runmgr.exe - Trojan.Win32.Qhost.kfv

ChargerSRT8 · July 2008

runmgr.exe (Trojan.Win32.Qhost.kfv):
I got this Crap from a College Computer, I've got a Lot of Homework to Do within These 2 Weeks and I Need to Get Rid of This BS ASAP!!

I Already Disabled System Restore for All Drives, Deleted Temporary Internet Files for All Users, Using Flash Disinfector for My USBs (That's How I got it), Erased All runmgr Named Files I Could Find, Deleted Recycler from My Slave HD (I cannot Get Rid of Recycler from C:, Can I Delete System Volume Information on Both Drives?), Kaspersky 2009 has been Running for 7½ Hours and cannot Finish, I Click Over runmgr.exe on C: and Kaspersky AV 2009 Says it's Clean!!

Kaspersky.com Claims The Update has Already been Released, Which is Untrue (13 July 2008):
http://www.kaspersky.com/viruswatchlite?search_virus=qhost

The Thing Keeps Spawning Over and Over Again, I don't Have The Time for Hundred Logs, I Need a Solution, Please Katana, I'm in a Rush for Homework Making (Photoshop, Illustrator, Flash and InDesign), I Need The Solution.

- Thanks.

ChargerSRT8 · July 2008

Now The Thing Morphed into:
Trojan.Win32.VB.dwu

CID67 · July 2008

Cid67,

Please can I point you to the forum rules

while we appreciate you trying to help please leave the spyware advice to the approved spyware removers here, any advice given by non-SVR staff will be removed. This is to protect the user from advice that may render their computer useless. If you are a graduate of 1 of the spyware schools out there & would like to help please PM one of the SVR mods

http://icrontic.com/forum/showpost.php?p=431627&postcount=2

Katana · July 2008

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

I don't Have The Time for Hundred Logs, I Need a Solution, Please Katana, I'm in a Rush

ChargerSRT8,

I understand that you are upset by malware being on your machine, but unfortunately the only way I can clean it is by you posting logs that I request.
There is no quick solution to remove this infection, as you have seen yourself it changes file names.
It will take as many logs as I think are needed, no more and certainly no less.

You need to stop anything that you are doing to try and remove it, and let me give you instructions.
If you can do this, that is fine. If you can't, then you will be wasting my time as well as your own.

Click here to download HJTinstall.exe

Save HJTinstall.exe to your desktop.
Double click on the HJTinstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\Hijack This.
Click I accept
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

CID67 · July 2008

No problems.... I was only trying to help ..... the advice I found here was good and pointed in the right direction, however did not clean the problem.

I do understand ...

I am not a "Spyware Graduate", but I have a BS and MS in EE and have over 50 professional certification in the field .... Again my apologies, I was only trying to help.

Cid

ChargerSRT8 · July 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:07:14am, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\ACD Systems\ACDSee\5.0\ACDSee5.exe
C:\Program Files\Common Files\ACD Systems\IDBSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212956345054
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
--
End of file - 6671 bytes

Katana · July 2008

Do you have the ComboFix log ?

ChargerSRT8 · July 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:38pm, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ACD Systems\ACDSee\5.0\ACDSee5.exe
C:\Program Files\Common Files\ACD Systems\IDBSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212956345054
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
--
End of file - 6437 bytes

ChargerSRT8 · July 2008

ComboFix 08-07-21.1 - Amin 2008-07-25 23:35:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.52.1033.18.178 [GMT -5:00]
Running from: C:\Documents and Settings\Amin\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Amin\Application Data\macromedia\Flash Player\#SharedObjects\VDEBHAE2\www.broadcaster.com
C:\Documents and Settings\Amin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Amin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Murciélago\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.
2008-07-22 22:06 . 2008-07-23 11:41 <DIR> d

C:\WINDOWS\SxsCaPendDel
2008-07-22 02:06 . 2008-07-22 02:06 <DIR> d

C:\Program Files\Trend Micro
2008-07-21 11:57 . 2008-07-21 12:01 <DIR> d

C:\Documents and Settings\Charly\Application Data\Prevx
2008-07-20 13:12 . 2008-07-20 13:12 78 --a

C:\WINDOWS\SuperUtil.ini
2008-07-13 16:13 . 2008-07-13 16:13 <DIR> d

C:\WINDOWS\Applian FLV Player
2008-07-13 16:13 . 2008-07-13 16:13 <DIR> d

C:\Program Files\FLV Player
2008-07-13 04:01 . 2008-07-14 23:05 54,156 --ah

C:\WINDOWS\QTFont.qfn
2008-07-13 04:01 . 2008-07-14 23:05 1,409 --a

C:\WINDOWS\QTFont.for
2008-07-12 01:34 . 2008-07-12 21:44 <DIR> d

C:\Documents and Settings\Amin\Application Data\Download Manager
2008-07-07 13:25 . 2008-07-07 13:25 <DIR> d

C:\Program Files\Common Files\Control Panels
2008-07-05 16:42 . 2008-07-05 16:42 3,494 --a

C:\WINDOWS\system32\msltstsoft_updt.exe
2008-07-03 23:47 . 2008-07-24 23:01 96,559 --a

C:\WINDOWS\system32\drivers\klin.dat
2008-07-03 23:47 . 2008-07-24 23:01 87,855 --a

C:\WINDOWS\system32\drivers\klick.dat
2008-07-03 23:46 . 2008-07-25 23:45 4,659,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-03 23:46 . 2008-07-25 23:45 1,015,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-03 23:46 . 2008-07-25 23:45 38,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-03 23:46 . 2008-07-25 23:45 5,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-03 23:45 . 2008-07-25 23:49 <DIR> d

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 12:04

d

w C:\Documents and Settings\Amin\Application Data\Azureus
2008-07-25 11:46

d

w C:\Program Files\emule0.47a-Xtreme5.2.2
2008-07-25 07:03

d

w C:\Documents and Settings\Amin\Application Data\Free Download Manager
2008-07-16 11:27

d--h--w C:\Program Files\Wolfenstein 3-D (IBM)
2008-07-10 05:05

d

w C:\Program Files\SourceTec
2008-07-07 17:50

d

w C:\Program Files\Common Files\Adobe
2008-07-04 04:45

d

w C:\Program Files\Kaspersky Lab
2008-07-04 04:42

d

w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-23 21:59

dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-23 21:59

d

w C:\Program Files\Windows Live
2008-06-23 21:46

d

w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-21 06:31

d

w C:\Program Files\Bonjour
2008-05-28 04:15

d

w C:\Program Files\Corel
2008-05-28 04:15

d

w C:\Program Files\Common Files\Corel
2006-09-18 01:53 150,192 ----a-w C:\Program Files\TweakUiPowertoySetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 14:43 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"VIDC.i420"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a

2005-12-30 18:06 878080 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a

2005-08-11 16:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a

2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft WinUpdate]
--a

2008-07-05 16:42 3494 C:\WINDOWS\system32\msltstsoft_updt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\emule0.47a-Xtreme5.2.2\\emule.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24000:TCP"= 24000:TCP:TCP
"24024:UDP"= 24024:UDP:UDP
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2001-12-26 18:43]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 ids00026;ids00026;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys []
S3 ids00118;ids00118;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys []
S3 ids0015d;ids0015d;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0015d.sys []
S3 ids00180;ids00180;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00180.sys []
S3 ids0018a;ids0018a;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0018a.sys []
S3 stihp2k;stihp2k;C:\WINDOWS\system32\DRIVERS\stihp2k.sys [2001-06-05 23:25]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-HP Update 3400C - C:\sj652\hpupdate.exe

.

Supplementary Scan

.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xportar a Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:50:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

Other Running Processes

.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-26 0:12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 05:11:59
Pre-Run: 5,616,865,280 bytes free
Post-Run: 7,359,459,328 bytes free
157

ChargerSRT8 · July 2008

Dc82 Cannot be Deleted from C:\Recycler, and a Keylogger is Active, KAV 2009 Cannot do Anything About it...

Katana · July 2008

ChargerSRT8 wrote:

a Keylogger is Active, KAV 2009 Cannot do Anything About it...

Does KAV say where this keylogger is ?

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus
Ares
emule

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please note: you must NOT use this whilst we are cleaning your machine.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\WINDOWS\system32\msltstsoft_updt.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft WinUpdate]
ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Installed Programs

Please could you give me a list of the programs that are installed.

Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> ActiveScan << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

ComboFix log
Installed Programs List
Active Scan Log

ChargerSRT8 · July 2008

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-27 05:13:22
PROTECTIONS: 1
MALWARE: 33
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Anti-Virus 8.0.0.357 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Murciélago\Cookies\murciélago@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@mediaplex[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@statcounter[2].txt
00167783 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@counter6.sextracker[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@apmebf[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@bs.serving-sys[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@advertising[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@realmedia[1].txt
00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@terra.com[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@bluestreak[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@go[1].txt
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@i.screensavers[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Amin\Cookies\amin@atwola[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Charly\Cookies\charly@atwola[1].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Amin\Desktop\Flash_Disinfector.exe[nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 No No S:\Flash_Disinfector.exe[nircmd.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{725202D5-87FB-45B9-9EB5-EE1EFE51918F}\RP2\A0000014.EXE
02526573 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Amin\My Documents\My Stuff\Installers\Keygen_Illustrator_CS3.rar[Keygen Illustrator CS3\Keygen Illustrator CS3.exe]
02526573 Generic Malware Virus/Trojan No 0 Yes No D:\DVD Temp\McLaren F1 GT\Adobe® Illustrator® CS3\Keygen\Keygen Illustrator CS3.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{725202D5-87FB-45B9-9EB5-EE1EFE51918F}\RP2\A0000007.sys
02912157 W32/Spamta.gen.worm Virus/Worm No 0 Yes No C:\Documents and Settings\Amin\My Documents\My Stuff\DivX\Keymaker.exe
02934030 Trj/Rizalof.RV Virus/Trojan No 1 Yes No D:\DVD Temp\McLaren F1 GT\Adobe® Photoshop® CS3 Extended\Keygen\PhotoShop CS3 Extended Keygen + Activation.exe
02934030 Trj/Rizalof.RV Virus/Trojan No 1 Yes No D:\DVD Temp\CS3_Keygen_Collectionteamps\PhotoShop CS3 Extended Keygen + Activation.exe
02934030 Trj/Rizalof.RV Virus/Trojan No 1 No No D:\DVD Temp\KeysCollectionadobe.rar[CS3 Keygen Collection\PhotoShop CS3 Extended Keygen + Activation.exe]
02987632 Generic Trojan Virus/Trojan No 0 No No C:\LAX\SlySoft.Products.Universal.Patch.v1.31.4in1.rar[Slysoft.exe]
03252395 Generic Trojan Virus/Trojan No 0 Yes No D:\DVD Temp\CS3_Keygen_Collectionteamps\Dreamweaver CS3 VLK.exe
03252395 Generic Trojan Virus/Trojan No 0 No No D:\DVD Temp\KeysCollectionadobe.rar[CS3 Keygen Collection\Dreamweaver CS3 VLK.exe]
03252796 Generic Trojan Virus/Trojan No 0 Yes No D:\DVD Temp\CS3_Keygen_Collectionteamps\GoLive CS3 Keygen.exe
03252796 Generic Trojan Virus/Trojan No 0 No No D:\DVD Temp\KeysCollectionadobe.rar[CS3 Keygen Collection\GoLive CS3 Keygen.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location g
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description g
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 g
184379 MEDIUM MS08-001 g
182048 HIGH MS07-069 g
182046 HIGH MS07-067 g
182043 HIGH MS07-064 g
179553 HIGH MS07-061 g
176382 HIGH MS07-057 g
176383 HIGH MS07-058 g
170911 HIGH MS07-050 g
170907 HIGH MS07-046 g
170906 HIGH MS07-045 g
170904 HIGH MS07-043 g
164915 HIGH MS07-035 g
164913 HIGH MS07-033 g
164911 HIGH MS07-031 g
160623 HIGH MS07-027 g
157262 HIGH MS07-022 g
157261 HIGH MS07-021 g
157260 HIGH MS07-020 g
157259 HIGH MS07-019 g
156477 HIGH MS07-017 g
150253 HIGH MS07-016 g
150249 HIGH MS07-013 g
150248 HIGH MS07-012 g
150247 HIGH MS07-011 g
150243 HIGH MS07-008 g
150242 HIGH MS07-007 g
150241 MEDIUM MS07-006 g
145501 HIGH MS07-004 g
141034 HIGH MS06-076 g
141033 MEDIUM MS06-075 g
137571 HIGH MS06-070 g
133387 MEDIUM MS06-065 g
133386 MEDIUM MS06-064 g
133385 MEDIUM MS06-063 g
133379 HIGH MS06-057 g
129977 MEDIUM MS06-053 g
129976 MEDIUM MS06-052 g
126093 HIGH MS06-051 g
126092 MEDIUM MS06-050 g
126087 HIGH MS06-046 g
126086 MEDIUM MS06-045 g
126082 HIGH MS06-041 g
126081 HIGH MS06-040 g
123421 HIGH MS06-036 g
123420 HIGH MS06-035 g
120825 MEDIUM MS06-032 g
120823 MEDIUM MS06-030 g
120818 HIGH MS06-025 g
120815 HIGH MS06-022 g
117384 MEDIUM MS06-018 g
114666 HIGH MS06-015 g
108744 MEDIUM MS06-008 g
108743 MEDIUM MS06-007 g
108742 MEDIUM MS06-006 g
104567 HIGH MS06-002 g
104237 HIGH MS06-001 g
96574 HIGH MS05-053 g
93395 HIGH MS05-051 g
93394 HIGH MS05-050 g
93454 MEDIUM MS05-049 g
;===================================================================================================================================================================================

ChargerSRT8 · July 2008

ComboFix 08-07-21.1 - Amin 2008-07-27 11:03:59.2 - NTFSx86
Running from: C:\Documents and Settings\Amin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Amin\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\msltstsoft_updt.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\msltstsoft_updt.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.
2008-07-26 16:40 . 2008-06-19 17:24 28,544 --a

C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-26 16:37 . 2008-07-26 16:37 <DIR> d

C:\WINDOWS\LastGood
2008-07-26 16:37 . 2008-07-26 16:37 <DIR> d

C:\Program Files\Panda Security
2008-07-26 00:12 . 2008-07-26 00:12 <DIR> d

C:\Documents and Settings\MurciÚlago
2008-07-22 22:06 . 2008-07-23 11:41 <DIR> d

C:\WINDOWS\SxsCaPendDel
2008-07-22 02:06 . 2008-07-22 02:06 <DIR> d

C:\Program Files\Trend Micro
2008-07-21 11:57 . 2008-07-21 12:01 <DIR> d

C:\Documents and Settings\Charly\Application Data\Prevx
2008-07-21 00:11 . 2008-07-21 07:32 <DIR> d

C:\Documents and Settings\Murciélago\Application Data\Prevx
2008-07-20 13:12 . 2008-07-20 13:12 78 --a

C:\WINDOWS\SuperUtil.ini
2008-07-13 16:13 . 2008-07-13 16:13 <DIR> d

C:\WINDOWS\Applian FLV Player
2008-07-13 16:13 . 2008-07-13 16:13 <DIR> d

C:\Program Files\FLV Player
2008-07-12 01:34 . 2008-07-12 21:44 <DIR> d

C:\Documents and Settings\Amin\Application Data\Download Manager
2008-07-07 13:25 . 2008-07-07 13:25 <DIR> d

C:\Program Files\Common Files\Control Panels
2008-07-03 23:47 . 2008-07-24 23:01 96,559 --a

C:\WINDOWS\system32\drivers\klin.dat
2008-07-03 23:47 . 2008-07-24 23:01 87,855 --a

C:\WINDOWS\system32\drivers\klick.dat
2008-07-03 23:46 . 2008-07-25 23:45 4,659,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-03 23:46 . 2008-07-27 03:38 1,040,416 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-03 23:46 . 2008-07-25 23:45 38,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-03 23:46 . 2008-07-27 03:38 5,684 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-03 23:45 . 2008-07-25 23:49 <DIR> d

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 20:40

d

w C:\Documents and Settings\Amin\Application Data\Azureus
2008-07-26 16:00

d

w C:\Program Files\emule0.47a-Xtreme5.2.2
2008-07-25 07:03

d

w C:\Documents and Settings\Amin\Application Data\Free Download Manager
2008-07-16 11:27

d--h--w C:\Program Files\Wolfenstein 3-D (IBM)
2008-07-10 05:05

d

w C:\Program Files\SourceTec
2008-07-07 17:50

d

w C:\Program Files\Common Files\Adobe
2008-07-04 04:45

d

w C:\Program Files\Kaspersky Lab
2008-07-04 04:42

d

w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-30 02:12 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-23 21:59

dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-23 21:59

d

w C:\Program Files\Windows Live
2008-06-23 21:46

d

w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-21 06:31

d

w C:\Program Files\Bonjour
2008-05-28 04:15

d

w C:\Program Files\Corel
2008-05-28 04:15

d

w C:\Program Files\Common Files\Corel
2006-09-18 01:53 150,192 ----a-w C:\Program Files\TweakUiPowertoySetup.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-26_ 0.09.51.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 15:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 14:43 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"VIDC.i420"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a

2005-12-30 18:06 878080 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a

2005-08-11 16:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a

2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\emule0.47a-Xtreme5.2.2\\emule.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24000:TCP"= 24000:TCP:TCP
"24024:UDP"= 24024:UDP:UDP
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2001-12-26 18:43]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 ids00026;ids00026;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys []
S3 ids00118;ids00118;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys []
S3 ids0015d;ids0015d;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0015d.sys []
S3 ids00180;ids00180;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00180.sys []
S3 ids0018a;ids0018a;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0018a.sys []
S3 stihp2k;stihp2k;C:\WINDOWS\system32\DRIVERS\stihp2k.sys [2001-06-05 23:25]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 11:12:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-27 11:26:42
ComboFix-quarantined-files.txt 2008-07-27 16:26:02
Pre-Run: 7,078,502,400 bytes free
Post-Run: 7,112,261,632 bytes free
138

ChargerSRT8 · July 2008

ACDSee 5.0 PowerPack
Ad-Aware SE Personal
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe InDesign CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.0
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced RealMedia Export Plug-in for Premiere 6.0
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
Alien Skin Xenofex 2.0
AnyDVD
Apple Software Update
Applian FLV Player
Ares 1.9.9
Azureus
Azureus Vuze
BSPlayer
Canon Camera WIA Driver 6.2.5
CloneDVD2
CorelDRAW Graphics Suite X3
Digital Element Aurora
DivX Codec
DVD-CLONER V3.20 Build 896
DVDFab Platinum 2.9.8.1
eMule
EN
Exifer
File And MP3 Tag Renamer 2.2
FLV Player 1.3.3
FontNav
Free Download Manager 2.1
GIF Movie Gear 3.0.2
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP PrecisionScan LTX
J2SE Runtime Environment 5.0 Update 6
Kaspersky Anti-Virus 2009
Kaspersky Anti-Virus 2009
K-Lite Mega Codec Pack 1.03
Macromedia Flash MX
Magic ISO Maker v5.4 (build 0239)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Media Video 9 VCM
Mosaic Magic
Mozilla Firefox (3.0)
Nero 7 Demo
Opera 9.23
Panda ActiveScan 2.0
PDF Settings
PowerDVD
QuickTime
RealArcade - Feeding Frenzy v1.2
RealPlayer
SeaTools for Windows
SnagIt 7
Sonic Foundry ACID 4.0b
Sonic Foundry Sound Forge 6.0e
Sothink SWF Decompiler
Switch Off
Tweak UI
Update Manager
VBA
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
WM Recorder 11.2

ChargerSRT8 · July 2008

Katana · July 2008

C:\Documents and Settings\Amin\My Documents\My Stuff\DivX\Keymaker.exe
C:\Documents and Settings\Amin\My Documents\My Stuff\Installers\Keygen_Illustrator_CS3.rar
C:\LAX\SlySoft.Products.Universal.Patch.v1.31.4in1.rar
D:\DVD Temp\CS3_Keygen_Collectionteamps\Dreamweaver CS3 VLK.exe
D:\DVD Temp\CS3_Keygen_Collectionteamps\GoLive CS3 Keygen.exe
D:\DVD Temp\CS3_Keygen_Collectionteamps\PhotoShop CS3 Extended Keygen + Activation.exe
D:\DVD Temp\KeysCollectionadobe.rar
D:\DVD Temp\McLaren F1 GT\Adobe© Illustrator© CS3\Keygen\Keygen Illustrator CS3.exe
D:\DVD Temp\McLaren F1 GT\Adobe© Photoshop© CS3 Extended\Keygen\PhotoShop CS3 Extended Keygen + Activation.exe

AND YOU ARE SURPRISED THAT YOU HAVE A KEYLOGGER ????????????????? !!!!!!!!!!!!!!!!!!!!!!!!!!

ChargerSRT8 · July 2008

Uh huh, and Then..? That Thing Spawned within The runmgr.exe Stuff that Entered Through My USB, I'm Struggling Since Then... The Guy From The Computer Room in My College Realized Recently that "There's an Infection", He's Still Dealing with it.

Are You Gonna Help Me, or I Wasted 7 Hours of Log Crap...?

Katana · July 2008

You have not wasted any time at all, I have.
Those files were not created by the infection. I know this for two reasons
1) If they were created by the infection there would be more information about the file/folder names on the internet.
2) At least three of those files have been there for over three months.

I don't provide help for those using any form of cracked software or Operating Systems.

In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

In the future I strongly suggest you stay away from using cracks and/or Keygens.

The "Keylogger" that Kaspersky is detecting is your keyboard driver. Click "Add To Exclusions"

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u7
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 7 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.

J2SE Runtime Environment 5.0 Update 6

Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
D:\DVD Temp\KeysCollectionadobe.rar
C:\Documents and Settings\Amin\My Documents\My Stuff\DivX\Keymaker.exe
C:\Documents and Settings\Amin\My Documents\My Stuff\Installers\Keygen_Illustrator_CS3.rar
C:\LAX\SlySoft.Products.Universal.Patch.v1.31.4in1.rar
Folder::
D:\DVD Temp\CS3_Keygen_Collectionteamps
D:\DVD Temp\McLaren F1 GT\Adobe© Illustrator© CS3
D:\DVD Temp\McLaren F1 GT\Adobe© Photoshop© CS3 Extended

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

runmgr.exe - Trojan.Win32.Qhost.kfv

Comments