Spyware or Malware on Win XP?


  • This topic is locked
20 replies to this topic

#1 radcox (Full Member, 11 posts)

Posted 06 July 2009 - 05:40 PM

Hello,

I received a strange pop-up with the message something like: "Warning your computer may be infected" when I clicked on a link from within the Google results to this site: www.xxxallsaints535.org/images/showthread.php?t=29740 <please do not post a link to bad site.

Then it jumped to another screen which looked as though it was running some sort of anti-virus scan, but none that I remember installing on my PC.

I closed down that window and came to this site because I don't know why it happened and whether I've been hijacked or not. I have used this site before, I have read the forum FAQ, followed the instructions including running Spybot which fixed 24 problems. Here is my MBAM report, Kaspersky report and HJT log:

Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 3

06/07/2009 08:03:05
mbam-log-2009-07-06 (08-03-05).txt

Scan type: Quick Scan
Objects scanned: 63152
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
________________________________________________________________________________

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 06, 2009 20:43:38
Records in database: 2433433
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 60562
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 03:05:16

No malware has been detected. The scan area is clean.
The selected area was scanned.
________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:06:27, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Iomega\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {1B735B98-8010-11D5-AD0B-00500463D885} (SearchCD Control) - http://www.partsaren...ns/IMIESRCH.cab
O16 - DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} (GrafixViewControl) - http://www.partsaren...ins/GFXVIEW.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130447109812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130484555468
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DA8F1B7-0B14-49CC-B3EF-260941BC1965}: NameServer = 194.72.9.38 194.74.65.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DA8F1B7-0B14-49CC-B3EF-260941BC1965}: NameServer = 194.72.9.38 194.74.65.68
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O24 - Desktop Component 0: (no name) - http://photos-785.ll...724362_9134.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Admin/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 10028 bytes

Edited by nasdaq, 07 July 2009 - 10:00 AM.
Bad link obfuscated.


#2 snemelk (Engineer, Expert, 3,098 posts)

Posted 07 July 2009 - 10:36 AM

Hi radcox!!.. :).

I received a strange pop-up with the message something like: "Warning your computer may be infected" when I clicked on a link from within the Google results to this site: ...

Then it jumped to another screen which looked as though it was running some sort of anti-virus scan, but none that I remember installing on my PC.

I closed down that window and came to this site because I don't know why it happened and whether I've been hijacked or not.

That's why it's good to take a closer look at search results before clicking any link... If you see that a link is going to take you to a page with such a suspicious address, it's better not to click it...
Also, what you described is a common way rogue antivirus programs are trying to get into your system... They lure you to believe your computer is infected and you have to install their 'great, effective' antivirus program... However, in most cases, if you don't download an installation file and don't run it, nothing bad happens... That's why I believe that your computer is not infected... Also, your logs look good to me - I will ask for another scan, though, to take a deeper look... :thumbsup:

Firstly,
Please download TFC.exe - Temp File Cleaner by OldTimer:
  • Save it to your Desktop.
  • Close any open windows, save your work,
  • Double click the TFC icon to run the program,
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process,
  • Allow TFC to run uninterrupted,
  • The program should not take long to finish its job,
  • Once it's finished, click OK to reboot.

Secondly,
You're running AVG Anti-Spyware 7.5... This program is very outdated and is no longer available as a stand-alone tool...
Go to Start > Control Panel double-click on Add or Remove Programs and uninstall AVG Anti-Spyware 7.5...

Also, I see that you're running two other antispyware real-time guards: Ad-Aware's Ad-Watch and Spybot - Search & Destroy's TeaTimer... This is not recommended as they can conflict with each other...
I suggest you disable one of them... If I may propose something, I'd disable Ad-Watch (disable TeaTimer if you paid for Ad-Aware... :)..)... Instructions for disabling those programs can be found in this thread...

Also, your Adobe Acrobat Reader is outdated... This can leave your PC open to vulnerabilities, you can update it here (uninstall version 7.0 first):
http://www.adobe.com.../readstep2.html

Finally, to take a deeper look:
We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.
    There shouldn't be any scheduled antivirus scans running while the scan is being performed.
    Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click Yes to the Optional_Scan
  • >>Follow the instructions that pop up for posting the results.<<
  • Close the program window, and delete the program from your Desktop.


snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
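As an added example (not a tool from this thread or from the forum's helpers), the script below does in code the kind of first pass a log reader makes over HijackThis O4, O17 and O23 lines: it flags autoruns and services whose executable lives under a user profile or a Temp directory, which is where a fake "online scan" installer would typically land if it had been run, and it flags DNS servers (O17) that are not the ones you expect. The sample log lines are constructed, the trusted-path prefixes and suspicious-path markers are my own heuristics, and the expected resolver set is passed in by the caller; the usage at the bottom takes the two addresses from the log above as the assumed-good set, which in practice you would confirm against the ISP's documentation.

```python
import re

# Heuristics (assumed, not from the thread): where legitimate autoruns live ...
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# ... and path fragments that a dropper pulled in by a fake scan page tends to use.
SUSPICIOUS_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                      "\\desktop\\", "\\documents and settings\\")

# O4 lines of the form:  O4 - HKLM\..\Run: [name] "C:\path\prog.exe" args
O4_RE = re.compile(
    r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] "?'
    r'(?P<path>[^"]+?\.(?:exe|dll|pif|scr|com|bat|cmd))"?', re.IGNORECASE)
# O23 lines:  O23 - Service: Display name (svc) - Vendor - C:\path\svc.exe
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*) - (?P<path>[a-z]:\\.+)$", re.IGNORECASE)
# O17 lines:  O17 - HKLM\System\CCS\...\{GUID}: NameServer = 1.2.3.4 5.6.7.8
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$", re.IGNORECASE)


def classify_path(path):
    """'suspicious' for profile/temp locations, 'ok' for the trusted roots, else 'unusual'."""
    p = path.lower()
    if any(marker in p for marker in SUSPICIOUS_MARKERS):
        return "suspicious"
    if p.startswith(TRUSTED_PREFIXES):
        return "ok"
    return "unusual"


def triage(lines, expected_dns):
    """Return (section, value, verdict) tuples for entries worth a second look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line) or O23_RE.match(line)
        if m:
            verdict = classify_path(m.group("path"))
            if verdict != "ok":
                findings.append((line.split(" ", 1)[0], m.group("path"), verdict))
            continue
        m = O17_RE.match(line)
        if m:
            for server in re.split(r"[ ,]+", m.group("servers").strip()):
                if server not in expected_dns:
                    findings.append(("O17", server, "unexpected DNS server"))
    return findings


# Constructed sample: two clean autoruns, one dropped into the user's Temp
# directory, the log's own resolvers plus a made-up second resolver, one
# vendor service and one service running out of Application Data.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [scanupd] C:\Documents and Settings\Admin\Local Settings\Temp\setup_scan.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DA8F1B7-0B14-49CC-B3EF-260941BC1965}: NameServer = 194.72.9.38 194.74.65.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DA8F1B7-0B14-49CC-B3EF-260941BC1965}: NameServer = 203.0.113.53
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: System Helper (syshlp) - Unknown owner - C:\Documents and Settings\Admin\Application Data\syshlp.exe
"""

if __name__ == "__main__":
    # Assumed-good resolvers: the two addresses from the log above.
    for section, value, verdict in triage(SAMPLE_LOG.splitlines(),
                                          {"194.72.9.38", "194.74.65.68"}):
        print(f"{section:4} {verdict:22} {value}")
```

A hit is a lead, not a verdict: an "unusual" path is often just software installed somewhere non-standard, and an empty result says nothing about what the scanners did not see, which is why the helper still asks for DDS and a rootkit scan.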

#3 radcox (Full Member, 11 posts)

Posted 08 July 2009 - 03:14 PM

Hi Snemelk,

Thanks for your help. I have run TFC, uninstalled AVG, disabled Ad-Watch (should I remove it as well? Should I also disable Online Armor or should I just leave that as it is?), updated Acrobat Reader and run DDS. Here is one of the logs but I don't know how to attach the other one:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Admin at 19:46:07.06 on 08/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.254.80 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Iomega\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
C:\Documents and Settings\Admin\Desktop\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CAPON] c:\windows\system32\spool\drivers\w32x86\3\CAPONN.EXE
mRun: [DSLSTATEXE] c:\program files\bt voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\bt voyager 105 adsl modem\dslagent.exe
mRun: [Drag'n'Drop_Autolaunch] "c:\program files\iomega\iomega hotburn pro\Autolaunch.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1B735B98-8010-11D5-AD0B-00500463D885} - hxxp://www.partsarena.com/baxi/Plugins/IMIESRCH.cab
DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} - hxxp://www.partsarena.com/baxi/Plugins/GFXVIEW.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130447109812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130484555468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {0DA8F1B7-0B14-49CC-B3EF-260941BC1965} = 194.72.9.38 194.74.65.68
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\o6f7q2ew.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-9-17 11840]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-9-20 80584]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-9-20 32456]
R1 OAnet;OAnet;c:\windows\system32\drivers\oanet.sys [2008-9-20 28872]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-9-17 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-9-17 151297]
R2 RapidPort;RapidPort;c:\windows\system32\drivers\CAPLPTN.SYS [2005-10-27 22912]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2008-9-20 5435968]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-9-17 52032]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-07-06 23:04 <DIR> --d----- c:\program files\Trend Micro
2009-07-05 23:15 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-05 23:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-05 23:11 <DIR> --d----- c:\program files\Lavasoft

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-07-02 17:02 30,040 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2008-09-07 21:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080825\index.dat
2008-09-07 21:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat
2008-09-13 21:01 8,964,128 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 19:49:48.96 ===============


Best wishes,

Radcox

#4 snemelk (Engineer, Expert, 3,098 posts)

Posted 08 July 2009 - 05:22 PM

Hi again radcox and thank you for the log!.. :).

and run DDS. Here is one of the logs but I don't know how to attach the other one

I see... No need for that second log, though... This shows enough info...

disabled Ad-Watch (should I remove it as well? Should I also disable Online Armor or should I just leave that as it is?

No, you can keep Ad-Aware and scan with it from time to time... :). Malwarebytes' Anti-Malware is a better program (in my opinion), though, and you can use it instead of Ad-Aware (I'm not sure if your copy is up-to-date?..)
You can keep Online Armor Firewall - it's a good program... :)..

Your DDS log indicates your antivirus program is outdated...
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

When you boot up, Avira should give you a possibility to update... If it doesn't, please open Avira control panel from the system tray or start menu, and perform an update of the program... Afterwards, please perform a full system scan...

Your DDS log looks ok to me... :thumbsup:

There is one entry messed up, though...

LSA: Notification Packages = scecli scecli scecli scecli scecli scecli

The easiest way to fix it is uninstalling Ad-Aware + registry fix... So, go to Start > Control Panel double-click on Add or Remove Programs and uninstall Ad-Aware...

Then,

Copy and paste this text IN BOLD into a text editor such as Notepad.

Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Then, you may reinstall Ad-Aware, if you want to... :).

Also, we need to update Java:

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version.

Also, for a final check-up:

Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

:thumbup:
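As an added example (not the helper's script, and it touches no registry), the Python below works with the REG_MULTI_SZ field from Fix.reg above: it decodes the "hex(7):" byte list, rebuilds the list with the duplicate scecli entries removed, re-encodes it, and lists any package name beyond the stock one. Each name in Notification Packages is a DLL that lsass.exe loads at boot and hands password changes to, so the useful check before writing a fix is that nothing other than the expected package is in there. The expected list defaults to scecli alone, which is the value a clean XP install carries; the "pwhook" name in the test is made up for illustration.

```python
REG_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def decode_hex7(field, utf16=False):
    """Decode a .reg 'hex(7):..' field into a list of strings.
    REG_MULTI_SZ is a run of NUL-terminated strings followed by one more NUL;
    REGEDIT4 files store the bytes as ANSI, 'Version 5.00' files as UTF-16LE."""
    if field.startswith("hex(7):"):
        field = field[len("hex(7):"):]
    field = field.replace("\\\n", "")            # undo .reg line continuations
    raw = bytes(int(b, 16) for b in field.split(",") if b.strip())
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]


def encode_hex7(items, utf16=False):
    """Inverse of decode_hex7: produce the comma-separated byte list."""
    text = "".join(s + "\x00" for s in items) + "\x00"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def dedupe_packages(items):
    """Drop repeated package names (case-insensitive), keeping the first of each."""
    seen, out = set(), []
    for name in items:
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


def unexpected_packages(items, expected=("scecli",)):
    """Names not on the expected list. Anything returned here is a DLL lsass.exe
    will load at boot, so account for it before you write the fix."""
    allowed = {e.lower() for e in expected}
    return [name for name in items if name.lower() not in allowed]


def build_fix_reg(items, utf16=False):
    """Render the .reg text in the same shape as the helper's Fix.reg."""
    header = "Windows Registry Editor Version 5.00" if utf16 else "REGEDIT4"
    return (f"{header}\n\n[{REG_PATH}]\n"
            f'"Notification Packages"={encode_hex7(items, utf16)}\n')


if __name__ == "__main__":
    # The value as the DDS log showed it (six copies of scecli), rebuilt:
    broken = ["scecli"] * 6
    print("unexpected:", unexpected_packages(broken))
    print(build_fix_reg(dedupe_packages(broken)))
```

The encoded output for a single scecli entry is exactly the 73,63,65,63,6c,69,00,00 sequence in the helper's Fix.reg, which is a quick way to confirm a hand-written fix before merging it.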

#5 radcox (Full Member, 11 posts)

Posted 09 July 2009 - 04:08 PM

Hi Snemelk,

Thanks again - I have done all those things and here is the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/09 21:58
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4579000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF97A1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mc21.tmp
Image Path: C:\WINDOWS\TEMP\mc21.tmp
Address: 0xF98F1000 Size: 2560 File Visible: No Signed: -
Status: -

Name: OADriver.sys
Image Path: C:\WINDOWS\system32\drivers\OADriver.sys
Address: 0xF4723000 Size: 143360 File Visible: No Signed: -
Status: -

Name: OAmon.sys
Image Path: C:\WINDOWS\system32\drivers\OAmon.sys
Address: 0xF9351000 Size: 40960 File Visible: No Signed: -
Status: -

Name: OAnet.sys
Image Path: C:\WINDOWS\system32\drivers\OAnet.sys
Address: 0xF9341000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3AB3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\antispam.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\firewall.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\fwdata.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\history.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\IPRanges.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\NoteBook.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\NoteBook.pak
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\oacached.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\programs.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\reference.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\SentList.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\server.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\signs.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\sites.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Tall Emu\Online Armor\unins000.dat
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\OADriver.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\OAmon.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\oanet.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\spybot - search & destroy\proccache.sbc
Status: Size mismatch (API: 55442, Raw: 55408)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472fc90

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47300c0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472f580

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47315d0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4732170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472f440

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47301f0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472dfd0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472dbd0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf982f7d4

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472ee10

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731c30

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731050

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47329e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47315b0

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47315c0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472fb00

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4732d50

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731990

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731200

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf982f7c0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472de00

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf982f7c5

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472fe00

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731590

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47315a0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731210

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472f7d0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47313d0

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472f1c0

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731580

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472ecc0

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf4731e90

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf47324d0

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472fa40

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472f300

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472f060

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472ef40

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf982f7cf

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf472eb50

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf982f7ca

==EOF==


Radcox
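
The SSDT section of a RootRepeal report like the one above can be triaged mechanically. The following is an added example, not part of the original post or of the RootRepeal tool: it parses entries in the report format shown above and separates hooks attributed to a named driver (in the posted log, Online Armor's OADriver.sys) from hooks whose owner RootRepeal reports as "<unknown>", then checks whether the unresolved hook targets fall in the same memory page. The embedded report is a constructed excerpt modelled on the posted log, not the log itself.

```python
"""Triage helper for RootRepeal SSDT output (added example, not RootRepeal code)."""
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report format, modelled on the log posted above.
SAMPLE_REPORT = """\
SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xf47315d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf982f7d4

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf982f7c0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xf47324d0

==EOF==
"""

# One SSDT entry spans two lines: the index/function line and the Status line.
SSDT_RE = re.compile(
    r'^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)\s*\n'
    r'Status:\s*Hooked by "(?P<owner>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.MULTILINE)

PAGE_MASK = ~0xFFF  # 4 KiB pages on 32-bit Windows XP

def parse_ssdt_hooks(report):
    """Every hooked SSDT entry as (index, function, owner, address)."""
    return [(int(m['index']), m['func'], m['owner'], int(m['addr'], 16))
            for m in SSDT_RE.finditer(report)]

def hooks_by_owner(report):
    """Hooked function names grouped by the module RootRepeal attributed them to."""
    grouped = defaultdict(list)
    for _, func, owner, _ in parse_ssdt_hooks(report):
        grouped[owner].append(func)
    return dict(grouped)

def unresolved_hooks(report):
    """Hooks whose owner RootRepeal could not resolve to a file on disk. Not
    proof of infection, but the entries a reviewer examines first, since a
    known security product's driver is normally reported by name."""
    return [(func, addr) for _, func, owner, addr in parse_ssdt_hooks(report)
            if owner == '<unknown>']

def unresolved_hook_pages(report):
    """Distinct memory pages the unresolved hook targets fall in; targets that
    share a page almost certainly belong to a single module."""
    return {addr & PAGE_MASK for _, addr in unresolved_hooks(report)}

if __name__ == '__main__':
    for owner, funcs in hooks_by_owner(SAMPLE_REPORT).items():
        print(f'{owner}: {len(funcs)} hook(s): {", ".join(funcs)}')
    print('unresolved hook pages:', [hex(p) for p in unresolved_hook_pages(SAMPLE_REPORT)])
```

Run it against a saved RootRepeal report by passing the file contents in place of SAMPLE_REPORT; a module named in the output can then be checked against the software the owner knowingly installed.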

#6 snemelk (Engineer; Expert; 3,098 posts)

Posted 09 July 2009 - 05:16 PM

Hi again!.. :).

Thanks, that log looks ok to me!!..

Please delete TFC, DDS, Fix.reg and RootRepeal (+settings.dat) from your Desktop...

Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer. :thumbup:

Also, I recommend you read Tony Klein's excellent article: How I got Infected in the First Place?

:wave:

#7 radcox (Member; Full Member; 11 posts)

Posted 10 July 2009 - 02:00 AM

Hi - excellent!

I have deleted those files - should I also uninstall/delete Hijack This?

And not sure whether I need to keep S&D resident - I have Online Armor - not sure if they're doing the same job or different?

Also, I now have a problem with IE - it doesn't work the first two times I try to open it and I have to force it to quit. It only works the third time I open it.

Thanks,

Radcox

#8 snemelk (Engineer; Expert; 3,098 posts)

Posted 10 July 2009 - 06:22 AM

Hi again!!.. :).

"I have deleted those files - should I also uninstall/delete Hijack This?"

No, not necessarily...

"And not sure whether I need to keep S&D resident - I have Online Armor - not sure if they're doing the same job or different?"

Online Armor is a firewall, in the first place... However, from what I can see, it can also block some applications from running... Spybot's TeaTimer, though, monitors processes and some places in the registry and asks you whether to accept a change in the registry or block a known malicious application from running... I would say, these two programs complement each other... Anyway, it's your decision if you want to keep Spybot's resident protection - if you don't mind clicking on TeaTimer's pop-ups when there is a change in the registry, keep it... :)..

"Also, I now have a problem with IE - it doesn't work the first two times I try to open it and I have to force it to quit. It only works the third time I open it."

That's strange... When did it start happening??..
Since you have version 7.0 of Internet Explorer installed, I would advise upgrading to version 8.0... It should be available from Windows Update or directly from this site: http://www.microsoft...er/default.aspx
Let me know if that new version works fine... :wave:

#9 radcox (Member; Full Member; 11 posts)

Posted 11 July 2009 - 04:33 AM

Hi Snemelk,

IE started playing up after I'd done TFC or DDS - can't remember which.

I have upgraded to IE 8 and still have the same problem.

Best wishes,

Radcox

#10 radcox (Member; Full Member; 11 posts)

Posted 12 July 2009 - 03:49 AM

Hi Snemelk,

Since my last post the IE start-up issue has resolved itself - I seem to have one issue around Google Notifier on PC start-up but I will see if that resolves and post again later today.

Thanks in the meantime,

Radcox

#11 radcox (Member; Full Member; 11 posts)

Posted 12 July 2009 - 01:53 PM

Hi Snemelk,

The problem I have on start up since installing IE 8 is that my firewall informs me (twice) that google wants to become the default homepage for IE and I can't seem to teach my firewall that this is fine (every time I "allow" and tell it to "remember" but it asks each time.)

Thanks,

Radcox

#12 screen317 (SWI Sentinel; Global Moderator; 8,813 posts)

Posted 15 July 2009 - 12:43 AM

Hi radcox,

snemelk is away and asked for someone to take over this log.


Since the issue is with a particular firewall, I recommend taking it up with their support forum; they probably have more insight into setting rules for their product than I do.

Let me know how it goes.

-screen317

Please consider donating to help support the continued prompt and excellent services of this site.


#13 radcox (Member; Full Member; 11 posts)

Posted 15 July 2009 - 04:00 AM

Hi

Thanks for helping me out I really appreciate it. I have uninstalled IE8 and reverted to IE 7 which is now working OK apart from being very slow.

I have run S&D which found "statcounter" and I asked it to fix this.

I'm not sure whether further investigation is needed now and I would welcome your advice.

Best wishes,

Radcox

#14 screen317 (SWI Sentinel; Global Moderator; 8,813 posts)

Posted 15 July 2009 - 05:03 PM

"statcounter" is just a cookie; nothing to be alarmed about...

Let's investigate potential causes of slowness.


Please register (it's free, don't worry) with PCPitStop and run the full tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

-screen317



#15 radcox (Member; Full Member; 11 posts)

Posted 17 July 2009 - 02:47 PM

Hi Screen317,

Here is my results page: http://www.pcpitstop...?conid=22396555

Radcox

#16 screen317 (SWI Sentinel; Global Moderator; 8,813 posts)

Posted 17 July 2009 - 03:50 PM

Hello,


PCPitStop noted several things that you can do to improve the shape your computer is in.

Pay particular attention to these items (in this order):


• Delete Temporary Files:

Please download CCleaner and save it to your desktop.
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Please do NOT run a scan yet!
Now, open CCleaner:
  • Click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • CHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


• Reduce System Restore space (Drive C):
Right click My Computer and click Properties. Select the System Restore tab, and move the slider to 3%. You're pretty much wasting disk space otherwise.


• Defragment files (Drive C)
Defragmenting is a must. It's one of the large reasons for system slowdowns. I use JkDefrag to defragment. You can use it forever. I recommend installing it and defragmenting as soon as possible.


• Update outdated device drivers:
Right click My Computer, click Properties, click the Hardware tab, and then click Device Manager. Update the drivers for your Sound card, Video card, Ethernet card. Use the trial of Driver Alert from PCPitStop (click • Update outdated device drivers), to see which drivers should be updated.


• Install more memory:
Your computer only has 256 MB of RAM. Upgrading RAM is one of the easiest ways to speed up your computer, for a relatively cheap price. 1GB of RAM is recommended for optimal performance of Windows XP.


Also take the time to take a look at the other tips PCPitStop reported. I've just highlighted some of the more important ones.


Let me know how it goes.

-screen317



#17 radcox (Member; Full Member; 11 posts)

Posted 18 July 2009 - 09:41 AM

Hi,

I have done all those things. Drivers all up to date. I don't understand the other things in the PCPitStop report. I have no idea what RAM looks like, so if installing memory has to be done by physically opening the PC, that one will have to wait.

Do you think I am free of spyware and other nasties now?

Thanks,

Radcox

#18 screen317 (SWI Sentinel; Global Moderator; 8,813 posts)

Posted 18 July 2009 - 02:34 PM

Hi Radcox,

Yes, installing RAM requires physically opening the case. In my opinion, the upgrade will do a lot of good for you, so I highly recommend considering it in the future when you have time.


Aside from that, yes it appears your system is clean of malware. Good work! :thumbup:


If you haven't already, please delete RootRepeal.


Take care. :)

-screen317



#19 radcox (Member; Full Member; 11 posts)

Posted 18 July 2009 - 06:29 PM

Screen317,

Thank you very much for your help - I really appreciate it.

Could you please let me know if I need to do anything to close this issue?

In case I don't hear from you, take care and best wishes,

Radcox

#20 screen317 (SWI Sentinel; Global Moderator; 8,813 posts)

Posted 18 July 2009 - 07:51 PM

Don't worry. I'll take care of closing the topic..

:wave:



#21 screen317 (SWI Sentinel; Global Moderator; 8,813 posts)

Posted 18 July 2009 - 07:51 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
