Whistler Bootkit


Whistler Bootkit

Post by pwcarson on 31st July 2010, 7:39 pm

I think I've been infected with Whistler Bootkit. I've searched my symptom and I believe this is the culprit. If anyone can help me get rid of this, any help will be appreciated. Thank you.

pwcarson
Novice
Posts : 24
Joined : 2009-08-29
OS : windows xp


Re: Whistler Bootkit

Post by Crush on 31st July 2010, 8:10 pm

Welcome to GeekPolice Forums! I'm Crush, but you can call me Chris too, and I will be helping you with your malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes


With that out of the way:

Please download and run RKill.

[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.]

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.
========

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Crush
Master
Posts : 3889
Joined : 2010-01-27
Gender : Male


Re: Whistler Bootkit

Post by pwcarson on 31st July 2010, 8:54 pm

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as eArmyU Student on 07/31/2010 at 16:32:57.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\eArmyU Student\Desktop\rkill.com


Rkill completed on 07/31/2010 at 16:33:03.


ComboFix 10-07-31.01 - eArmyU Student 07/31/2010 16:36:28.3.1 - x86
Running from: c:\documents and settings\eArmyU Student\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-31 19:28 . 2010-07-31 19:28 -------- d-----w- c:\program files\Common Files\Java
2010-07-31 19:26 . 2010-07-31 19:26 503808 ----a-w- c:\documents and settings\eArmyU Student\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6668fc1a-n\msvcp71.dll
2010-07-31 19:26 . 2010-07-31 19:26 499712 ----a-w- c:\documents and settings\eArmyU Student\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6668fc1a-n\jmc.dll
2010-07-31 19:26 . 2010-07-31 19:26 348160 ----a-w- c:\documents and settings\eArmyU Student\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6668fc1a-n\msvcr71.dll
2010-07-31 19:26 . 2010-07-31 19:26 61440 ----a-w- c:\documents and settings\eArmyU Student\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-552234f6-n\decora-sse.dll
2010-07-31 19:26 . 2010-07-31 19:26 12800 ----a-w- c:\documents and settings\eArmyU Student\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-552234f6-n\decora-d3d.dll
2010-07-31 19:26 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-31 18:34 . 2010-07-31 18:34 -------- d-----w- c:\documents and settings\eArmyU Student\Application Data\PeaZip
2010-07-31 18:34 . 2010-07-31 18:34 -------- d-----w- c:\program files\PeaZip
2010-07-31 04:27 . 2010-07-31 04:27 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-31 03:01 . 2010-07-31 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-23 08:36 . 2010-07-23 08:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-16 17:54 . 2010-07-16 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-07-16 17:54 . 2010-07-16 17:54 -------- d-----w- c:\program files\Comcast
2010-07-16 17:50 . 2010-07-16 18:13 -------- d-----w- c:\documents and settings\eArmyU Student\Local Settings\Application Data\SupportSoft
2010-07-16 17:50 . 2010-07-16 17:50 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-07-12 20:12 . 2010-07-12 20:12 -------- d-----w- c:\documents and settings\eArmyU Student\Application Data\MoveFab
2010-07-12 01:26 . 2010-07-12 01:26 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-07-12 01:26 . 2010-07-12 01:26 47360 ----a-w- c:\documents and settings\eArmyU Student\Application Data\pcouffin.sys
2010-07-12 01:26 . 2010-07-12 01:26 -------- d-----w- c:\documents and settings\eArmyU Student\Application Data\Vso
2010-07-12 01:26 . 2010-07-12 01:26 -------- d-----w- c:\program files\DVDFab 7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 19:26 . 2007-10-19 18:14 -------- d-----w- c:\program files\Java
2010-07-16 17:50 . 2004-06-19 09:57 -------- d-----w- c:\program files\Support.com
2010-07-13 03:32 . 2008-09-15 23:27 -------- d-----w- c:\documents and settings\eArmyU Student\Application Data\FrostWire
2010-07-12 08:36 . 2006-07-03 15:00 -------- d-----w- c:\documents and settings\eArmyU Student\Application Data\Apple Computer
2010-06-25 19:43 . 2010-06-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-25 19:43 . 2010-06-25 19:41 -------- d-----w- c:\program files\iTunes
2010-06-25 19:42 . 2006-07-03 14:55 -------- d-----w- c:\program files\iPod
2010-06-25 19:42 . 2010-02-19 07:09 -------- d-----w- c:\program files\Common Files\Apple
2010-06-25 19:36 . 2010-06-25 19:35 -------- d-----w- c:\program files\QuickTime
2010-06-25 19:29 . 2010-06-25 19:29 -------- d-----w- c:\program files\Bonjour
2010-06-25 19:23 . 2010-06-25 19:23 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-22 23:14 . 2010-06-22 23:13 -------- d-----w- c:\program files\eMule
2010-06-14 14:31 . 2004-09-27 10:50 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2005-02-18 23:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:04 . 2008-10-29 00:09 135 ---ha-w- c:\documents and settings\eArmyU Student\Application Data\lakerda1967.sys
2010-05-04 05:04 . 2008-10-29 00:09 135 ---ha-w- c:\documents and settings\eArmyU Student\Application Data\lakerda1967.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-31 19:26 . 2010-07-31 19:26 16384 c:\windows\temp\Perflib_Perfdata_f1c.dat
+ 2010-07-31 17:45 . 2010-07-31 20:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-31 17:45 . 2010-07-31 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-02-21 16:33 . 2010-07-31 20:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-02-21 16:33 . 2010-07-31 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-02-21 16:33 . 2010-07-31 18:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-02-21 16:33 . 2010-07-31 20:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-31 19:26 . 2010-07-17 09:00 153376 c:\windows\system32\javaws.exe
+ 2010-07-31 19:26 . 2010-07-17 09:00 145184 c:\windows\system32\javaw.exe
- 2010-01-08 21:27 . 2009-10-11 09:17 145184 c:\windows\system32\javaw.exe
+ 2010-07-31 19:26 . 2010-07-17 09:00 145184 c:\windows\system32\java.exe
- 2010-01-08 21:27 . 2009-10-11 09:17 145184 c:\windows\system32\java.exe
+ 2010-07-31 19:28 . 2010-07-31 19:28 180224 c:\windows\Installer\5ba9aa.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Google Update"="c:\documents and settings\eArmyU Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 94208]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-12-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-12-16 118784]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-24 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2003-09-30 36864]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-03-12 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"TpShocks"="TpShocks.exe" [2004-03-27 102400]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"Center Agent"="c:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe" [2006-12-04 872960]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-09-29 9347072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2009-8-1 36864]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [8/29/2009 6:30 PM 36752]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [8/29/2009 6:30 PM 39440]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/19/2004 5:48 AM 16384]
R2 FGR Service;FGR Service;c:\program files\711_Fiberlink\Fgrd.exe [3/3/2003 6:51 PM 57344]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/29/2009 7:45 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/29/2009 7:45 PM 20952]
R3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/19/2004 6:21 AM 12288]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 3:00 AM 13904]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [9/5/2008 1:30 AM 79616]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2006-01-30 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-06-19 09:37]

2010-03-11 c:\windows\Tasks\FRU Task 2002-06-11 17:56ewlett-Packard2002-06-11 17:56p psc 2100 series0873DBB30DAF953F7DCEA1BDCC4F78BFDB130745258674940.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-11 15:56]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-784873669-2896618707-3503395266-1006Core.job
- c:\documents and settings\eArmyU Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-18 06:42]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-784873669-2896618707-3503395266-1006UA.job
- c:\documents and settings\eArmyU Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-18 06:42]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: army.mil\statepermsompf.hoffman
FF - ProfilePath - c:\documents and settings\eArmyU Student\Application Data\Mozilla\Firefox\Profiles\3kvreuke.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\eArmyU Student\Application Data\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\documents and settings\eArmyU Student\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-31 16:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\program files\Internet Explorer\iexplore.exe [1152] 0x8328F878
c:\program files\Internet Explorer\iexplore.exe [2428] 0x83974B18
c:\program files\Internet Explorer\iexplore.exe [748] 0x8325BDA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,07,b0,bf,e3,36,10,49,85,67,18,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,07,b0,bf,e3,36,10,49,85,67,18,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1980)
c:\program files\Funk Software\Funk Client\odLogin.dll

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-31 16:51:40
ComboFix-quarantined-files.txt 2010-07-31 20:51
ComboFix2.txt 2010-07-31 18:26
ComboFix3.txt 2009-08-30 18:44

Pre-Run: 8,644,784,128 bytes free
Post-Run: 8,693,596,160 bytes free

- - End Of File - - D9B6EA2667326C08463479D03EA0F57F


Re: Whistler Bootkit

Post by Crush on 31st July 2010, 9:04 pm

Combofix does not show the Whistler Bootkit. Have you done anything else aside from what I asked to remove the virus on your machine?


Re: Whistler Bootkit

Post by pwcarson on 31st July 2010, 9:38 pm

Only Malwarebytes. What is happening is I'm getting a mouse click randomly and "Congratulations, you won!" and other ads and sound clips playing at random. Also, Microsoft Office sometimes tries to install itself. If you might know what that might be, please let me know. Thanks for your time.


Re: Whistler Bootkit

Post by Crush on 31st July 2010, 9:40 pm

Ok. Let's try this:

Download [You must be registered and logged in to see this link.] to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL C
  • Open a Notepad and press CTRL V
  • Post the output back here.




Re: Whistler Bootkit

Post by pwcarson on 31st July 2010, 9:45 pm

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 7ae4ea329361d25cdd2a5b53b4e8087d

Size Device Name MBR Status
--------------------------------------------
27 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix


Done;
Press any key to quit...

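What the remover output above is reporting, reconstructed as an added example (this is not code from the thread or from eSage Lab's tool): the C: volume maps to \\.\PhysicalDrive0 at offset 0x7e00 because the active partition starts at LBA 63 (63 × 512 bytes), the boot sector is hashed so that a before/after change is visible (7ae4… became 6def… once the MBR was rewritten), and boot code that does not look like a stock loader is flagged "Unknown boot code". The script below parses a 512-byte MBR: it checks the 0x55AA signature, walks the partition table to derive that volume offset, hashes the boot code, and classifies it. Two assumptions are mine, not the tool's: the hash covers only the 440-byte boot-code area (so the per-disk signature and partition table do not perturb it), and "stock" means the Microsoft MBR prologue plus its three standard error strings. The sample MBR images are constructed inline; the tampered one merely replaces the first instructions and does not model Whistler's actual bytes. read_mbr() opens the raw device on Windows and needs administrator rights.

```python
"""Inspect a 512-byte MBR the way a bootkit remover does (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440              # bytes 0..439 hold boot code; then 4-byte disk signature, 2 zero bytes
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow
PART_ENTRY_FMT = "<BBBBBBBBII"   # status, CHS start (3), type, CHS end (3), LBA start, sector count

# First instructions of the stock Microsoft MBR (xor ax,ax / mov ss,ax / mov sp,7C00h)
# and the three error strings it carries. Treating "prologue present AND all three
# strings present" as DOS/Win32 boot code is this example's heuristic (assumption),
# not the exact test remover.exe performs.
STANDARD_PROLOGUE = bytes.fromhex("33C08ED0BC007C")
STANDARD_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def check_signature(mbr: bytes) -> None:
    """Raise if the sector is too short or lacks the 0x55AA boot signature."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("MBR must be at least %d bytes" % SECTOR_SIZE)
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    check_signature(mbr)
    entries = []
    for i in range(4):
        fields = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        status, ptype, lba_start, sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def system_volume_offset(mbr: bytes) -> int:
    """Byte offset of the active partition on the disk (0x7E00 for LBA 63)."""
    for entry in parse_partition_table(mbr):
        if entry["bootable"]:
            return entry["lba_start"] * SECTOR_SIZE
    raise ValueError("no active partition in MBR")


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code area only, so the disk signature and partition
    table (which differ on every machine) do not change the hash."""
    check_signature(mbr)
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def classify_boot_code(mbr: bytes) -> str:
    """Heuristic verdict in the style of the remover's 'MBR Status' column."""
    check_signature(mbr)
    code = mbr[:BOOT_CODE_LEN]
    if code.startswith(STANDARD_PROLOGUE) and all(s in code for s in STANDARD_STRINGS):
        return "OK (DOS/Win32 Boot code found)"
    return "Unknown boot code"


def read_mbr(device_path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk. Needs administrator rights on Windows; a
    rootkit filtering disk I/O inside the running OS may return a clean-looking sector."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed test image: stock-looking boot code and one active NTFS
    partition at LBA 63 on a 27 GB disk. With tampered=True the first
    instructions are replaced, standing in for a bootkit's first stage
    (arbitrary bytes, not Whistler's)."""
    code = bytearray(BOOT_CODE_LEN)
    code[: len(STANDARD_PROLOGUE)] = STANDARD_PROLOGUE
    pos = 0x160
    for s in STANDARD_STRINGS:
        code[pos: pos + len(s)] = s
        pos += len(s) + 1
    if tampered:
        code[:7] = bytes.fromhex("EA007C0000FA33")  # far jmp; any non-stock prologue will do
    disk_signature = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 56_623_104)
    table = entry + b"\x00" * 48
    return bytes(code) + disk_signature + table + b"\x55\xAA"


if __name__ == "__main__":
    for label, image in (("clean", build_sample_mbr()), ("tampered", build_sample_mbr(tampered=True))):
        print("%-8s offset=0x%08x md5=%s status=%s" % (
            label, system_volume_offset(image), boot_code_md5(image), classify_boot_code(image)))
```

Note that the tampered image keeps an intact partition table and signature, which is exactly why a bootkit survives a casual look: the disk still boots and the volume offset is unchanged, only the first-stage code differs. A clean verdict from a read made through the running OS is also only as trustworthy as the kernel doing the read; comparing the hash against a copy taken from a boot CD is the stronger check.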

Re: Whistler Bootkit

Post by Crush on 31st July 2010, 9:59 pm

Please create a new text file with e.g. Notepad with the following contents:
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

  • Save it as Fix.bat to your Desktop.
  • Doubleclick Fix.bat to run it.
  • A black DOS screen will flash too quickly to read, indicating a successful run
  • Doubleclick remover.exe again as you did previously and post its log back here.


Re: Whistler Bootkit

Post by pwcarson on 31st July 2010, 10:07 pm

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
27 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Whistler Bootkit

Post by Crush on 31st July 2010, 10:11 pm

Woohoo! Good riddance Bootkit! Things running better now?


Re: Whistler Bootkit

Post by pwcarson on 31st July 2010, 10:17 pm

So far so good. Let's hope that did it. I really appreciate the help.


Re: Whistler Bootkit

Post by Crush on 31st July 2010, 10:20 pm

Congratulations!! Your PC is all clean!
To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall



(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

Cleaning

Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Defragmenting Your Hard Disk

Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
right-click My Computer, choose Manage, Storage, Disk Defragmenter.

In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

Repeat for multiple partitions/hard disks.

System Restore Cleanup Instructions

If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
You can find instructions on how to disable and re-enable system restore here:

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Reading Tip:
[You must be registered and logged in to see this link.]
Keep Your System Updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update

Alternatively, you can visit the link below to update Windows and Office products.

[You must be registered and logged in to see this link.]

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

1. Go to Start > Control Panel > Automatic Updates
2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
2. Never open emails from unknown senders.
3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many security exploits on websites are directed to users of Internet Explorer and Firefox.

If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to back up. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
[You must be registered and logged in to see this link.]

Avoid P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Prevent A Re-infection

1. Winpatrol

Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behaves like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

You can read [You must be registered and logged in to see this link.] if you run into problems.

2. Hosts File

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

A replacement Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

3. Spybot Search and Destroy

Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

4. SiteHound Toolbar

[You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

====

Stand Up and Be Counted ---> [You must be registered and logged in to see this link.] <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
============================================================
See [You must be registered and logged in to see this link.] for more info about malware and prevention.
Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
Before the thread is archived, do you have any more questions?

Happy surfing and stay clean!

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0
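The phone-book analogy in the Hosts File section above cuts both ways: a hosts file can sink ad and spyware domains to 127.0.0.1, but malware also edits it to keep a machine from reaching antivirus update sites. As an added example (not code from the thread, from GeekPolice, or from any of the tools it names), here is a small Python audit that parses hosts-file text and separates sinkholed blocklist entries from entries that quietly redirect a watched hostname somewhere else. The sample file, the `.test` domains and the watchlist are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample hosts file (not the poster's). It mixes the stock localhost
# lines, blocklist-style entries that sink ad/spyware domains to 127.0.0.1 or
# 0.0.0.0, and one hijack-style entry that points a vendor's update host at a
# routable address, which is how malware blocks AV updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- blocklist entries (constructed) ---
127.0.0.1  ads.example-adserver.test
127.0.0.1  tracker.example-spyware.test  # comment after entry
0.0.0.0    popups.example-ads.test
# --- hijack-style entry (constructed) ---
203.0.113.10  update.example-antivirus.test
"""

# Hostnames whose resolution must never be redirected (constructed watchlist;
# a real one would hold your AV, update and banking hosts).
WATCHLIST = {"update.example-antivirus.test", "windowsupdate.microsoft.com"}

# Addresses a blocklist uses to sinkhole a hostname.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    One address line may carry several hostnames; comments (#) and blank lines
    are skipped, as the Windows and Unix resolvers skip them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, hostnames = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)  # drop lines whose address field is malformed
        except ValueError:
            continue
        for name in hostnames:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text, watchlist=WATCHLIST):
    """Split entries into sinkholed (blocklist) and suspicious (redirect) ones.

    An entry is suspicious when a watched hostname is mapped anywhere other than
    a sinkhole address, or when any hostname is mapped to a globally routable
    address; both are the signature of a hosts-file hijack rather than a block.
    """
    sinkholed, suspicious = [], []
    for ip, name in parse_hosts(text):
        if ip in SINKHOLE:
            if name != "localhost":
                sinkholed.append(name)
            continue
        addr = ipaddress.ip_address(ip)
        if name in watchlist or addr.is_global:
            suspicious.append((name, ip))
    return {"sinkholed": sinkholed, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholed'])} sinkholed entries")
    for name, ip in report["suspicious"]:
        print(f"SUSPICIOUS: {name} -> {ip}")
```

On a real XP machine the file to feed `audit_hosts` is C:\WINDOWS\system32\drivers\etc\hosts; a blocklist-style hosts file of the kind linked above will show up entirely in the sinkholed list, and anything in the suspicious list deserves a look before trusting the machine's AV updates.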

Re: Whistler Bootkit

Post by pwcarson on 31st July 2010, 11:53 pm

Well, as soon as I closed my browser after your last message I got another random advertisement sound clip.

pwcarson
Novice

Posts : 24
Joined : 2009-08-29
OS : windows xp
Points : 26784
Likes : 0

Re: Whistler Bootkit

Post by Crush on 1st August 2010, 12:41 am

Let's try this:
Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log in your reply

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0

Re: Whistler Bootkit

Post by pwcarson on 1st August 2010, 1:25 am

Here is the log file. I'm also now getting pop-up ads that say "message from website", something about not believing that this diet works.


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4375

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/31/2010 9:22:12 PM
mbam-log-2010-07-31 (21-22-12).txt

Scan type: Quick scan
Objects scanned: 142821
Time elapsed: 15 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pwcarson
Novice

Posts : 24
Joined : 2009-08-29
OS : windows xp
Points : 26784
Likes : 0

Re: Whistler Bootkit

Post by Crush on 1st August 2010, 1:52 am

Hm. Nothing. Can you run Bootkit Remover again please?

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0

Re: Whistler Bootkit

Post by pwcarson on 2nd August 2010, 5:01 am

Also, I've done a little more research and I think it could possibly be Trojan Horse Clicker AJ. It seems to have all the same symptoms I'm having.

pwcarson
Novice

Posts : 24
Joined : 2009-08-29
OS : windows xp
Points : 26784
Likes : 0

Re: Whistler Bootkit

Post by Crush on 2nd August 2010, 5:06 am

Did you see post 16?

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0

Re: Whistler Bootkit

Post by pwcarson on 2nd August 2010, 7:45 am

Oh, I'm sorry, no I didn't. Here it is:

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
27 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

pwcarson
Novice

Posts : 24
Joined : 2009-08-29
OS : windows xp
Points : 26784
Likes : 0
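The Bootkit Remover output above reports where the system volume starts on the physical disk, an MD5 of the boot sector, and whether standard boot code was found in the MBR. As an added example (not the eSage Lab tool's code, and not from the thread), this Python script shows what such a check amounts to: parse a 512-byte MBR image, verify the 0x55AA signature, walk the partition table, and compare a hash of the boot-code region against a baseline recorded when the machine was known clean. The MBR image is constructed, and hashing only the first 446 bytes is this example's design choice, because that is the region a bootkit overwrites; the real tool may hash differently.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
BOOT_CODE_LEN = 446  # bytes 0-445: boot code; then four 16-byte partition entries
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code=b"\xfa\x33\xc0", first_lba=63, sectors=56623104):
    """Construct a synthetic 512-byte MBR with one active NTFS partition.

    Not a dump of anyone's drive. The default first_lba of 63 matches the
    thread's "\\\\.\\C: -> \\\\.\\PhysicalDrive0 at offset 0x7e00": 63 * 512 = 0x7e00.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x90")  # pad with NOPs (constructed)
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        first_lba, sectors)
    table = entry + b"\x00" * (16 * 3)  # remaining three slots empty
    return code + table + MBR_SIGNATURE


def parse_mbr(image):
    """Return boot-code hash, whole-sector hash, signature check and partitions."""
    if len(image) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    boot_code = image[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, image[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "byte_offset": lba * SECTOR,  # what the tool prints as "at offset"
            "sectors": count,
        })
    return {
        "boot_code_md5": hashlib.md5(boot_code).hexdigest(),
        "sector_md5": hashlib.md5(image).hexdigest(),
        "signature_ok": image[-2:] == MBR_SIGNATURE,
        "partitions": partitions,
    }


def mbr_status(image, known_good_md5):
    """Classify the MBR the way a bootkit checker reports it.

    INVALID: signature missing, so the BIOS would not even boot it.
    MODIFIED: boot code differs from the baseline taken on a clean machine
              (assumed to have been recorded earlier), the bootkit signature.
    OK: boot code matches the baseline.
    """
    info = parse_mbr(image)
    if not info["signature_ok"]:
        return "INVALID"
    return "OK" if info["boot_code_md5"] == known_good_md5 else "MODIFIED"


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("Boot sector MD5 is:", info["sector_md5"])
    for p in info["partitions"]:
        print(f"partition {p['index']} at offset {p['byte_offset']:#010x}, "
              f"{p['sectors'] * SECTOR // 2**30} GB, active={p['active']}")
    print("Status:", mbr_status(mbr, info["boot_code_md5"]))
```

The point of keeping the partition table separate from the boot-code hash is visible in the MODIFIED case: a bootkit that patches only the first few hundred bytes leaves the partition table intact, so the volume still mounts at the same 0x7e00 offset and Windows boots normally, which is why a hash comparison against a known-good baseline, not the mere presence of partitions, is the signal to watch.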

Re: Whistler Bootkit

Post by Crush on 2nd August 2010, 9:03 am

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0

Re: Whistler Bootkit

Post by pwcarson on 2nd August 2010, 5:54 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
OnlineCmdLineScanner.exe@High:Finished with error2002 Update status=13 3.0.2
lost connection with client# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e3891d852e4cab44bdb0198ce21e0396
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-02 11:30:32
# local_time=2010-08-02 07:30:32 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 29070047 29070047 0 0
# compatibility_mode=1026 16777214 0 2 28283965 28283965 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=87569
# found=1
# cleaned=1
# scan_time=4413
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

pwcarson
Novice

Posts : 24
Joined : 2009-08-29
OS : windows xp
Points : 26784
Likes : 0

Re: Whistler Bootkit

Post by Crush on 3rd August 2010, 9:14 pm

Hi,

How are things running now? I am currently on vacation so my reply time will be minimal.

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0

Re: Whistler Bootkit

Post by pwcarson on 3rd August 2010, 10:28 pm

Everything is awesome, running better than ever. Thank you for your help. Enjoy your vacation. Thanks again.

pwcarson
Novice

Posts : 24
Joined : 2009-08-29
OS : windows xp
Points : 26784
Likes : 0

Re: Whistler Bootkit

Post by Crush on 4th August 2010, 4:15 am

Congratulations!! Your PC is all clean!
To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

Cleaning

Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Defragmenting Your Hard Disk

Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

To use the defragmenter included with Windows, either go to Start/Run, type dfrg.msc and hit Enter; or
right-click My Computer and choose Manage, Storage, Disk Defragmenter.

In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

Repeat for multiple partitions/hard disks.

System Restore Cleanup Instructions

If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
You can find instructions on how to disable and re-enable system restore here:

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Reading Tip:
[You must be registered and logged in to see this link.]
Keep Your System Updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, and revisit the Windows Update and Office Update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update

Alternatively, you can visit the link below to update Windows and Office products.

[You must be registered and logged in to see this link.]

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

1. Go to Start > Control Panel > Automatic Updates
2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
2. Never open emails from unknown senders.
3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many security exploits on websites are directed to users of Internet Explorer and Firefox.

If you use Firefox, try the [You must be registered and logged in to see this link.] - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this [You must be registered and logged in to see this link.] to learn how to back up. Follow [You must be registered and logged in to see this link.] by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
[You must be registered and logged in to see this link.]

Avoid P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Prevent A Re-infection

1. Winpatrol

Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behaves like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features [You must be registered and logged in to see this link.]

You can get a [You must be registered and logged in to see this link.] of Winpatrol or use the [You must be registered and logged in to see this link.] for more features.

You can read [You must be registered and logged in to see this link.] if you run into problems.

2. Hosts File

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

A replacement Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

3. Spybot Search and Destroy

Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

Spybot Search & Destroy can be downloaded from [You must be registered and logged in to see this link.].

If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy [You must be registered and logged in to see this link.] at Bleeping Computer.

4. SiteHound Toolbar

[You must be registered and logged in to see this link.] is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

====

Stand Up and Be Counted ---> [You must be registered and logged in to see this link.] <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
============================================================
See [You must be registered and logged in to see this link.] for more info about malware and prevention.
Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site.
Before the thread is archived, do you have any more questions?

Happy surfing and stay clean!

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42138
Likes : 0