How to remove FraudTool.Win32.Spywarebot etc from Restore folder
pgran (Newbie)
6. July 2008 @ 23:08
Hello everyone,
Have spent most of today trying to clean up my PC (XP SP2) running various spyware and virus scans. Found out that I had unintentionally downloaded SpywareStop thinking it was a new version of SpyBot and want to get all of the associated files off of my machine. (Devious little bugger that SpywareStop--can't believe I fell for it!)
I downloaded Spybot and then uninstalled SpywareStop. Not 100% sure, but it appears to be gone (I read somewhere that it's impossible to uninstall it). But both Kaspersky and the spyware scan built into Comcast's toolbar (which I ran as a lark to see how effective it is) are finding some files in my Sys Restore folder that Spybot did not detect. Does anyone know how to get rid of these?
Here's the Kaspersky report on those files:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP113\A0121504.rbf
Infected: not-a-virus:FraudTool.Win32.SpywareBot.o skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0122490.rbf
Infected: not-a-virus:FraudTool.Win32.SpywareBot.m skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125436.dll
Infected: not-a-virus:FraudTool.Win32.SpywareStop.z skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125437.dll
Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.ei skipped
And here's what the Comcast scan detected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125436.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP135\A0125436.dll
I tried to research the FraudTool.Win32 files, but found next to nothing about them.
Thankfully, none of the scans picked up anything else except some cookies, items in NAV Internet Security quarantine and some unnecessary garbage in System StartUp.
I actually started all of this scanning because my system is too slow at startup. Takes a good 2 minutes before I can start running programs. Also if more than say 5 tabs are open in IE 7.0, it slows the whole system down and my machine starts whirring like a vacuum cleaner on its last legs--and it's a reasonably new machine which should be able to handle it, esp when I'm not trying to run anything else at the same time.
Anyway, I feel that those files are somehow related to SpywareStop, but I'm not sure. If anyone can tell me the best course of action to remove them from my Restore folder, or whether I SHOULD remove them, I would really appreciate it.
Thanks!
Technology- It mostly works.
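The question above comes down to which restore points hold the flagged files and whether the scanner could do anything about them. The script below is an added example (not from this thread or from Kaspersky) that parses report lines in the two-line layout quoted above, pulls the restore-point number out of each System Volume Information path and groups the detections by restore point. The sample input is the four report lines from the post; the regexes and function names are my own and assume that layout.

```python
import re
from collections import defaultdict

# Sample input: the four Kaspersky report lines quoted in the post above
# (constructed from the thread; nothing beyond those lines is assumed).
KASPERSKY_REPORT = """\
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP113\\A0121504.rbf
Infected: not-a-virus:FraudTool.Win32.SpywareBot.o skipped
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP115\\A0122490.rbf
Infected: not-a-virus:FraudTool.Win32.SpywareBot.m skipped
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP135\\A0125436.dll
Infected: not-a-virus:FraudTool.Win32.SpywareStop.z skipped
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP135\\A0125437.dll
Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.ei skipped
"""

# Layout of an XP restore-point path: <drive>:\System Volume Information\_restore{GUID}\RPnnn\<file>
RESTORE_PATH = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}"
    r"\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$"
)
# Verdict line that follows a path: "Infected: <detection name> <action>"
VERDICT = re.compile(r"^Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")


def parse_report(text):
    """Pair each path line with the verdict line that follows it.

    Returns a list of dicts. A path with no verdict line after it is still
    reported, with detection and action left as None (edge case handled
    rather than silently dropped).
    """
    findings = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERDICT.match(line)
        if m and pending is not None:
            pending.update(detection=m.group("name"), action=m.group("action"))
            findings.append(pending)
            pending = None
            continue
        if pending is not None:          # previous path had no verdict
            findings.append(pending)
        pending = {"path": line, "detection": None, "action": None}
        pm = RESTORE_PATH.match(line)
        if pm:
            pending.update(in_system_restore=True, restore_point=int(pm.group("rp")),
                           guid=pm.group("guid"), file=pm.group("file"))
        else:
            pending["in_system_restore"] = False
    if pending is not None:
        findings.append(pending)
    return findings


def findings_by_restore_point(findings):
    """Map restore point number -> detection names found inside that RP folder."""
    grouped = defaultdict(list)
    for f in findings:
        if f.get("in_system_restore"):
            grouped[f["restore_point"]].append(f["detection"])
    return dict(grouped)


def all_skipped_in_system_restore(findings):
    """True when every finding sits under System Restore and was only 'skipped':
    the situation in this thread, where purging old restore points (not deleting
    files by hand) is the remedy."""
    return bool(findings) and all(
        f.get("in_system_restore") and f["action"] == "skipped" for f in findings
    )


if __name__ == "__main__":
    results = parse_report(KASPERSKY_REPORT)
    for rp, names in sorted(findings_by_restore_point(results).items()):
        print(f"RP{rp}: {', '.join(names)}")
    print("only skipped files inside System Restore:", all_skipped_in_system_restore(results))
```

Run as-is it lists RP113, RP115 and RP135 with their detections, which is the information you need before deciding to drop the old restore points.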
pgran (Newbie)
6. July 2008 @ 23:32
PS: I also dl'd SmitFraudFix from a link on this site. Should I consider it a coincidence that the minute I started the dl, Norton Internet Security detected IEDefender also trying to install itself? I'm reading on another website that SmitFraud is another name for the Zlob Trojan. It seemed that a lot of posters here recommended it, so that's why I downloaded it. Norton supposedly removed IEDefender, but now I'm concerned about whether SmitFraud is legit! I'm also thinking Spybot should have stopped this download as I tweaked IE settings there to prevent unauthorized changes to my browser.
Anyhow, the report is below.
SmitFraudFix v2.329
Scan done at 20:13:57.50, Sun 07/06/2008
Run from C:\Documents and Settings\Lucy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lucy
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lucy\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Lucy\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.76.178
DNS Server Search Order: 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.66.196
HKLM\SYSTEM\CS2\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{52886935-A4F0-4BA3-B9D4-352E8CD91947}: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.66.196
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Technology- It mostly works.
AfterDawn Addict
7. July 2008 @ 00:58
Hi pgran,
Assuming you are clean of malware, except the traces left in the System Restore, do the following to purge it.
Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can re-infect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
If your Anti Virus still finds virus traces, you may need to do some deeper cleaning..
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
pgran (Newbie)
7. July 2008 @ 15:53
Hi 2OldGeek,
Thanks--I was going to do that, but wanted someone else to look at the scan logs and make sure it was the right thing. Did you happen to notice anything unusual in the SmitFraudFix scan? I'm not sure how to read it.
I re-ran a Norton full scan as well as a SpyBot full scan last night. Neither found anything. I could re-do the Kaspersky scan, but the scan log above took 2 hours to complete and those were the only suspicious files found yesterday afternoon. Think I'm safe to go for it, or should I dl and try some other programs first?
Technology- It mostly works.
AfterDawn Addict
7. July 2008 @ 16:04
Hey pgran,
I see nothing in your SmitFraud log that would be detrimental.
Sounds like you got it, but if you are still leery, just post a HJT log and I will look it over..
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
pgran (Newbie)
8. July 2008 @ 00:24
Will do, 2OG and will post as soon as I have a chance. Thanks much for the great assistance! If it weren't for user forums, even us Geeks In Training would be lost.
Technology- It mostly works.
pgran (Newbie)
8. July 2008 @ 04:58
2OG: HijackThis log is below. I don't think it found anything.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:55:54, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/...cat-no-eula.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1149540429296
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 12990 bytes
Technology- It mostly works.
AfterDawn Addict
8. July 2008 @ 06:08
Hey pgran,
You're clean, but it seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.
I recommend and use Avira AntiVir free.
Other than that, you're good to go.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
pgran (Newbie)
8. July 2008 @ 14:41
2OG,
I'm running Norton Internet Security with virus protection--total system hog. What did you mean about not having a virus scanner?
Technology- It mostly works.
AfterDawn Addict
8. July 2008 @ 15:03
Sorry, pgran, it was 6am and I had been up all night. I was working 5 threads and got a little mixed up. I'm OLD, give me a break... LOL
You're OK, do you have any problems??? If not, you're good to go..
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
pgran (Newbie)
8. July 2008 @ 15:12
LOL no worries! Had me nervous there for a minute. I'm going to run one last Spybot and Norton full scan (paranoia!), then I'll create a new restore point and run cleanup of the old ones.
I was now just checking through my Norton Security settings and found that it had been set NOT to scan the system volume folder. Hmmm, wonder how THAT happened?
Technology- It mostly works.
AfterDawn Addict
8. July 2008 @ 15:23
OK, hang in there and Safe Surfing...
Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
This is a great first line of defense. Check it out:
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
pgran (Newbie)
8. July 2008 @ 15:29
Originally posted by 2OG: This is a great first line of defense. Check it out:
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Thanks for the tip, I'll check it out. I think Spybot has something similar built into the IE tweaks settings.
Next up, I need to figure out what is slowing my machine down at startup..besides all this anti-spy, anti-malware, anti-virus stuff I have loaded!
Technology- It mostly works.
AfterDawn Addict
8. July 2008 @ 15:42
Yes, SB has it, but not as complete, and when you install MVPS, SB will merge with it and if it has any new sites they will be added to the list. MVPS updates about 1 or 2 times a month.
I have a Host file that contains about 70,000 blocked sites and I have never got a virus/Trojan from surfing the net. If a site is Bad, you won't be able to connect to it...
Like I said, check it out. Read the info on the site I gave you.
I use HostXpert to manage my Host file; it's available on the MVPS site also.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
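To make concrete what the two posts above describe (a HOSTS file that maps known-bad names to 127.0.0.1 so the machine never connects to them), here is an added example, not from this thread or from the MVPS project: a small parser for the HOSTS file format plus a lookup that applies the same first-match rule the resolver uses. The sample file is constructed in the MVPS layout with made-up host names; `SINKHOLES` and the function names are my own assumptions.

```python
import ipaddress

# Constructed sample in the MVPS layout: comments, the loopback entries, several
# blocked names on one line and an inline comment. Host names are invented.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample, not the real list)
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.example-malware.test   # blocked: known-bad site
127.0.0.1  tracker.example.test  cdn.tracker.example.test
0.0.0.0    sinkhole.example.test
"""

# Addresses a blocklist uses to send a name nowhere (assumption: MVPS uses
# 127.0.0.1 as the post says; 0.0.0.0 is the other common choice).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return an ordered list of (ip, hostname) pairs, hostnames lower-cased.

    Handles '#' comments (whole-line and inline) and several names per line.
    Malformed lines (unparsable IP, no hostname) are skipped rather than
    raising, which is how the resolver treats them too.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def lookup(entries, hostname):
    """First matching entry wins, as the resolver's hosts lookup does."""
    hostname = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def is_blocked(entries, hostname):
    """True when the name resolves to a sinkhole address via the HOSTS file."""
    ip = lookup(entries, hostname)
    return ip is not None and ip in SINKHOLES and hostname.lower().rstrip(".") != "localhost"


def blocked_hosts(entries):
    """Sorted list of every name the file sinkholes (localhost excluded)."""
    return sorted({name for ip, name in entries if ip in SINKHOLES and name != "localhost"})


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-malware.test", "www.example.test"):
        print(name, "->", lookup(hosts, name) or "not in HOSTS (goes to DNS)")
    print("blocked:", blocked_hosts(hosts))
```

Anything `lookup` returns None for falls through to normal DNS, which is exactly the behaviour being relied on: the file only changes where the listed names go.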
pgran (Newbie)
8. July 2008 @ 16:15
Ok, I managed to manually replace the original Hosts file with the MVPS Hosts file (it wouldn't do it automatically). But I'm having trouble understanding whether or not I need to change the DNS client service setting. It's currently set to Automatic. The instructions for getting this set up aren't terribly clear.
Technology- It mostly works.
pgran (Newbie)
8. July 2008 @ 16:21
PS: If it makes any difference, I do occasionally need to upload/publish webpages, etc. If I disable the DNS client service, will that prevent me from uploading to my sites? I also use Carbonite for file backup. Below is the log of all services running if it helps. I know there are services running I don't need/use, but it's hard for me to know which ones to disable.
Image Name PID Services
========================= ====== =============================================
System 4 N/A
SMSS.EXE 556 N/A
CSRSS.EXE 872 N/A
WINLOGON.EXE 896 N/A
SERVICES.EXE 940 Eventlog, PlugPlay
LSASS.EXE 952 PolicyAgent, ProtectedStorage, SamSs
SVCHOST.EXE 1140 DcomLaunch, TermService
SVCHOST.EXE 1208 RpcSs
SVCHOST.EXE 1332 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
dmserver, ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, srservice,
TapiSrv, Themes, TrkWks, w32time, winmgmt,
wscsvc, wuauserv, WZCSVC
SVCHOST.EXE 1496 Dnscache
SVCHOST.EXE 1584 LmHosts, RemoteRegistry, SSDPSRV, WebClient
ccSvcHst.exe 1660 ccEvtMgr, ccSetMgr, CLTNetCnService,
LiveUpdate Notice
explorer.exe 2004 N/A
LEXBCES.EXE 656 LexBceS
LEXPPS.EXE 684 N/A
spoolsv.exe 728 Spooler
AluSchedulerSvc.exe 1748 Automatic LiveUpdate Scheduler
CarboniteService.exe 1828 CarboniteService
MDM.EXE 1848 MDM
NPROTECT.EXE 264 NProtectService
NOPDB.exe 428 Speed Disk service
sprtsvc.exe 452 sprtsvc_dellsupportcenter
symlcsvc.exe 500 Symantec Core LC
wdfmgr.exe 540 UMWdf
FXSSVC.EXE 2292 Fax
WMIPRVSE.EXE 2680 N/A
smax4pnp.exe 3096 N/A
ALG.EXE 3300 ALG
DMXLauncher.exe 3320 N/A
tfswctrl.exe 3708 N/A
hpwuSchd2.exe 4080 N/A
ccSvcHst.exe 4084 N/A
hkcmd.exe 1608 N/A
igfxpers.exe 1684 N/A
ISUSPM.exe 1892 N/A
realsched.exe 2340 N/A
sprtcmd.exe 2348 N/A
CarboniteUI.exe 2756 N/A
GoogleDesktop.exe 2768 N/A
GoogleToolbarNotifier.exe 2776 N/A
TeaTimer.exe 2792 N/A
AcroTray.exe 4060 N/A
DLG.exe 3972 N/A
TrueAssistant.exe 2808 N/A
OUTLOOK.EXE 1492 N/A
WINWORD.EXE 124 N/A
iexplore.exe 1704 N/A
GoogleDesktop.exe 2864 N/A
Navw32.exe 3080 N/A
CMD.EXE 1816 N/A
TASKLIST.EXE 3584 N/A
C:\Documents and Settings\Lucy>
Technology- It mostly works.
This message has been edited since posting. Last time this message was edited on 8. July 2008 @ 16:32
AfterDawn Addict
8. July 2008 @ 16:34
oops wrong thread
hehe I was right the first time, just thought I was wrong. My first mistake lol

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
This message has been edited since posting. Last time this message was edited on 8. July 2008 @ 16:50
pgran
Newbie
8. July 2008 @ 16:37
Perfect! Thanks again for all your help. I threw my back out on Saturday at work, so I decided to use the downtime to get my machine straightened out. The more I learn, the more I don't know anything it would seem.
Technology- It mostly works.
AfterDawn Addict
8. July 2008 @ 16:48
I have been working about 10 different threads on 3 different forums and that's too much for an OLD Guy.. I'm gonna knock off some for a while, but this will be open if you have any more questions..
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
pgran
Newbie
9. July 2008 @ 01:33
Originally posted by 2oldGeek: I have been working about 10 different threads on 3 different forums and that's too much for an OLD Guy.. I'm gonna knock off some for a while, but this will be open if you have any more questions..
2OG
Hi 2OG, good that you actually rest sometimes! I just got home and reset the RP and flushed the old ones before I left. Didn't have time to do any extra scanning for those files, so I ran Kaspersky on the System Volume Information folder only--no nasties found. None in Comcast's Pest Patrol either, however that program is still detecting traces of SpywareStop in some of the registry (?) keys as follows:
"hkey_current_user\software\spywarestop\settings" value "alldrives" data "0"
"hkey_current_user\software\spywarestop\settings" value "scandeep" data "0"
I realize it's often impossible to completely remove all traces of a program. What do you think about these two hits? None of the other scanners I have picked it up.
Technology- It mostly works.
pgran
Newbie
9. July 2008 @ 02:00
PS: If you're still feeling generous towards my non-emergency, what do you reckon about the Active Connections log below? Anything troubling here? Ran from CMD --> netstat -ano to see what is listening.
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1244
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 1400
TCP 67.188.177.170:139 0.0.0.0:0 LISTENING 4
TCP 67.188.177.170:1235 77.67.126.83:80 CLOSE_WAIT 2424
TCP 67.188.177.170:1296 80.190.154.130:80 CLOSE_WAIT 2884
TCP 67.188.177.170:1299 209.68.48.119:80 CLOSE_WAIT 3256
TCP 67.188.177.170:1300 209.68.48.119:80 CLOSE_WAIT 3256
TCP 127.0.0.1:668 0.0.0.0:0 LISTENING 448
TCP 127.0.0.1:668 127.0.0.1:1049 ESTABLISHED 448
TCP 127.0.0.1:1037 0.0.0.0:0 LISTENING 3180
TCP 127.0.0.1:1049 127.0.0.1:668 ESTABLISHED 2744
TCP 127.0.0.1:1052 0.0.0.0:0 LISTENING 2044
TCP 127.0.0.1:4664 0.0.0.0:0 LISTENING 2884
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 956
UDP 0.0.0.0:4500 *:* 956
UDP 67.188.177.170:123 *:* 1380
UDP 67.188.177.170:137 *:* 4
UDP 67.188.177.170:138 *:* 4
UDP 67.188.177.170:1900 *:* 1572
UDP 127.0.0.1:123 *:* 1380
UDP 127.0.0.1:1102 *:* 3256
UDP 127.0.0.1:1900 *:* 1572
Technology- It mostly works.
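For anyone reading a listing like the one above as a defender, here is an added Python triage script; it is not code from this thread or from any of the tools mentioned. It parses the netstat -ano output quoted in the post and sorts each listening socket by whether another host could reach it (bound to 0.0.0.0 or the LAN address) or whether it is loopback-only (127.0.0.1, reachable only by processes on the same machine). The port labels are my own table of standard Windows service ports. The PIDs cannot be matched against the tasklist output earlier in the thread, since the two were captured in different sessions (only PID 4, the System process, is fixed on XP).

```python
"""Triage a pasted ``netstat -ano`` listing: which listening sockets another host
could reach (so the firewall is what protects them) versus loopback-only ones."""
import ipaddress
import re
from collections import defaultdict

# Input: the Active Connections listing quoted in the post above (XP, IPv4 only).
NETSTAT_OUTPUT = """\
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1244
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 1400
TCP 67.188.177.170:139 0.0.0.0:0 LISTENING 4
TCP 67.188.177.170:1235 77.67.126.83:80 CLOSE_WAIT 2424
TCP 67.188.177.170:1296 80.190.154.130:80 CLOSE_WAIT 2884
TCP 67.188.177.170:1299 209.68.48.119:80 CLOSE_WAIT 3256
TCP 67.188.177.170:1300 209.68.48.119:80 CLOSE_WAIT 3256
TCP 127.0.0.1:668 0.0.0.0:0 LISTENING 448
TCP 127.0.0.1:668 127.0.0.1:1049 ESTABLISHED 448
TCP 127.0.0.1:1037 0.0.0.0:0 LISTENING 3180
TCP 127.0.0.1:1049 127.0.0.1:668 ESTABLISHED 2744
TCP 127.0.0.1:1052 0.0.0.0:0 LISTENING 2044
TCP 127.0.0.1:4664 0.0.0.0:0 LISTENING 2884
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 956
UDP 0.0.0.0:4500 *:* 956
UDP 67.188.177.170:123 *:* 1380
UDP 67.188.177.170:137 *:* 4
UDP 67.188.177.170:138 *:* 4
UDP 67.188.177.170:1900 *:* 1572
UDP 127.0.0.1:123 *:* 1380
UDP 127.0.0.1:1102 *:* 3256
UDP 127.0.0.1:1900 *:* 1572
"""

# My own labels for well-known Windows service ports; other ports stay unlabelled.
PORT_LABELS = {
    123: "NTP (w32time)", 135: "RPC endpoint mapper", 137: "NetBIOS name service",
    138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB / CIFS",
    500: "IPsec IKE", 1900: "SSDP / UPnP discovery", 4500: "IPsec NAT traversal",
}

# proto, local ip, local port, foreign endpoint, optional state (UDP rows have none), pid
ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")


def exposure(local_ip):
    """Classify where a bound address can be reached from."""
    ip = ipaddress.ip_address(local_ip)
    if ip.is_loopback:
        return "loopback"        # only processes on this machine can connect
    if ip.is_unspecified:
        return "all interfaces"  # 0.0.0.0: every NIC, including the Internet-facing one
    return "network"             # bound to a specific non-loopback interface


def listening_sockets(text):
    """Sockets that accept unsolicited traffic: TCP in LISTENING state and every
    bound UDP socket (UDP has no connection state to filter on)."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header lines and anything the pattern does not recognise
        proto, ip, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / CLOSE_WAIT rows are existing connections, not listeners
        found.append({"proto": proto, "ip": ip, "port": int(port), "pid": int(pid),
                      "exposure": exposure(ip), "label": PORT_LABELS.get(int(port), "")})
    return found


def exposed_ports(text, proto):
    """Ports of one protocol that another host could reach, firewall permitting."""
    return sorted(s["port"] for s in listening_sockets(text)
                  if s["proto"] == proto and s["exposure"] != "loopback")


def loopback_ports(text, proto):
    """Ports bound to 127.0.0.1 only; unreachable from the network."""
    return sorted(s["port"] for s in listening_sockets(text)
                  if s["proto"] == proto and s["exposure"] == "loopback")


def report(text):
    """Human-readable triage grouped by PID, network-reachable sockets listed first."""
    by_pid = defaultdict(list)
    for s in listening_sockets(text):
        by_pid[s["pid"]].append(s)
    lines = []
    for pid in sorted(by_pid):
        lines.append(f"PID {pid}:")
        for s in sorted(by_pid[pid], key=lambda s: s["exposure"] == "loopback"):
            note = f" ({s['label']})" if s["label"] else ""
            lines.append(f"  {s['proto']} {s['ip']}:{s['port']}{note} - {s['exposure']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NETSTAT_OUTPUT))
```

Run as-is it prints a per-PID summary; the rows that matter for the firewall question are the eight network-reachable TCP ports and UDP bindings (RPC, SMB, NetBIOS, NTP, IKE, SSDP), while the 127.0.0.1 entries are local helper ports that no other host can talk to. The CLOSE_WAIT rows to port 80 are outbound web connections that have not been fully closed yet, not listeners.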
AfterDawn Addict
9. July 2008 @ 02:30
Traces can't do anything.. They are picked up by the wannabe malware scanners to get you to buy their paid version. Just FP's (False Positives).
The only two scanners used by the Malware removal sites right now are SuperAntiSpyware and Malwarebytes' Anti-Malware and if either one of those finds anything, it will delete it. Anything left can be removed with the bigger guns like combofix (not to be used by a novice).
You have a barrel full of programs that are listening, all the time. With a good firewall installed, they don't hear anything.. : )
If you have a problem with malware then run one of the two scanners I mentioned and if that doesn't clear it, just drop me a log... ; )
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...