
How to clean an Infected PC

Define Infected PC:

My definition of an infected computer is one that carries a virus, a worm, a trojan or some spyware. It may well be infected with all of these at once... god bless that user ;)

How do you know if you are infected?

There are no hard and fast rules, but the most common symptoms of an infection are:

  1. Your PC gets very slow overnight or within 2-3 days.
  2. Your hard disk space magically fills up.
  3. The default homepage of your browser changes to some weird address.
  4. You get popups or alerts at random.
  5. You can NOT enable the option to “view hidden and system files”: the setting refuses to stick, because the malware keeps resetting the registry value behind it.
  6. When you double-click your drive icon or USB drive icon, you get an “Open With” dialog box instead of the drive contents, because an autorun.inf on the drive points at a launcher file that is no longer there.
  7. An unknown, random toolbar gets installed in your browser.
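Two of those symptoms have a mechanism you can check directly, and the Python below does so. It is an added example, not part of the original post. Symptom 5 is usually the worm resetting the Explorer value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0, or rewriting it as a REG_SZ string that Explorer ignores, so the radio button never sticks. Symptom 6 is an autorun.inf at the drive root whose launch target (open=, shellexecute= or shell\<verb>\command=) no longer exists, typically because an antivirus removed the payload but left the autorun.inf behind, so Explorer has nothing to run and asks what to open the drive with. The decision logic is pure Python and runs anywhere; the live registry read and the drive walk run only on Windows. SAMPLE_AUTORUN is a constructed file and the RECYCLER\launcher.exe name in it is made up.

```python
"""Concrete checks for symptoms 5 and 6 above.

Added example, not part of the original post. Symptom 5 (the "show hidden
files" option will not stay enabled) is usually a worm resetting the
Explorer value SHOWALL\\CheckedValue to 0, or rewriting it as a REG_SZ
string that Explorer ignores. Symptom 6 (double-clicking a drive gives
"Open With") is an autorun.inf at the drive root whose launch target no
longer exists. The decision logic is pure and runs anywhere; the registry
read and the drive walk run only on Windows. SAMPLE_AUTORUN is constructed.
"""
import os
import re
import sys

REG_SZ, REG_DWORD = 1, 4  # winreg value-type codes
SHOWALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# Constructed autorun.inf in the style USB worms drop; RECYCLER\launcher.exe is a made-up name.
SAMPLE_AUTORUN = """\
[AutoRun]
;junk line a parser must tolerate
open=RECYCLER\\launcher.exe
shellexecute=RECYCLER\\launcher.exe
shell\\Open\\command=RECYCLER\\launcher.exe /s
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
[Other]
open=ignored.exe
"""


def parse_autorun_inf(text):
    """Entries of the [autorun] section as a lowercase-key dict; junk and other sections are skipped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Command lines Explorer may run on double-click: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]


def executable_of(command):
    """Executable part of a command line: the quoted path if present, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def autorun_verdict(entries, exists):
    """Diagnose the 'Open With' symptom; exists(path_relative_to_drive) -> bool is injected for testing."""
    targets = sorted({executable_of(t) for t in launch_targets(entries)})
    if not targets:
        return "no launch entries"
    missing = [t for t in targets if not exists(t)]
    if missing:
        return "launch target missing: " + ", ".join(missing) + " (this is what produces the Open With dialog)"
    return "launch targets present: " + ", ".join(targets)


def showall_tampered(value, value_type):
    """Healthy is REG_DWORD 1; a 0, or a "1" stored as REG_SZ, keeps the radio button from sticking."""
    return not (value_type == REG_DWORD and value == 1)


def live_check():
    """Windows only: read the real CheckedValue and inspect autorun.inf on every mounted drive."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHOWALL_KEY) as key:
        value, vtype = winreg.QueryValueEx(key, "CheckedValue")
    print("SHOWALL\\CheckedValue =", repr(value), "TAMPERED" if showall_tampered(value, vtype) else "ok")
    for letter in "CDEFGHIJKLMNOPQRSTUVWXYZ":
        root = letter + ":\\"
        inf = os.path.join(root, "autorun.inf")
        if os.path.isdir(root) and os.path.isfile(inf):  # hidden+system files are still reported here
            with open(inf, encoding="latin-1", errors="replace") as fh:
                entries = parse_autorun_inf(fh.read())
            print(inf, "->", autorun_verdict(entries, lambda p, r=root: os.path.exists(os.path.join(r, p))))


if __name__ == "__main__":
    if sys.platform == "win32":
        live_check()
    else:  # off Windows, show the logic on the constructed sample
        print(autorun_verdict(parse_autorun_inf(SAMPLE_AUTORUN), lambda p: False))
```

Run it as an administrator on the suspect machine. If CheckedValue reports TAMPERED, set it back to a REG_DWORD of 1 after the cleanup; a stale autorun.inf is usually marked hidden and system, so clear those attributes (attrib -s -h -r X:\autorun.inf) before deleting it from the drive root.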

How to clean the PC?

Now that's a million dollar question :) I understand that installing antivirus software may slow your PC down by a fraction, but trust me, it is still very important to have it in place before you go online. In fact, antivirus alone is ineffective in today's Web 2.0 world; you need antivirus, anti-spyware and a basic firewall. I would advise you to use AVG Free 8.

However, if you are already infected, chances are the malware will not let you download and/or update any antivirus software. No worries, thanks to ComboFix. It is an amazing free tool for cleaning up your PC: run it and within about 10 minutes your PC is as clean as new. It makes deep changes (it deletes files, removes registry loading points and reboots the machine) and it writes a report of everything it deleted and every file created in the last month; read that report rather than assuming the box is clean. Once ComboFix has done its job, don't forget to install and update antivirus software (preferably AVG Free 8).

May the forces of AVG be with you :)

PS: If you found this post helpful, you may also want to read “How to speed up your PC”.


4 Comments so far

  1. Hi Nadia,

    Well, ComboFix has done its job; your PC is clean now!

    This file is nothing but a log file. Take it more like a report card. As you can see, it tells you which files have been deleted from your system and which files were created after the previous scan.

    Now, I would suggest that you install some good antivirus and update it ASAP.

    Take care,
    Rochak Chauhan

    Posted by rochakchauhan (INDIA, Windows Vista, Mozilla Firefox 2.0.0.16) on September 6th, 2008 at 8:59 AM
  2. Hi Rochak,

    Here is my file after the scan completed. Please let me know what I should do now.

    Thanks for your help.

    ComboFix 08-09-04.09 - Nadia Olson 2008-09-05 13:21:12.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1412 [GMT 2:00]
    Running from: C:\Documents and Settings\Nadia Olson\My Documents\Downloads\ComboFix.exe
    * Created a new restore point

    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\jestertb.dll
    C:\WINDOWS\system32\bafxtokn.ini
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\dbfb.dll
    C:\WINDOWS\system32\sAdLknnn.ini
    C:\WINDOWS\system32\sAdLknnn.ini2
    C:\WINDOWS\system32\xmjafuld.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
    .

    2008-09-05 13:01 . 2006-04-12 10:40 270,336 --a------ C:\WINDOWS\system32\cximagecrt.dll
    2008-09-05 13:00 . 2008-09-05 13:01 d-------- C:\Program Files\Rohos
    2008-09-03 16:17 . 2008-09-04 13:46 d-------- C:\WINDOWS\system32\CatRoot2
    2008-09-03 15:38 . 2008-09-03 15:38 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-09-03 14:45 . 2008-09-03 14:45 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 14:45 . 2008-09-03 14:45 d-------- C:\Documents and Settings\Nadia Olson\Application Data\Malwarebytes
    2008-09-03 14:45 . 2008-09-03 14:45 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 14:45 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-03 14:45 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 14:01 . 2008-09-03 14:01 d--h----- C:\WINDOWS\PIF
    2008-09-03 13:01 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-09-03 13:01 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-09-03 13:01 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-09-03 13:01 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-09-03 13:01 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-09-03 13:01 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-09-03 13:01 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-09-03 13:01 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-09-03 13:01 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-09-03 12:31 . 2008-09-03 12:31 d-------- C:\Program Files\PcPrivacySoftware.com
    2008-09-03 11:54 . 2008-09-03 15:59 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-09-03 11:53 . 2008-09-03 11:53 d-------- C:\Program Files\Common Files\iS3
    2008-09-03 11:53 . 2008-09-03 16:24 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-09-01 13:25 . 2008-09-01 13:25 d-------- C:\Program Files\CCleaner
    2008-09-01 10:59 . 2008-09-01 10:59 d-------- C:\Program Files\Alwil Software
    2008-09-01 09:49 . 2008-09-01 09:49 d-------- C:\Program Files\K-Lite Codec Pack
    2008-08-31 20:51 . 2008-08-31 20:51 d-------- C:\Program Files\Tools
    2008-08-31 20:51 . 2008-08-31 20:51 d-------- C:\Program Files\Setup
    2008-08-31 20:51 . 2008-08-31 20:51 d-------- C:\Program Files\Manual
    2008-08-31 18:38 . 2008-08-31 18:38 d-------- C:\Program Files\Windows Defender
    2008-08-31 18:38 . 2008-08-31 18:38 d-------- C:\Documents and Settings\Nadia Olson\Application Data\Sammsoft
    2008-08-31 18:37 . 2008-08-31 18:38 d-------- C:\Program Files\Advanced Registry Optimizer
    2008-08-31 18:37 . 2008-08-31 18:37 d-------- C:\Documents and Settings\Nadia Olson\Application Data\HouseCall 6.6
    2008-08-31 14:48 . 2008-08-31 18:35 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-08-31 11:30 . 2008-08-31 18:35 d-------- C:\Program Files\AskBarDis
    2008-08-31 10:39 . 2008-08-31 18:36 d-------- C:\Program Files\Advanced Registry Optimizer(2)
    2008-08-31 10:39 . 2008-08-31 18:36 d-------- C:\Documents and Settings\Nadia Olson\Application Data\Sammsoft(2)
    2008-08-30 20:23 . 2008-08-31 18:37 d-------- C:\Documents and Settings\Nadia Olson\Application Data\Spyware Terminator
    2008-08-30 18:30 . 2008-08-31 18:37 d-------- C:\Program Files\Windows Live Safety Center
    2008-08-27 15:57 . 2008-08-27 15:57 4,207,584 --a------ C:\Documents and Settings\Front view of House for Sale (2).jpg
    2008-08-27 15:56 . 2008-08-27 15:56 964,909 --a------ C:\Documents and Settings\Front view of House for Sale.jpg
    2008-08-26 16:46 . 2008-08-31 18:38 d-------- C:\Program Files\Windows Defender(2)
    2008-08-25 09:46 . 2008-08-25 09:46 5,769 --a------ C:\WINDOWS\system32\machpcdg.dll
    2008-08-25 09:07 . 2008-09-01 09:26 5,512 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-24 19:28 . 2008-03-02 03:28 206,608 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
    2008-08-24 08:23 . 2008-08-24 08:23 5,769 --a------ C:\WINDOWS\system32\tfjcevno.dll
    2008-08-23 22:42 . 2008-08-23 22:42 5,759 --a------ C:\WINDOWS\system32\jlpovhpg.dll
    2008-08-22 12:47 . 2008-08-22 12:47 d-------- C:\Program Files\XP Codec Pack
    2008-08-16 18:18 . 2008-08-16 18:18 d-------- C:\Program Files\Sun
    2008-08-13 15:37 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-13 15:36 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-06 13:20 . 2008-08-07 12:00 d-------- C:\Program Files\EasyVideoConvert
    2008-08-06 13:20 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
    2008-08-06 13:20 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
    2008-08-06 13:20 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
    2008-08-06 13:20 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
    2008-08-05 08:57 . 2008-08-05 08:57 d-------- C:\WINDOWS\system32\Lang
    2008-08-05 08:57 . 2006-11-10 09:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
    2008-08-05 08:56 . 2008-08-05 08:56 d-------- C:\Documents and Settings\Nadia Olson\Application Data\InstallShield

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-05 21:26 --------- d-----w C:\Documents and Settings\Nadia Olson\Application Data\skypePM
    2008-09-05 21:25 --------- d-----w C:\Documents and Settings\Nadia Olson\Application Data\Skype
    2008-09-05 21:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-05 21:23 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
    2008-09-05 21:23 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
    2008-09-05 10:48 --------- d-----w C:\Program Files\7-Zip
    2008-09-04 15:13 --------- d-----w C:\Program Files\Dl_cats
    2008-09-04 11:30 --------- d-----w C:\Program Files\Trend Micro
    2008-09-03 09:46 --------- d-----w C:\Program Files\MSECache
    2008-09-02 16:58 --------- d-----w C:\Documents and Settings\Nadia Olson\Application Data\uTorrent
    2008-09-01 11:25 --------- d-----w C:\Program Files\Yahoo!
    2008-08-31 18:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-31 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-08-27 06:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-23 15:49 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-21 06:33 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-16 16:17 --------- d-----w C:\Program Files\Java
    2008-08-11 08:57 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-08-06 13:08 --------- d-----w C:\Program Files\MyPublisher
    2008-08-02 11:57 --------- d-----w C:\Documents and Settings\Nadia Olson\Application Data\vlc
    2008-08-02 11:53 --------- d-----w C:\Program Files\VideoLAN
    2008-08-02 11:00 --------- d-----w C:\Program Files\iTunes
    2008-08-02 10:59 --------- d-----w C:\Program Files\iPod
    2008-07-30 09:04 --------- d-----w C:\Documents and Settings\Guest\Application Data\MSN Search Toolbar
    2008-07-30 08:54 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
    2008-07-27 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-07-27 09:52 --------- d-----w C:\Program Files\DVD Shrink
    2008-07-27 09:52 --------- d-----w C:\Program Files\DVD Decrypter
    2008-07-26 12:09 --------- d-----w C:\Program Files\Digital Line Detect
    2008-07-26 11:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-26 11:45 --------- d-----w C:\Program Files\ItsDeductibleEX
    2008-07-26 11:43 --------- d-----w C:\Program Files\Dell
    2008-07-26 11:22 --------- d-----w C:\Program Files\Western Digital Technologies
    2008-07-25 09:21 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
    2008-07-25 09:21 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
    2008-07-25 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
    2008-07-20 09:54 --------- d-----w C:\Program Files\Microsoft Baseline Security Analyzer 2
    2008-07-18 18:10 --------- d-----w C:\Program Files\QuickTime
    2008-07-18 17:08 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
    2008-07-18 17:08 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
    2008-07-18 16:51 1,195,448 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
    2008-07-18 08:51 --------- d-----w C:\Program Files\MSN Messenger
    2008-07-17 21:06 --------- d-----w C:\Program Files\Microsoft Office Outlook Connector
    2008-07-17 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2008-07-17 10:26 --------- d-----w C:\Program Files\Microsoft
    2008-07-15 09:16 --------- d-----w C:\Program Files\Google
    2008-07-09 10:35 --------- d-----w C: \Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-08 15:54 --------- d-----w C:\Documents and Settings\Nadia Olson\Application Data\Uniblue
    2008-07-08 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
    2008-07-08 09:04 --------- d-----w C:\Program Files\Common Files\LogiShrd
    2008-07-08 09:03 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
    2008-07-08 09:03 --------- d-----w C:\Program Files\Logitech
    2008-07-08 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-07-07 11:31 22 ----a-w C:\Program Files\WinRar v3.8.x Patch.zip
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-24 08:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-05-12 15:08 61,224 ----a-w C:\Documents and Settings\Nadia Olson\GoToAssistDownloadHelper.exe
    2008-03-03 15:43 32 ------w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2008-02-25 21:07 18,725 ----a-w C:\Program Files\Readme.txt
    1998-11-17 08:36 6,715 ----a-r C:\Program Files\bizflyer.htm
    1998-10-16 12:14 48,738 ----a-r C:\Program Files\re10half.GIF
    1998-10-16 12:14 37,784 ----a-r C:\Program Files\re09graf.GIF
    1998-10-15 15:42 17,151 ----a-r C:\Program Files\re00exam.GIF
    1998-10-15 15:21 22,904 ----a-r C:\Program Files\re07flyr.GIF
    1998-10-15 15:17 23,468 ----a-r C:\Program Files\re06coll.GIF
    1998-10-15 15:15 12,123 ----a-r C:\Program Files\re05fram.GIF
    1998-10-15 14:11 7,036 ----a-r C:\Program Files\re04Baft.GIF
    1998-10-15 14:08 6,634 ----a-r C:\Program Files\re04Abfr.GIF
    1998-10-15 14:06 19,926 ----a-r C:\Program Files\re03clon.GIF
    1998-10-15 14:01 20,334 ----a-r C:\Program Files\re02crop.GIF
    1998-10-15 13:47 23,485 ----a-r C:\Program Files\re00befr.GIF
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77D7E795-33C5-4323-974D-A2A49AB75517}]
    2008-08-31 20:11 133616 --a----t- C:\Program Files\Google\Update\1.2.131.11\GoopdateBho.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2008-04-09 2135168]
    "Google Update"="C:\Documents and Settings\Nadia Olson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-08-31 133104]
    "Rohos"="C:\Program Files\Rohos\agent.exe" [2008-07-11 771392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-25 1393928]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
    "dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-10 106496]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "DLBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
    "TMWebProtectTray"="C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtectTray.exe" [2008-05-13 288136]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
    "CTHelper"="CTHELPER.EXE" [2004-03-11 C:\WINDOWS\system32\CTHELPER.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-08-02 7168]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-07-08 66864]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
    Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 19:10:04 238080]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3fhg"= mp3fhg.acm
    "VIDC.X264"= x264vfw.dll
    "VIDC.HFYU"= huffyuv.dll
    "vidc.i263"= i263_32.drv
    "VIDC.YV12"= yv12vfw.dll
    "msacm.ac3filter"= ac3filter.acm
    "msacm.divxa32"= divxa32.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\WINDOWS\\system32\\dlbxcoms.exe"=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbxPSWX.EXE"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msncall.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
    R2 RHDISK;RHDISK;C:\Program Files\Rohos\RHDISK.SYS [2008-05-02 35136]
    R2 TMWebProtect;Trend Micro Web Protection Add-On Service;C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtect.exe [2008-05-13 595328]
    R3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
    S2 gupdate1c8e65b56deb04a;Google Update Service (gupdate1c8e65b56deb04a);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-31 133104]
    S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 95232]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
    S3 USB28xxBGA;USB 2861 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-02-08 217216]
    S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-02-08 17792]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{DE6FE096-397D-4883-B83C-EDB532855D35} - (no file)

    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Nadia Olson\Application Data\Mozilla\Firefox\Profiles\7v6xtqy3.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
    FF -: plugin - C:\Program Files\Google\Update\1.2.131.11\npGoogleOneClick5.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npagent.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-05 23:24:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dlbxcoms.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-05 23:28:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-05 21:28:29

    Pre-Run: 12,011,565,056 bytes free
    Post-Run: 12,129,734,656 bytes free

    328 --- E O F --- 2008-08-21 09:01:26

    Posted by Nadia (Windows XP, Google Chrome 0.2.149.27) on September 6th, 2008 at 3:21 AM
  3. I give you the same regards, and again thank you.

    Posted by Thinh Vu (UNITED STATES, Windows XP, Google Chrome 0.2.149.27) on September 5th, 2008 at 12:34 AM
  4. Thanks for the suggestion on ComboFix; this article is really great and detailed. I'll put a link to it on the post instead of ComboFix.

    Posted by Thinh Vu (UNITED STATES, Windows XP, Google Chrome 0.2.149.27) on September 4th, 2008 at 4:28 PM
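The ComboFix report Nadia pasted above is what Rochak calls a report card, and actually reading it is the step most people skip. The Python below is an added example, not ComboFix's own code and not a substitute for a person going through the report: it parses the sections a helper reads first (Files Created, the Run-key loading points, the Security Center monitoring flags and the Windows Firewall exception lists) and prints the entries worth looking up by hand. SAMPLE_REPORT is a constructed excerpt in the report's format; every file name, port and Run entry in it is made up, and the heuristics (eight-letter lowercase names dropped into system32, Run entries without a full path or under the user profile, TCP 135 open to the world, Security Center monitoring switched off) yield review candidates, not verdicts.

```python
"""Triage a ComboFix report (C:\\ComboFix.txt) the way a forum helper reads one.

Added example, not ComboFix's own code; its output is a list of entries to
look up by hand, not a verdict. It parses the "Files Created" list, the
Run-key loading points, the Security Center monitoring flags and the
Windows Firewall exception lists. SAMPLE_REPORT is a constructed excerpt
in the report's format; every file name, port and Run entry is made up.
"""
import ntpath
import re
import sys

SAMPLE_REPORT = """\
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.
2008-09-03 14:45 . 2008-09-02 00:16 17,200 --a------ C:\\WINDOWS\\system32\\drivers\\mbam.sys
2008-09-01 13:25 . 2008-09-01 13:25 d-------- C:\\Program Files\\CCleaner
2008-08-25 09:46 . 2008-08-25 09:46 5,769 --a------ C:\\WINDOWS\\system32\\qhvzmlkd.dll
2008-08-13 15:37 . 2008-05-01 16:33 331,776 --------- C:\\WINDOWS\\system32\\dllcache\\msadce.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Skype"="C:\\Program Files\\Skype\\Phone\\Skype.exe" [2008-05-30 21718312]
"Updater"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\upd.exe" [2008-09-01 28672]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-11 C:\\WINDOWS\\system32\\CTHELPER.EXE]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\ExampleAV]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                  # (((( Section name ))))
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-A-Za-z]{9}) (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"\[]*?)"?\s*(?:\[.*\])?$')  # "name"="data" [date size]
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe|sys|ini|ini2)$")  # eight lowercase letters, no digits
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")
RISKY_PORTS = {"135:TCP": "RPC endpoint mapper", "139:TCP": "NetBIOS session", "445:TCP": "SMB"}


def parse_report(text):
    """{'created': [(path, size or None, attrs)], 'values': {registry key: [(name, data)]}}."""
    report, section, key = {"created": [], "values": {}}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif section and section.startswith("Files Created") and (m := FILE_RE.match(line)):
            size = int(m.group("size").replace(",", "")) if m.group("size") else None
            report["created"].append((m.group("path"), size, m.group("attrs")))
        elif section == "Reg Loading Points":
            if m := KEY_RE.match(line):
                key = m.group(1)
                report["values"].setdefault(key, [])
            elif key and (m := VALUE_RE.match(line)):
                report["values"][key].append((m.group(1), m.group(2).strip()))
    return report


def triage(report):
    """Heuristics a helper applies by eye; each hit is something to look up, not a conviction."""
    findings = []
    for path, size, _attrs in report["created"]:
        low = path.lower()
        if (ntpath.dirname(low) in SYSTEM_DIRS and RANDOM_NAME_RE.match(ntpath.basename(low))
                and (size or 0) < 64 * 1024):
            findings.append(f"review: small, randomly named file in a system directory: {path} ({size} bytes)")
    for key, values in report["values"].items():
        klow, product = key.lower(), key.rsplit("\\", 1)[-1]
        if klow.endswith("\\currentversion\\run"):
            for name, target in values:
                if "\\" not in target:
                    findings.append(f"review: Run entry '{name}' is an unqualified name ({target}), resolved through PATH")
                elif any(marker in target.lower() for marker in USER_WRITABLE):
                    findings.append(f"review: Run entry '{name}' launches from a user-writable location: {target}")
        elif klow.endswith("globallyopenports\\list"):
            for name, _data in values:
                if name in RISKY_PORTS:
                    findings.append(f"exposure: {name} ({RISKY_PORTS[name]}) is globally open in Windows Firewall")
            if len(values) > 5:
                findings.append(f"exposure: {len(values)} ports globally open; find out which product added them")
        elif "\\security center\\monitoring\\" in klow:
            if any(n.lower() == "disablemonitoring" and d.lower() == "dword:00000001" for n, d in values):
                findings.append(f"check: Security Center monitoring suppressed for {product}; confirm it is actually running")
    return findings


if __name__ == "__main__":  # python triage.py C:\ComboFix.txt, or no argument for the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    for finding in triage(parse_report(text)):
        print(finding)
```

Feed it the original C:\ComboFix.txt rather than a copy pasted through a blog, which may rewrite the dash columns the file regex relies on. On the report above it would list for review the three 5 KB eight-letter DLLs created in system32 between 23 and 25 August, the Run entry launching from the user profile, the unqualified CTHELPER.EXE entry, the two suppressed Security Center monitors and the 24 globally open firewall ports, TCP 135 among them; each is a question to answer, not a finding of malware.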
