|
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10701
Loc: London
|
|
Hi jim,
About this entry flaged up by panda:
Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\1dac91.rbf
Myway is pre installed on Dell Computers so its best to leave it if its not causing any problems.
The .RBF files and the config.msi folder are used by the Windows Installer rollback process. The rollback script (.RBS) file is always stored in the Config.Msi folder on the drive where the operating system is installed. The .RBF files are stored in the Config.Msi folder located on the drive where the application that is being backed up currently resides. This is done so that there is no crossing of drives when backing up the application files. Files with a RBS file extension are rollback script files and files with a RBF file extension are backups of existing files. All rollback files and the Config.Msi folder are deleted when the installation completes successfully
The other entries are all associated with Combofix which you can now remove:
combofix cleanup.
- Click START then RUN
- Now type Combofix /u in the runbox and click OK ](case insensitive)
- When shown the disclaimer, Select "2"
The above procedure will
- Delete ComboFix and its associated files and folders.
Please go to the add/remove utility in the control panel anf uninstall
Java(TM) 6 Update 3
Please download the latest Sun java update (Update 4) from MajorGeeks: http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html.
You also need to review your protections. I can see the following present:
Ad-Aware SE Professional
a-squared Free 3.1
AVG AntiSpyware
Trojan Remover 6.6.4
AVG AntiVirus
BT Yahoo! Internet\ModemLock.exe
BT Yahoo! Internet\Watchdog.exe
Spybot - Search & Destroy\TeaTimer.exe
What Firewall do you have?
Ideally you need one good third party firewall such as Comodo, one Anti-Virus, AVG is fine. You can have several anti-Spyware programmes on the hard drive as you want but make sure just one is running. I recommend installing the following as well:
Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
MacAffee Site advisor.
http://www.siteadvisor.com/
Joe.
--------------------
If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
hi joe
i have deleted combofix as above and i am downloading the java update.
i have installed site advisor and spyware blaster,he has sygate firewall and avg antivirus, ccleaner,spybot,easycleaner,trojan remover and a-squared installed - should i leave the avg anti-spyware as it is,or set it to start with windows etc?
thanks again
jim
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10701
Loc: London
|
|
Hi jim,
he has sygate firewall <-- Great programme but no longer supported unfortunately. Leave as is for now. I'm personally using Comodo, Just installed it so its too early to express an opinion but I'm pleased so far.
and avg antivirus <-- This is fine.
ccleaner<-- This is fine, tell him to run it weekly. Also update it now and then.
spybot <-- Keep this on the hard drive (Not running) Use when necessary.
easycleaner <-- Not familiar with this programme and never used it. Looks as if its similar to Ccleaner. Leave it on the hard drive but not running.
trojan remover <-- Not familiar with this programme and never used it. Leave it on the hard drive (Not running) and use if necessary
Ccleaner. Leave it on the hard drive but not running. Use weekly.
a-squared installed <-- Not familiar with this programme and never used it. Leave on the hard drive but not running.
avg anti-spyware <-- this is fine to leave working at startup but the full time protection lasts for 30 days only on the freeware. After that the full time protection disables unless you buy the programme.
I suggest just leaving as is and when the full time protection ends you can still update and use it to scan the computer.
site advisor <-- Just runs in the background.
spywareblaster <-- Just runs in the background. Keep updated. Protects against bad active X
When you've completed everything Jim do the following:
Disable the System Restore Utility (Windows XP Users)
- Right click the My Computer Icon on the Desktop and click on Properties.
- Click on the System Restore tab.
- Put a check mark next to 'Turn off System Restore on All Drives'.
- Click the 'OK' button.
- You will be prompted to restart the Computer. Click Yes.
Now re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.
Create a new system restore point immediately. Important.
Defragment the hard drive.
Start |All Programmes | Accessories |System Tools | Disk Defragmenter
This can take ages to complete so make sure you have time. Best to just leave running and check it occasionally. There is a nice little third party tool available called Magical Defragmenter which run in the background and does it all for you.
Post a new HJT log when you've done all the above for one final check.
see Tony Klein's: So how did I get infected in the first place?
I also recommend the information in Bleepingcomputer's
Simple steps to keep your computer secure! and Simple and easy ways to keep your computer safe and secure on the Internet
Joe.
--------------------
If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
hi joe
i've followed all the instructions above (i think!),so here is the new hjt log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:23, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/scotland/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E856656E-D2E7-4BBC-8D27-9438BE1BB8A1}: NameServer = 62.6.40.162 194.72.0.98
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Intel(R) Corporation - (no file)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9474 bytes
thanks again
jim
|
Joe_London
HijackThis Helper
Reg'd: Tue
Posts: 10701
Loc: London
|
|
jim
Just fix these two entries with HJT.
Open Hijackthis, take another scan and place a checkmark next to these entries.
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Close all open Windows except Hijackthis and click on "fix Checked".
Reboot the computer.
Otherwise everything looks good.
Joe.
--------------------
If I have helped you in any way, please consider a donation:
Joe's WebSite.
Member of UNITE and ASAP.
|
jimmyf
regular
Reg'd: Thu
Posts: 58
|
|
thanks joe,
you've been incredibly patient with this,and it's much appreciated.
you're a star!
cheers
jim
|
|
0 registered and 6 anonymous users are browsing this forum.
Moderator: putasolutions, greysts, bricat, AndrewC, Joe_London, John_McKenna, Mouse, Hello_There, TheFatControlleR, Nanook, Noviciate
Print Topic
|
Forum Permissions
You cannot start new topics
You cannot reply to topics
HTML is disabled
Mark-up is enabled
|
Rating:
Topic views: 0
|
|
|
|
|
Previous
Index
Next
Threaded
[Re: 
Edit
Reply
Quote
