it
-Follow prompts
-When asked, plug in memory stick
-It will prompt when scan is finished
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26281702
If you manage to run Combofix even without fixing the messed up policies then that should be good, and attach the logfile for us to analyze.

You need to be careful which scanners you use when netsky is present, because some scanners will just delete the bad files but fail to remove the relevant registry entries, leaving the pc unbootable or the user unable to log in.

Try these tools to temporarily fix policies:
1. You can download this zipfile, extract it, then right-click on the "VArestorepolicies.inf" and select Install.
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
2. Or, FixPolicies.exe.
Please download FixPolicies.exe by Bill Castner and save it to your desktop.
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

3. Or this:
Task manager, msconfig, and regedit
http://www.dougknox.com/xp/utils/xp_emerutils.htm
0
 

Author Comment

by:y2jk
ID: 26281828
rpggamergirl:- I didn't think I was a complete novice at PCs, but what are policies, and what are your suggestions above supposed to fix? I'm afraid I just don't understand what you're advising. I could just follow your suggestions blindly (especially no. 3, as I cannot do regedit anymore, it has been "disabled"), but I would rather understand what you're telling me first. Could you explain?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 26282310
Open the links rpg provided, like:

These programs are extremely helpful, and usually necessary in helping to rid your computer of a viral infection. Many virus programs will intercept these programs, based on their original file name, and prevent them from running. The alternate copies will not encounter this problem. Simply navigate to the C:\EmergencyUtils folder and double click the file you need to run.
0
 

Author Comment

by:y2jk
ID: 26287747
dekkar - couldn't do what you suggested. Even in safe mode, it said "System Restore has been disabled by Group Policy. Contact domain administrator." This is a home pc, by the way.

optoma - followed your advice. The first time I ran Combofix (in safe mode), it rebooted in normal mode then hung for about 20 minutes, so I killed it and started again. The second time, it did not reboot, and produced a log which I attach below. However, I assume it is a much cleaner log than the first one would have been as it did not delete a lot of files at the end of the scan (like it did the first time). I also ran Malwarebytes, but I cannot find the log!! It deleted about 219 infected files, and the results looked very similar to Spybot and Ad-Aware which I have used before, so I'm not so bothered about that log (unless you think it is important). I am now able to do CTRL-ALT-DEL and run regedit and msconfig. Haven't tried a system restore yet, but for now I'll assume it will work.

Anyway, ComboFix log attached:

ComboFix 10-01-11.01 - Administrator 11/01/2010  19:48:28.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.747 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ASCbFx.exe
AV: avast! antivirus 4.8.1169 [VPS 100111-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Michael\Local Settings\Application Data\jymmku\ciaksysguard.exe
c:\program files\Uninstall Fun Web Products.dll
c:\windows\bemark2.dat
c:\windows\f49f4daa.dat
c:\windows\fmark2.dat
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\NTSVc.ocx
c:\windows\system32\smss32.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\tmark2.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


(((((((((((((((((((((((((   Files Created from 2009-12-11 to 2010-01-11  )))))))))))))))))))))))))))))))
.

2010-01-10 17:58 . 2010-01-10 17:58      33792      ----a-w-      C:\umgwljsb.exe
2009-12-27 23:07 . 2009-12-27 23:07      --------      d-----w-      c:\program files\InterActual
2009-12-20 22:33 . 2009-12-20 22:33      1956528      ----a-w-      c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 19:46 . 2008-11-17 17:59      90624      ----a-w-      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 14:29 . 2008-11-11 18:18      --------      d-----w-      c:\documents and settings\All Users\Application Data\NOS
2009-12-17 14:19 . 2009-11-15 16:47      79488      ----a-w-      c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-06 18:35 . 2009-11-29 18:41      --------      d-----w-      c:\documents and settings\Michael\Application Data\HpUpdate
2009-11-29 18:41 . 2008-08-17 17:45      --------      d-----w-      c:\program files\HP
2009-11-08 15:40 . 2005-10-04 15:08      90624      ----a-w-      c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 20:42 . 2009-10-02 20:17      195456      ------w-      c:\windows\system32\MpSigStub.exe
2009-10-29 07:46 . 2004-08-10 11:51      832512      ----a-w-      c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 11:51      78336      ----a-w-      c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 11:50      17408      ----a-w-      c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 11:51      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:51      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 22:00      265728      ----a-w-      c:\windows\system32\drivers\http.sys
2006-06-02 13:25 . 2006-06-02 13:25      56      --sh--r-      c:\windows\system32\56B751A2AE.sys
2006-05-03 09:06 . 2007-08-01 20:11      163328      --sh--r-      c:\windows\system32\flvDX.dll
2006-06-02 13:25 . 2006-06-02 13:25      1056      --sha-w-      c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2007-08-01 20:11      31232      --sh--r-      c:\windows\system32\msfDX.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-19 196608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-14 98304]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 185632]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 79224]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute      REG_MULTI_SZ         \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XpDis0Conf]
2004-02-23 15:51      32768      ----a-w-      c:\progra~1\Belkin\BELKIN~1\TOOL\WinXPDisableZeroConfigation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/05/2008 21:46 75856]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/05/2008 21:46 20560]
S2 Registry Helper Service;Registry Helper Service;c:\program files\Registry Helper\RegistryHelperService.exe [24/09/2009 14:07 83328]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [05/11/2007 20:22 1527900]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [23/12/2007 17:51 91392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper      REG_MULTI_SZ         getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.co.uk/myway
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Michael\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {33ACA7F1-1FD4-443B-920A-8DF313E35224} = 194.168.4.100,194.168.8.100
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-smss32.exe - c:\windows\system32\smss32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\sirenacm.dll

- - - - - - - > 'explorer.exe'(1796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-01-11  20:03:12
ComboFix-quarantined-files.txt  2010-01-11 20:02

Pre-Run: 39,530,663,936 bytes free
Post-Run: 39,492,268,032 bytes free

- - End Of File - - E3E7AF08F3DB600B5C8CE15CAB511CEB
0
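Reading a ComboFix or HijackThis log by eye is what the experts in this thread are doing. As an added example (not code from the thread, from ComboFix or from HijackThis), the Python script below runs a few of the same checks mechanically over a constructed sample built from lines in this thread's logs: Security Center monitoring switched off, the firewall disabled, the smss32.exe/winlogon32.exe process lookalikes, the hidden hex-named 56B751A2AE.sys that optoma asks to have checked, the root-level C:\umgwljsb.exe, and the 127.0.0.1:5555 proxy from the HijackThis log further down. The two DisableTaskMgr/DisableRegistryTools lines in the sample are constructed (standard Windows policy value names, not in the posted log) to show the check behind the "disabled by the administrator" symptom; severities and rule names are this example's own.

```python
"""Scan a ComboFix / HijackThis style log for the tampering indicators seen in this
thread.  Added example: not code from the thread, from ComboFix or from HijackThis."""
import re
from collections import Counter
from dataclasses import dataclass

# Core Windows process names that rogue "antivirus" families imitate by appending
# "32" (smss32.exe and winlogon32.exe both appear in the ComboFix log above).
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}
# Standard Windows policy value names behind the symptoms the author reports (Task Manager
# and regedit "disabled by the administrator", System Restore "disabled by Group Policy").
# They are not in the posted log; the constructed sample below adds two of them.
LOCKDOWN_POLICIES = ("DisableTaskMgr", "DisableRegistryTools", "DisableSR", "DisableCMD")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": tampering on its own; "review": needs a second look
    rule: str
    evidence: str


def triage(log_text: str) -> list[Finding]:
    """Return a Finding for every rule that fires; several rules may fire on one line.
    The current "[HKEY...]" header is tracked so value lines are judged in context."""
    findings: list[Finding] = []
    current_key = ""  # lower-cased header of the registry section we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^\[(HK[^\]]+)\]$", line)
        if header:
            current_key = header.group(1).lower()
            continue
        # 1. Security Center told to stop monitoring antivirus / firewall state.
        if "security center\\monitoring" in current_key and re.search(
                r'"DisableMonitoring"=dword:0*1$', line, re.I):
            findings.append(Finding("high", "security-center-monitoring-disabled", f"[{current_key}] {line}"))
        # 2. Windows Firewall standard profile switched off.
        elif "firewallpolicy\\standardprofile" in current_key and re.search(
                r'"EnableFirewall"=\s*0\b', line, re.I):
            findings.append(Finding("high", "firewall-disabled", f"[{current_key}] {line}"))
        # 3. Policy values that lock the user out of Task Manager, regedit, System Restore or cmd.
        elif "\\policies\\" in current_key and any(
                re.search(rf'"{name}"=dword:0*1$', line, re.I) for name in LOCKDOWN_POLICIES):
            findings.append(Finding("high", "admin-tool-lockdown-policy", f"[{current_key}] {line}"))
        # 4. Browser proxy pointed at the local machine (HijackThis R1 line).  Once the proxy
        #    process is removed, every site fails with "page could not be found".
        if re.search(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):\d+", line, re.I):
            findings.append(Finding("high", "loopback-proxy", line))
        # 5. A binary named like a core process plus "32" (Run entries, deletions, orphans).
        lookalike = re.search(r"([A-Za-z]+)32\.exe", line)
        if lookalike and lookalike.group(1).lower() in CORE_PROCESSES:
            findings.append(Finding("high", "core-process-lookalike", line))
        # 6. Hidden+system file in system32 with a hex-only name (56B751A2AE.sys in the log):
        #    worth an online check, but not a verdict on its own.
        if re.search(r"\s--sh\S{4}\s+\S.*\\system32\\[0-9a-f]+\.[a-z]{3}$", line, re.I):
            findings.append(Finding("review", "hidden-hex-system32-file", line))
        # 7. An executable sitting directly in the drive root (C:\umgwljsb.exe in the log).
        if re.search(r"\s[A-Za-z]:\\[^\\\s]+\.exe$", line, re.I):
            findings.append(Finding("review", "root-executable", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule so the shape of the tampering is visible at a glance."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: lines copied from the thread's ComboFix and HijackThis logs (with one
# benign Run entry and two benign files as controls), plus two constructed policy lines.
SAMPLE_LOG = r"""
c:\windows\system32\smss32.exe
c:\windows\system32\winlogon32.exe
c:\windows\system32\helper32.dll
2010-01-10 17:58 . 2010-01-10 17:58      33792      ----a-w-      C:\umgwljsb.exe
2006-06-02 13:25 . 2006-06-02 13:25      56      --sh--r-      c:\windows\system32\56B751A2AE.sys
2006-05-03 09:06 . 2007-08-01 20:11      163328      --sh--r-      c:\windows\system32\flvDX.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
HKLM-Run-smss32.exe - c:\windows\system32\smss32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
"""


def triage_sample() -> list[Finding]:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    results = triage_sample()
    for f in results:
        print(f"{f.severity:6} {f.rule:36} {f.evidence}")
    print(summarize(results))  # 10 findings across 7 rules
```

A "review" finding is a prompt to check the file (as optoma does via VirusTotal), not a verdict: 56B751A2AE.sys-style hidden hex names are also used by some legitimate licensing components.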
 
LVL 6

Expert Comment

by:automationstation
ID: 26287817
Obviously based on these logs your machine is highly infected. Just look at all the areas that the cleaning software is finding... But what about what it is not detecting. I would again recommend resetting your computer, get a good AV solution. Reinstall your apps and move on.
0
 

Author Comment

by:y2jk
ID: 26288227
Thanks for the advice automationstation, but the pc in question is very old and is nearly fit for scrapping anyway. When it is replaced, I will definitely put a professional AV solution on it, not the freebie that's on it now (which I was told was as good as Norton, McAfee, etc), but for now I just want to rid it of its viruses and get my son back online.

All I am really concerned about now is whether or not the pc is safe to do personal banking on, or whether I should still avoid it or any online shopping. Is there a way of telling me this from the log I posted? Or is there anything else I could / should do now to try and clean the pc up further?
0
 
LVL 22

Expert Comment

by:optoma
ID: 26288259
Could you also post the Malwarebytes logfile? From your post I presume you ran it after Combofix.

Open Malwarebytes
Select "logs" and attach logfile.

Check these with online scanner and note results, if any:
http://www.virustotal.com/
C:\umgwljsb.exe
c:\windows\system32\56B751A2AE.sys
c:\program files\Registry Helper\RegistryHelperService.exe

NB> Leave System Restore as it is for now. All restore points, infected or non-infected, lie dormant/inactive, i.e. pose no harm unless the machine is restored!!
0
 

Author Comment

by:y2jk
ID: 26288721
Couldn't find the log so did another scan. It found another 20 or so items (a bit worrying!), here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3541
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/01/2010 23:12:07
mbam-log-2010-01-11 (23-12-07).txt

Scan type: Quick Scan
Objects scanned: 122107
Time elapsed: 10 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
0
 

Author Comment

by:y2jk
ID: 26288753
This is the result I got from virustotal.com after scanning my Malwarebytes log. It means nothing to me.

0
 

Author Comment

by:y2jk
ID: 26288785
Sorry, previous log was the ComboFix log. Here is the scanned Malwarebytes log.

 
Again, means nothing to me, so an explanation of what I should do next would be much appreciated.
0
 
LVL 22

Expert Comment

by:optoma
ID: 26290562
Sorry, just check these three files with Virustotal:
C:\umgwljsb.exe
c:\windows\system32\56B751A2AE.sys
c:\program files\Registry Helper\RegistryHelperService.exe
0
 

Author Comment

by:y2jk
ID: 26296937
I cannot find any of those 3 files on the system, even when searching "hidden" files and folders. Is that a problem, should they exist?
0
 
LVL 22

Expert Comment

by:optoma
ID: 26298280
They may have been already removed on Malwarebytes first scan, if Malwarebytes scanned after Combofix.

In case there is something else lurking, could you wait until Rpggamergirl reviews this thread and further advises you.
0
 

Author Comment

by:y2jk
ID: 26321332
Fair enough. Do you know when that is likely to be? I think the pc is sorted now (it "feels" fixed at least), but I am still wary of doing any financial work on it (internet banking, online shopping, etc) until I am assured there are no more tracker type viruses on it.

Is there anything else I should do, i.e. run HijackThis and post you the log?
0
 
LVL 22

Assisted Solution

by:optoma
optoma earned 1000 total points
ID: 26321483
Ok,
1-Attach Hijackthis logfile
http://go.trendmicro.com/free-tools/hijackthis/beta/HijackThis.msi

2-Run Eset online scanner
Check to "scan archives"

Under advanced options:
Have all three boxes checked

Attach its logfile
Location: C:\Program Files\EsetOnlineScanner\log.txt

Eset online scan http://www.eset.com/onlinescan/
0
 

Author Comment

by:y2jk
ID: 26321522
Thanks optoma. Will do, but won't be able to until tonight as I am at work at the moment.
0
 
LVL 22

Expert Comment

by:optoma
ID: 26321736
:)
0
 

Author Comment

by:y2jk
ID: 26327399
Here is the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 21:16:13, on 15/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Michael\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33ACA7F1-1FD4-443B-920A-8DF313E35224}: NameServer = 194.168.4.100,194.168.8.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11513 bytes
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 26327561
[X] - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
[?] - O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
[?] - O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
[?] - O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
[X] - O24 - Desktop Component 0: (no name) - (no file)
0
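One way to pick out the entries Tolomir marked above, as an added example rather than anything from this thread or from the HijackThis tool itself: a small Python triage script that parses the R1, O16 and O24 line formats of the log, flags a ProxyServer value pointing at a loopback or private address (the setting that makes every site "not found" on the infected PC), lists ActiveX (O16) downloads from hosts outside an allow-list, and flags orphaned desktop components. The allow-list and the sample lines are constructed for this example and are assumptions, not anything HijackThis ships.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.

Added example: not part of the original thread or of HijackThis.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse


@dataclass
class Finding:
    section: str   # HijackThis section code: "R1", "O16", "O24"
    severity: str  # "fix" (like the thread's [X]) or "review" (like [?])
    detail: str
    line: str


# Assumption for this example: hosts from which ActiveX (O16) downloads
# are expected on this machine. Anything else gets a "review" finding.
KNOWN_DPF_HOSTS = {
    "go.microsoft.com", "messenger.zone.msn.com", "spaces.msn.com",
    "gfx2.hotmail.com", "download.divx.com", "download.eset.com",
    "lads.myspace.com", "wwwimages.adobe.com", "platformdl.adobe.com",
}

# Constructed sample lines in the same format as the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
O24 - Desktop Component 0: (no name) - (no file)
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+?)\s*$")
DPF_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)\s*$"
)
ORPHAN_O24_RE = re.compile(r"^O24 - Desktop Component \d+: \(no name\) - \(no file\)\s*$")


def parse_proxy_hosts(value):
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=...') into hosts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                     # per-protocol form: scheme=host:port
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]"))
    return hosts


def is_local_proxy(host):
    """True for loopback, RFC1918 or link-local proxies: nothing legitimate on a home PC."""
    try:
        ip = ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def triage(log_text):
    """Return a list of Findings for the R1/O16/O24 lines in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if any(is_local_proxy(h) for h in parse_proxy_hosts(m["value"])):
                findings.append(Finding("R1", "fix",
                    f"IE proxy forced through a local address ({m['value']}); "
                    "browser traffic is being intercepted or blackholed", line))
            else:
                findings.append(Finding("R1", "review",
                    f"explicit proxy configured: {m['value']}", line))
            continue
        m = DPF_RE.match(line)
        if m:
            host = (urlparse(m["url"]).hostname or "").lower()
            if host not in KNOWN_DPF_HOSTS:
                findings.append(Finding("O16", "review",
                    f"ActiveX control {m['name'] or m['clsid']} from unlisted host {host}", line))
            continue
        if ORPHAN_O24_RE.match(line):
            findings.append(Finding("O24", "fix",
                "desktop component with no name and no file (orphaned entry)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```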
 
LVL 22

Expert Comment

by:optoma
ID: 26327628
When Eset's scanner is finished, Attach its logfile.

Then re-run Hijackthis with a new logfile to attach. Few entries in it which we can get back to if Eset doesn't resolve them :)
0
 

Author Comment

by:y2jk
ID: 26328438
Wow, that scan took a while. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b51064c0e0548e40825571b903d76cc0
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-15 09:26:29
# local_time=2010-01-15 09:26:29 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 8023 199882505 4565 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3753 3753 0 0
# scanned=309
# found=0
# cleaned=0
# scan_time=241
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b51064c0e0548e40825571b903d76cc0
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-15 11:31:38
# local_time=2010-01-15 11:31:38 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 8341 199882823 4883 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 4071 4071 0 0
# scanned=112017
# found=8
# cleaned=8
# scan_time=7431
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\31\3a71ea5f-612adffc      multiple threats (deleted - quarantined)      00000000000000000000000000000000      C
C:\Program Files\MSN Messenger\msimg32.dll      Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)      00000000000000000000000000000000      C
C:\Program Files\Windows Live\Messenger\riched20.dll      Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)      00000000000000000000000000000000      C
C:\Qoobox\Quarantine\C\Documents and Settings\Michael\Local Settings\Application Data\jymmku\ciaksysguard.exe.vir      Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined)      00000000000000000000000000000000      C
C:\Qoobox\Quarantine\C\Program Files\Uninstall Fun Web Products.dll.vir      Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)      00000000000000000000000000000000      C
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir      Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined)      00000000000000000000000000000000      C
C:\Qoobox\Quarantine\C\WINDOWS\system32\warning.html.vir      Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined)      00000000000000000000000000000000      C
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir      Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined)      00000000000000000000000000000000      C
0
 

Author Comment

by:y2jk
ID: 26328443
And here is the subsequent HijackThis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 23:35:32, on 15/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Michael\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} (IPSUploader4 Control) - https://as.photoprintit.de/ips-opdata/layout/default_cms01/activex/IPSUploader4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33ACA7F1-1FD4-443B-920A-8DF313E35224}: NameServer = 194.168.4.100,194.168.8.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11612 bytes
0
 
LVL 22

Assisted Solution

by:optoma
optoma earned 1000 total points
ID: 26328535
Thanks for those.
In Hijackthis, fix entries that Tolomir stated.

Then one more scanner (doesn't take too long!)
Hitman Pro http://www.surfright.nl/en/hitmanpro

Make note of any detections, if any
0
 

Author Comment

by:y2jk
ID: 26335902
OK, all done. The only thing noted was that Windows was using a proxy server to connect to the internet. When I clicked the "Next" button, it said "repaired". I ran it a second time, just to check, and it said "No threats found".

Can I now assume that my pc is "clean" and that I am safe to do financial transactions on it?
0
 
LVL 22

Expert Comment

by:optoma
ID: 26336007
Yeah, all should be good now.

1-Hit start, then run, type:
combofix /uninstall

2-You can uninstall Hitmanpro or leave it for its 30day trial period.

3-Get latest flash + java updates:
http://get.adobe.com/flashplayer/
http://www.java.com/

4-Get latest Windows Updates:
http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
0
 

Author Closing Comment

by:y2jk
ID: 31675261
Thank you so much for all the help and advice you have given me on this question.
0
 
LVL 22

Expert Comment

by:optoma
ID: 26339083
You're welcome.
0

Question has a verified solution.