Virus not going away

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEP_SEARCH_SERVICE

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 18:42 . 2008-12-05 18:43 d-------- C:\32788R22FWJFW
2008-12-05 16:29 . 2008-12-05 16:29 d-------- c:\program files\Trend Micro
2008-12-05 16:02 . 2008-12-05 16:02 d-------- C:\_OTScanIt
2008-12-03 11:01 . 2008-12-03 11:01 d-------- c:\windows\system32\config\systemprofile\Application Data\Zango
2008-12-03 11:01 . 2008-12-03 11:01 d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2008-11-23 00:05 . 2008-11-25 14:20 d-------- c:\documents and settings\Owner\Application Data\DivX
2008-11-22 19:45 . 2008-11-22 19:45 d-------- c:\documents and settings\Owner\Downloads
2008-11-22 19:45 . 2008-11-22 19:47 d-------- c:\documents and settings\Owner\Application Data\NewsLeecher
2008-11-22 19:44 . 2008-11-22 19:44 d-------- c:\program files\NewsLeecher
2008-11-22 17:33 . 2008-11-22 17:34 d-------- c:\program files\DivX
2008-11-15 16:11 . 2008-11-15 16:11 d-------- c:\program files\SopCast
2008-11-12 10:00 . 2008-10-24 06:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:59 . 2008-09-04 12:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 09:35 . 2008-11-10 09:35 d-------- c:\program files\TorrentMan
2008-11-10 09:35 . 2008-11-10 09:35 d-------- c:\program files\Conduit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 03:32 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-30 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-30 20:01 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2008-11-30 19:59 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-11-12 17:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 14:35 --------- d-----w c:\program files\BitLord
2008-11-05 00:39 --------- d-----w c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-05 00:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-04 00:19 --------- d-----w c:\program files\CyberLink
2008-11-04 00:18 --------- d-----w c:\program files\The Weather Channel FW
2008-11-04 00:16 --------- d-----w c:\program files\Napster
2008-11-04 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-11-04 00:15 --------- d-----w c:\program files\MySpace
2008-11-04 00:14 --------- d-----w c:\program files\PartyGaming
2008-11-04 00:13 --------- d-----w c:\program files\Vidalia Bundle
2008-11-04 00:13 --------- d-----w c:\documents and settings\Owner\Application Data\tor
2008-11-04 00:12 --------- d-----w c:\program files\Google
2008-11-04 00:10 --------- d-----w c:\program files\Winamp
2008-11-02 03:54 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-28 00:53 --------- d-----w c:\program files\Netflix
2008-10-26 01:35 --------- d-----w c:\program files\Common Files\NSV
2008-10-25 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\espionServerData
2008-10-25 20:10 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-25 20:08 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-25 17:01 --------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2008-10-25 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-10-25 16:56 --------- d-----w c:\program files\Winamp Remote
2008-10-24 16:04 --------- d-----w c:\program files\Microsoft Works
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\SETB3C.tmp
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\SET3F2.tmp
2008-10-03 17:41 6,066,176 ----a-w c:\windows\system32\SET545.tmp
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2007-07-02 21:29 44 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 05:47 160496 --a------ c:\progra~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“PowerBar”=“c:\program files\CyberLink\DVD Solution\PowerBar.exe” [2005-06-28 110592]
“ctfmon.exe”=“c:\windows\system32\ctfmon.exe” [2008-04-13 15360]
“MSMSGS”=“c:\program files\Messenger\msmsgs.exe” [2008-04-13 1695232]
“Messenger (Yahoo!)”=“c:\program files\Yahoo!\Messenger\YahooMessenger.exe” [2008-11-05 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SynTPLpr”=“c:\program files\Synaptics\SynTP\SynTPLpr.exe” [2004-11-05 98394]
“SynTPEnh”=“c:\program files\Synaptics\SynTP\SynTPEnh.exe” [2004-11-05 688218]
“SunKist”=“c:\program files\Digital Media Reader\shwicon2k.exe” [2004-05-26 139264]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2008-11-26 81000]
“QuickTime Task”=“c:\program files\QuickTime\qttask.exe” [2006-03-01 98304]
“TkBellExe”=“c:\program files\Common Files\Real\Update_OB\realsched.exe” [2007-01-11 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“Power2GoExpress”=“NA”

c:\documents and settings\Owner\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 757760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“ForceClassicControlPanel”= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-04-15 00:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 23:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 16:03 125528 c:\program files\Common Files\AOL\1141258253\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 15:16 1121792 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-01 19:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 01:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-02-25 20:24 966656 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-14 11:33 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-11 13:44 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“WMPNetworkSvc”=3 (0x3)
“PrismXL”=2 (0x2)
“ose”=3 (0x3)
“odserv”=3 (0x3)
“gusvc”=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“UpdatesDisableNotify”=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\Program Files\Common Files\AOL\Loader\aolload.exe”=
“c:\Program Files\Common Files\AOL\ACS\AOLDial.exe”=
“c:\Program Files\Common Files\AOL\ACS\AOLacsd.exe”=
“c:\Program Files\America Online 9.0\waol.exe”=
“c:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe”=
“c:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe”=
“c:\Program Files\Common Files\AOL\1141258253\EE\AOLServiceHost.exe”=
“c:\Program Files\Common Files\AOL\System Information\sinf.exe”=
“c:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe”=
“c:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe”=
“c:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe”=
“c:\Program Files\LimeWire\LimeWire.exe”=
“c:\Program Files\Messenger\msmsgs.exe”=
“c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”=
“c:\Program Files\Winamp Remote\bin\Orb.exe”=
“c:\Program Files\Winamp Remote\bin\OrbTray.exe”=
“c:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe”=
“c:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-09 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2006-03-01 200192]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys
.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
BHO-{39070b34-de03-44b9-aa07-96d7a56359c6} - c:\windows\system32\kawolumi.dll
BHO-{b408eaf6-3091-4a5c-9b66-5732570e74b7} - c:\windows\system32\kawolumi.dll
Toolbar-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
WebBrowser-{7C5C0F58-E061-457D-9033-77307F5ED00C} - (no file)
HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
HKLM-Run-salumibudi - c:\windows\system32\boserote.dll
MSConfigStartUp-Cleanup - c:\docume~1\Owner\LOCALS~1\Temp\2007517193253_mcappins.exe
MSConfigStartUp-msci - c:\docume~1\Owner\LOCALS~1\Temp\2007517193245_mcinfo.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {89240DEC-04FA-4E9B-88CE-5E910643F795} = 192.168.1.1,68.238.112.12
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\coko014g.default
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 18:46:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > ‘winlogon.exe’(740)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-05 18:48:11
ComboFix-quarantined-files.txt 2008-12-05 23:47:09

Pre-Run: 66,985,668,608 bytes free
Post-Run: 66,962,358,272 bytes free

417 --- E O F --- 2008-11-12 17:17:08

FreewheelinFrank, finally got it to run (didn’t work the first 2 tries). Here is my log:

ComboFix 08-12-05.02 - Neil 2008-12-05 20:48:54.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.748 [GMT -5:00]
Running from: c:\sysi\ComboFix.exe
Command switches used :: c:\sysi\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Neil\Application Data\MCROSO~1.NET
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\{38C16~1
c:\program files\Common Files\{F8C16~1
c:\program files\Common Files\uninstall information
c:\temp\tn3
c:\windows\system32\bgocoyvv.ini
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\dobe~1
c:\windows\system32\dobe~1?dobe
c:\windows\system32\xbadd.bak1
c:\windows\system32\xbadd.ini

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_MESSAGES
-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 10:13 . 2008-12-05 10:13 d-------- c:\windows\system32\CatRoot_bak
2008-12-05 09:44 . 2008-12-05 09:44 d-------- C:\New Folder
2008-12-03 00:50 . 2008-12-03 00:50 d-------- C:\VundoFix Backups
2008-12-02 01:09 . 2008-12-02 01:09 d-------- c:\program files\Trend Micro
2008-12-01 18:18 . 2008-12-01 18:18 192,007 --a------ c:\windows\system32\g25.exe
2008-12-01 18:18 . 2008-12-01 18:18 47,598 --a------ c:\windows\system32\vfdnlmlafinitgcdy.exe
2008-11-25 11:41 . 2008-11-25 11:41 d-------- c:\program files\PhotoME
2008-11-25 11:41 . 2008-11-25 11:41 d-------- c:\documents and settings\All Users\Application Data\PhotoME
2008-11-17 14:42 . 2008-11-17 14:42 d-------- c:\windows\system32\Dell
2008-11-17 14:42 . 2008-11-17 14:42 d-------- c:\program files\Dell
2008-11-16 23:51 . 2008-11-20 12:10 d-------- c:\program files\processing-0156
2008-11-14 09:50 . 2008-11-14 09:50 d-------- c:\windows\system32\QuickTime
2008-11-14 09:50 . 2008-11-14 09:50 d-------- c:\program files\Common Files\TechSmith Shared
2008-11-14 09:50 . 2008-11-14 09:50 d-------- c:\documents and settings\All Users\Application Data\TechSmith
2008-11-14 09:49 . 2008-11-14 09:50 d-------- c:\program files\Camtasia Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 01:54 --------- d-----w c:\program files\PeerGuardian2
2008-12-06 01:53 --------- d-----w c:\documents and settings\Neil\Application Data\WTablet
2008-12-05 14:18 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-05 14:05 --------- d-----w c:\program files\Firefox
2008-12-04 15:40 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2008-12-03 18:35 --------- d-----w c:\documents and settings\Neil\Application Data\TmpRecentIcons
2008-12-03 17:41 --------- d-----w c:\program files\Malwarebytes’ Anti-Malware
2008-12-03 13:10 --------- d-----w c:\program files\Spybot
2008-12-03 09:18 --------- d-----w c:\program files\NNsquad
2008-12-01 15:47 --------- d-----w c:\program files\Trillian
2008-12-01 14:40 --------- d-----w c:\documents and settings\Neil\Application Data\OpenOffice.org2
2008-12-01 03:14 --------- d-----w c:\program files\Thunderbird
2008-11-24 17:37 --------- d-----w c:\program files\Yecho
2008-11-05 03:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 17:41 --------- d-----w c:\documents and settings\Neil\Application Data\uTorrent
2008-11-03 04:49 --------- d-----w c:\documents and settings\Neil\Application Data\Autodesk
2008-11-03 04:49 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-11-03 04:39 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-11-03 04:36 --------- d-----w c:\program files\Autodesk
2008-11-03 04:32 --------- d-----w c:\program files\Reference Assemblies
2008-11-03 03:37 --------- d-----w c:\program files\NaturalMotion
2008-11-03 03:23 --------- d-----w c:\program files\7-Zip
2008-10-28 02:11 --------- d-----w c:\program files\Steam
2008-10-27 02:32 --------- d-----w c:\program files\XUL Explorer
2008-10-26 04:15 --------- d-----w c:\documents and settings\Neil\Application Data\XULExplorer
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-20 11:22 --------- d-----w c:\program files\Apple Software Update
2008-10-20 03:03 --------- d-----w c:\program files\iTunes
2008-10-20 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-20 03:01 --------- d-----w c:\program files\iPod
2008-10-20 02:57 --------- d-----w c:\program files\Bonjour
2008-10-20 02:55 --------- d-----w c:\program files\QuickTime
2008-10-20 02:54 --------- d-----w c:\program files\Common Files\Apple
2008-10-15 02:18 --------- d-----w c:\program files\Brother
2008-10-15 02:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 02:14 --------- d-----w c:\program files\Nuance
2008-10-15 02:14 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-10-15 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2008-10-15 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-10-15 02:13 --------- d-----w c:\program files\ScanSoft
2008-10-15 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Brother
2008-10-12 16:07 --------- d-----w c:\documents and settings\Neil\Application Data\Notepad++
2008-10-12 15:52 --------- d-----w c:\program files\Notepad++
2008-10-12 14:18 --------- d-----w c:\program files\Common Files\AliasWavefront Shared
2008-10-12 14:15 --------- d--h--w c:\program files\Zero G Registry
2008-10-12 13:41 --------- d-----w c:\program files\backburner 2
2007-01-16 17:47 87,608 ----a-w c:\documents and settings\Neil\Application Data\ezpinst.exe
2007-01-16 17:47 47,360 ----a-w c:\documents and settings\Neil\Application Data\pcouffin.sys
2008-08-28 11:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@=“{30351346-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@=“{30351347-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@=“{30351348-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@=“{3035134B-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@=“{3035134C-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@=“{3035134D-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@=“{3035134E-7B7D-4FCC-81B4-1E394CA267EB}”
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SUPERAntiSpyware”=“c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2006-12-06 1294336]
“ctfmon.exe”=“c:\windows\system32\ctfmon.exe” [2008-04-13 15360]
“PeerGuardian”=“c:\program files\PeerGuardian2\pg2.exe” [2005-09-18 1421824]
“SpybotSD TeaTimer”=“c:\program files\Spybot\TeaTimer.exe” [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Versato”=“c:\program files\MagicKey\MagicKey.exe” [2001-05-03 135168]
“NvCplDaemon”=“c:\windows\System32\NvCpl.dll” [2006-10-22 7700480]
“NNma”=“c:\program files\NNsquad\nnma.exe” [2008-05-26 999479]
“SSBkgdUpdate”=“c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” [2006-10-25 210472]
“PaperPort PTD”=“c:\program files\ScanSoft\PaperPort\pptd40nt.exe” [2007-10-11 29984]
“PPort11reminder”=“c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe” [2007-08-31 328992]
“BrMfcWnd”=“c:\program files\Brother\Brmfcmon\BrMfcWnd.exe” [2008-02-19 1089536]
“ControlCenter3”=“c:\program files\Brother\ControlCenter3\brctrcen.exe” [2007-12-21 86016]
“QuickTime Task”=“c:\program files\QuickTime\QTTask.exe” [2008-09-06 413696]
“iTunesHelper”=“c:\program files\iTunes\iTunesHelper.exe” [2008-10-01 289576]
“AdobeCS4ServiceManager”=“c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe” [2008-08-14 611712]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2008-07-19 78008]
“nwiz”=“nwiz.exe” [2006-10-22 c:\windows\system32\nwiz.exe]
“NvMediaCenter”=“NvMCTray.dll” [2006-10-22 c:\windows\system32\nvmctray.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-09-15 29290496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “c:\program files\SUPERAntiSpyware\SASSEH.DLL” [2006-09-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2006-10-19 09:12 258048 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“SENTINEL”= snti386.dll
“VIDC.VQS4”= vqs4dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“RaySat_3dsmax7Server”=2 (0x2)
“mi-raysat_3dsmax8”=2 (0x2)
“maya70docserver”=2 (0x2)
“AWHelpServer”=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“UpdatesDisableNotify”=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\Program Files\Trillian\trillian.exe”=
“c:\Program Files\FileZilla\FileZilla.exe”=
“c:\Program Files\uTorrent\utorrent.exe”=
“c:\Program Files\Autodesk\3ds Max 9\3dsmax.exe”=
“c:\Program Files\Autodesk\Backburner\monitor.exe”=
“c:\Program Files\Autodesk\Backburner\manager.exe”=
“c:\Program Files\Autodesk\Backburner\server.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“c:\Program Files\VirtualCanada\VirtualCanadaVirtuel.exe”=
“c:\Program Files\Crazybump\CrazyBump.exe”=
“c:\Program Files\WiFiConnector\NintendoWFCReg.exe”=
“c:\WINDOWS\system32\mmc.exe”=
“c:\Program Files\Firefox\firefox.exe”=
“c:\Program Files\NNsquad\nnma.exe”=
“c:\Program Files\Brother\Brmfl08g\FAXRX.exe”=
“c:\Program Files\Bonjour\mDNSResponder.exe”=
“c:\Program Files\iTunes\iTunes.exe”=
“c:\Program Files\Autodesk\3ds Max 2009\3dsmax.exe”=
“c:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe”=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“6551:UDP”= 6551:UDP:SmartCheck
“67:UDP”= 67:UDP:DHCP Discovery Service
“1723:TCP”= 1723:TCP:@xpsp2res.dll,-22015
“1701:UDP”= 1701:UDP:@xpsp2res.dll,-22016
“500:UDP”= 500:UDP:@xpsp2res.dll,-22017
“54925:UDP”= 54925:UDP:BrotherNetwork Scanner
“5353:TCP”= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 78416]
R1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2006-01-08 3026]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2006-09-19 29184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
R2 SSIPDDP;SSIPDDP Parallel port device driver;\??\c:\windows\System32\DRIVERS\SSIPDDP.SYS [2005-09-09 55296]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-11-11 1373480]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-09-15 57344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-15 57408]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;“c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe” [2008-03-10 65536]
S3 DCamVQ110;VQ110 Digital Video Camera;c:\windows\system32\DRIVERS\VQ110.sys [2007-01-08 130224]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-01-30 18864]
S3 ezfa;EZF Advance Cable Driver N;c:\windows\system32\drivers\ezfa.sys [2004-12-25 25596]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [2008-09-15 356434]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;“c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe” /service msvsmon80 [2005-09-23 2799808]
S4 RaySat_3dsmax7Server;RaySat_3dsmax7 Server;c:\3dsmax7\mentalray\satellite\raysat_3dsmax7server.exe [2005-04-08 65536]

Newly Created Service - PGFILTER
.
Contents of the ‘Scheduled Tasks’ folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - c:\windows\System32\mscoree.DLL
TCP: {7FAF96FE-4362-4BF3-891B-1DC3A1147511} = 204.101.251.1,204.101.251.2

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.beta.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FireFox -: Profile - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\default.6w0
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Firefox\plugins\npVizible Player.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\TGEBrowser\np3DPlugin.dll
FF -: plugin - c:\program files\Yecho\np3DYecho.dll
.


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 20:53:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

c:\windows\TEMP_av_proI.tm~a02152\setup.lok 0 bytes

scan completed successfully
hidden files: 1


.
--------------------- DLLs Loaded Under Running Processes ---------------------

• ‘winlogon.exe’(1292)
c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.

------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\sessmgr.exe
c:\program files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\MagicKey\V3D.exe
c:\program files\MagicKey\Osd.exe
c:\program files\iPod\bin\iPodService.exe
.


.
Completion time: 2008-12-05 21:00:11 - machine was rebooted [Neil]
ComboFix-quarantined-files.txt 2008-12-06 02:00:07

Pre-Run: 5,974,093,824 bytes free
Post-Run: 5,832,970,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /fastdetect /NoExecute=OptIn

298 — E O F — 2008-08-28 03:04:52

mr_metoo, you look clean now. The lines I was concerned about were orphan run entries and CLSIDs, although I am not sure why OTScanit did not remove them. I will check that out. Otherwise, subject to no further problems, you are good.

Thank you again for all your help and patience.

OK I will remove my tools now

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Please download JavaRa to your desktop and unzip it to its own folder

[*]Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button; click this
[*]Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Secunia Software inspector To check your programme update status
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe :wave: