
Solved: Zedo.com and other random popups-HJT log attached

Discussion in 'Virus & Other Malware Removal' started by rendezvous, Sep 28, 2008.

  1. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Hi,

    My computer got badly infected by Adware/Spyware recently.
    I saw a similar problem reported by another person in this forum - http://forums.techguy.org/malware-removal-hijackthis-logs/754004-random-pop-up-searches.html
    The issues with my computer are somewhat the same.
    However, some more details of the symptoms are provided below.
    I ran McAfee scan after I got infected and McAfee was able to remove VnR Block.exe and GetPack.exe from Program files. However I noticed that they are present in the HJT log.
    Even after that the following exist-
    1) Random pages getting opened on both my browsers (IE6 and FF 2.0.0.17)
    2) Some of the random pages opening are zedo.com, interplusclick, searchfeed.com etc
    3) Google.com opens a weird page with two search fields and logos, also noticed the URL got modified to google.co.uk
    4) IE 6 crashing every time after a few minutes of its launch with some Visual C++ runtime error.
    5) Random malware removal ads on any site I visit with these browsers soliciting download as my system is infected. (I haven't clicked on them though)
    6) System has slowed down
    Attached herewith is the Hijackthis log.
    Please advise!

    Thanks much!
    R
     


  2. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Hi,

    I haven't got a reply yet, please look into my issue and provide some assistance. The issues are driving me insane.

    Thanks!
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.
     
  4. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Hi,

    Thanks for your reply.

    Did as instructed; the log is given below.

    Also attached is the list of files mbam could not remove in the form of a screenshot.

    Upon reboot got an error message -
    "Error loading C:\WINDOWS\system32\ctolrqei.dll
    The specific module could not be found"

    Is that a required dll file?

    Awaiting next instruction.

    -R

    ****
    Log

    Malwarebytes' Anti-Malware 1.28
    Database version: 1225
    Windows 5.1.2600 Service Pack 2

    9/30/2008 9:48:44 AM
    mbam-log-2008-09-30 (09-48-44).txt

    Scan type: Quick Scan
    Objects scanned: 47903
    Time elapsed: 5 minute(s), 43 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 7
    Registry Keys Infected: 24
    Registry Values Infected: 6
    Registry Data Items Infected: 2
    Folders Infected: 5
    Files Infected: 32

    Memory Processes Infected:
    C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\donuqofa.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\iifdBqPI.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\fwimzm.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\byXNdbCU.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\jmhivitx.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\qatxlj.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Program Files\OINAnalytics\OINAnalytics.dll (Adware.ClickSpring) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a050d08-0995-40a9-9cf0-17a3b8c1dbed} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{3a050d08-0995-40a9-9cf0-17a3b8c1dbed} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxndbcu (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb172147-b11b-4026-b4c9-2ff2135adbc1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{bb172147-b11b-4026-b4c9-2ff2135adbc1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.ClickSpring) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.ClickSpring) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\oincs.oinanalytics (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\oincs.oinanalytics.1 (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{f7fa36a4-3177-4b57-b9c1-e9c5b2e0d3a9} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oinanalytics (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\OINAnalytics.DLL (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c27210f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{453f51e8-fef5-4c54-b136-944bf434360c} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule23 (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getpack21 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnrblock21 (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm1f141293 (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iifdbqpi -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifdbqpi -> Delete on reboot.

    Folders Infected:
    C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\OINAnalytics (Trojan.Agent) -> Delete on reboot.
    C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\iifdBqPI.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\IPqBdfii.ini (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\IPqBdfii.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\byXNdbCU.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\qatxlj.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\donuqofa.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\afoqunod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gxghuukq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qkuuhgxg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fwimzm.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\jmhivitx.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Quarantined and deleted successfully.
    C:\Program Files\OINAnalytics\OINAnalytics.dll (Adware.ClickSpring) -> Delete on reboot.
    C:\WINDOWS\faceback.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gprslpbf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wnmlkbwr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dsurpq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uqsfklgy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wvUKdDSm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xvvqol.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\RB\Local Settings\Temp\gettpa221.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
    C:\Documents and Settings\RB\Local Settings\Temp\gettpa421.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
    C:\Program Files\OINAnalytics\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\iCheck\iCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\GetModule\ozadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ctolrqei.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM1f141293.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM1f141293.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
     

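    As an added example, not code from this thread or from Malwarebytes, the following Python script parses a log in the format posted above (the sample embedded in it is an excerpt of that very log) and pulls out what a helper reviewing it wants first: the items MBAM could only mark "Delete on reboot", the counts per detection family, and the registry load points that referenced a given DLL. Run against the excerpt, it shows that no load point for ctolrqei.dll appeared in MBAM's results, which is consistent with the "Error loading" message at logon: the file was deleted but whatever started it was not. The function names and the helper `load_points_for` are my own naming.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x scan log.

Added example, not code from this thread or from Malwarebytes. It parses the
result lines MBAM prints under each '... Infected:' heading,

    <item> (<detection name>) -> <action taken>

(registry data items carry an extra '-> Data: <value>' segment) and answers
the questions a reviewer asks of such a log: which findings could only be
scheduled for deletion at the next reboot, how the detections group by
family, and which registry load points still referenced a given DLL.
"""
import re
from collections import Counter

# A result line: item, detection name in parentheses, then the action taken.
RESULT_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
# A section heading such as 'Files Infected:'. The summary lines at the top
# carry a count after the colon and therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Constructed excerpt of the MBAM log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1225

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\iifdBqPI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\byXNdbCU.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxndbcu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iifdbqpi -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifdbqpi -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\iifdBqPI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ctolrqei.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per result line: section, item, name, data, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = RESULT_RE.match(line)
        if not m or section is None:
            continue  # banner, counts, blank lines
        rest = m.group("rest")
        data = None
        if rest.startswith("Data: "):
            # Registry data items: 'Data: <value> -> <action>'
            data, rest = rest[len("Data: "):].rsplit(" -> ", 1)
        findings.append({"section": section, "item": m.group("item"),
                         "name": m.group("name"), "data": data,
                         "action": rest.rstrip(".")})
    return findings


def pending_reboot(findings):
    """Findings MBAM could not remove immediately (still loaded or locked)."""
    return [f for f in findings if f["action"] == "Delete on reboot"]


def family_counts(findings):
    """Number of findings per detection name, e.g. Trojan.Vundo.H."""
    return Counter(f["name"] for f in findings)


def _last_component(path):
    return path.lower().rsplit("\\", 1)[-1]


def load_points_for(findings, filename):
    """Registry findings whose key name or data names the given file's stem.

    MBAM logs the referenced module without its extension, so a DLL that was
    scheduled for deletion but whose load point is absent from this list was
    still being started at logon, which is what yields a 'module could not be
    found' error for a file that no longer exists.
    """
    stem = filename.lower().rsplit(".", 1)[0]
    return [f for f in findings if f["section"].startswith("Registry")
            and (_last_component(f["data"] or "") == stem
                 or _last_component(f["item"]) == stem)]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} findings, {len(pending_reboot(found))} pending reboot")
    for name, n in family_counts(found).most_common():
        print(f"  {n:3d}  {name}")
    for dll in ("iifdBqPI.dll", "ctolrqei.dll"):
        print(f"{dll}: {len(load_points_for(found, dll))} registry load point(s) in the log")
```

    The parser deliberately keys on the "-> action" suffix rather than on path shapes, so the same function handles processes, modules, keys, values, data items and files; the "Delete on reboot" list is the one to re-check after the restart, since those are the entries that were still in use during the scan.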

  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    next step

    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  6. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    With reference to your #2 "Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply"
    - Is this permanent or just for the time being?

    And the missing dll- is it required?

    In another update: My McAfee captured a Trojan today "Vundo"
     
  7. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Quick question after reading the tutorial on Installing Windows Recovery Console-
    1) I may have lost the Windows CD, my system came pre-installed with an image of Win XP. Is there any alternative?
    2) I see a folder i386 under C drive on my system. Can that help in installing the Recovery Console?

    thnx!
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Follow the instructions on Bleeping Computer about installing the Recovery Console from the files downloaded from Microsoft.


    The missing DLL is a Vundo file with its startup still enabled, and we need to use ComboFix to get that.

    The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled you insert a music CD. Windows will detect the CD and its contents, then open a message window that might offer to play the CD with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
    Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

    Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

    Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

    Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music CDs accessed via Media Player, blank CDs via your burning program, image handling software provided with the camera, etc. I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually; however, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.
     
  9. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Here's the Combofix log.

    ComboFix 08-10-01.02 - RB 2008-10-01 21:47:50.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.653 [GMT -7:00]
    Running from: C:\Documents and Settings\RB\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\RB\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\system32\qonwygva.ini
    C:\WINDOWS\system32\ufthucfb.ini
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
    .
    2008-09-30 09:38 . 2008-09-30 09:38 <DIR> d-------- C:\Documents and Settings\RB\Application Data\Malwarebytes
    2008-09-30 09:37 . 2008-09-30 09:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-30 09:37 . 2008-09-30 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-30 09:37 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-30 09:37 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-29 18:23 . 2008-09-29 18:23 101,888 --a------ C:\WINDOWS\system32\pevcfjkf.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-28 06:09 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-09-28 04:37 --------- d-----w C:\Program Files\RGB
    2008-09-24 17:23 --------- d-----w C:\Documents and Settings\RB\Application Data\Skype
    2008-09-13 18:46 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-09-12 15:41 --------- d-----w C:\Program Files\McAfee
    2008-08-26 08:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-08-26 08:14 --------- d-----w C:\Program Files\Real
    2008-08-26 08:14 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-08-26 08:14 --------- d-----w C:\Program Files\Common Files\Real
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-20 01:45 61,224 ----a-w C:\Documents and Settings\RB\GoToAssistDownloadHelper.exe
    2006-04-01 17:34 0 ---ha-w C:\Documents and Settings\All Users\Application Data\gwseh.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 57,344 2005-06-07 07:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
    ----a-w 185,896 2007-02-21 03:49:59 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 185,896 2008-08-26 08:14:14 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    ----a-w 106,496 2005-08-31 17:06:18 C:\Program Files\Corel\Corel Photo Album 6\bak\MediaDetect.exe
    ----a-w 460,784 2007-03-15 18:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe
    ----a-w 3,739,648 2007-01-01 21:22:02 C:\Program Files\Google\Google Talk\bak\googletalk.exe
    ----a-w 3,739,648 2007-01-01 21:22:02 C:\Program Files\Google\Google Talk\googletalk.exe
    ----a-w 68,856 2007-07-14 04:36:22 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
    ----a-w 83,608 2007-03-14 10:43:44 C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe
    ----a-w 98,304 2006-04-01 17:30:14 C:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 761,947 2006-03-08 19:48:02 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
    ----a-w 761,947 2006-03-08 19:48:02 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    ----a-w 4,670,968 2007-01-19 20:49:28 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE
    ----a-w 1,392,640 2007-03-17 01:10:54 C:\WINDOWS\system32\bak\WLTRAY.exe
    ----a-w 1,392,640 2007-03-17 02:10:54 C:\WINDOWS\system32\WLTRAY.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [N/A]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" [N/A]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 1392640]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-26 185896]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
    Kodak EasyShare software.lnk - C:\Installablessssssssssssssssss\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=qatxlj.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk.disabled
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnk.disabledCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Installablessssssssssssssssss\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "C:\\Program Files\\America Online 9.0\\waol.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);C:\WINDOWS\system32\Drivers\NEOFLTR_600_13073.SYS [2008-04-30 64160]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3862c156-2d32-11dd-80c9-00038a000015}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\RB\Application Data\Mozilla\Firefox\Profiles\sly86jlg.default\
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-01 21:49:25
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-10-01 21:50:59
    ComboFix-quarantined-files.txt 2008-10-02 04:50:54
    Pre-Run: 4,095,741,952 bytes free
    Post-Run: 4,099,227,648 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    153 --- E O F --- 2008-08-24 17:54:05
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.






    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected]

    at the end it will pop up an alert & open your browser and ask you to send the zip file

    please follow those instructions. We need to see the zip file before we can carry on with the fix

    If there is no pop up alert or open browser then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:
    the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]
     


  11. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Here's the outcome of the Combofix scan-

    I didn't find anything of the sort "C:\QooBox\ named something like [38][email protected]" as you mentioned in your instructions.
    However I have zipped the entire QooBox and uploaded it on spykiller.
    http://thespykiller.co.uk/index.php/topic,7105.0.html - link to my post.

    Post-scan, when I re-enabled McAfee, it detected a Potentially Unwanted Program with details as below-

    "About this Potentially Unwanted Program
    Name: Tool-NirCmd
    Location: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP256\A0027859.com"


    Should I remove this program or trust it?

    New Combofix log-

    ComboFix 08-10-01.02 - RB 2008-10-05 11:49:08.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.654 [GMT -7:00]
    Running from: C:\Documents and Settings\RB\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\RB\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\pevcfjkf.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
    .

    2008-09-30 09:38 . 2008-09-30 09:38 <DIR> d-------- C:\Documents and Settings\RB\Application Data\Malwarebytes
    2008-09-30 09:37 . 2008-09-30 09:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-30 09:37 . 2008-09-30 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-30 09:37 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-30 09:37 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-04 01:43 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-09-28 06:09 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-09-28 04:37 --------- d-----w C:\Program Files\RGB
    2008-09-24 17:23 --------- d-----w C:\Documents and Settings\RB\Application Data\Skype
    2008-09-12 15:41 --------- d-----w C:\Program Files\McAfee
    2008-08-26 08:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-08-26 08:14 --------- d-----w C:\Program Files\Real
    2008-08-26 08:14 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-08-26 08:14 --------- d-----w C:\Program Files\Common Files\Real
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-20 01:45 61,224 ----a-w C:\Documents and Settings\RB\GoToAssistDownloadHelper.exe
    2006-04-01 17:34 0 ---ha-w C:\Documents and Settings\All Users\Application Data\gwseh.dat
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 57,344 2005-06-07 07:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

    ----a-w 185,896 2007-02-21 03:49:59 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 185,896 2008-08-26 08:14:14 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    ----a-w 106,496 2005-08-31 17:06:18 C:\Program Files\Corel\Corel Photo Album 6\bak\MediaDetect.exe

    ----a-w 460,784 2007-03-15 18:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

    ----a-w 3,739,648 2007-01-01 21:22:02 C:\Program Files\Google\Google Talk\bak\googletalk.exe
    ----a-w 3,739,648 2007-01-01 21:22:02 C:\Program Files\Google\Google Talk\googletalk.exe

    ----a-w 68,856 2007-07-14 04:36:22 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    ----a-w 83,608 2007-03-14 10:43:44 C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe

    ----a-w 98,304 2006-04-01 17:30:14 C:\Program Files\QuickTime\bak\qttask.exe

    ----a-w 761,947 2006-03-08 19:48:02 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
    ----a-w 761,947 2006-03-08 19:48:02 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    ----a-w 4,670,968 2007-01-19 20:49:28 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

    ----a-w 1,392,640 2007-03-17 01:10:54 C:\WINDOWS\system32\bak\WLTRAY.exe
    ----a-w 1,392,640 2007-03-17 02:10:54 C:\WINDOWS\system32\WLTRAY.EXE

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [N/A]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" [N/A]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 1392640]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-26 185896]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
    Kodak EasyShare software.lnk - C:\Installablessssssssssssssssss\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 176128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk.disabled
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Installablessssssssssssssssss\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "C:\\Program Files\\America Online 9.0\\waol.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);C:\WINDOWS\system32\Drivers\NEOFLTR_600_13073.SYS [2008-04-30 64160]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3862c156-2d32-11dd-80c9-00038a000015}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-05 11:50:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-05 11:52:11
    ComboFix-quarantined-files.txt 2008-10-05 18:52:04

    Pre-Run: 4,060,631,040 bytes free
    Post-Run: 4,036,730,880 bytes free

    136 --- E O F --- 2008-10-03 16:06:55

    New Hijackthis log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:58:49 PM, on 10/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Installablessssssssssssssssss\Kodak EasyShare software\bin\EasyShare.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Documents and Settings\RB\Desktop\HiJackThis_v2\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Installablessssssssssssssssss\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.gmail.com
    O15 - Trusted Zone: http://us.mcafee.com
    O15 - Trusted Zone: remote.schwab.com
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.schwab.com/svordp/,DanaInfo=terminal.schwab.com+msrdp.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-6a5adb350c7b6e8e.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remote.schwab.com/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CE19C68-46D8-4457-ACA7-69FCD10AF56B}: NameServer = 4.2.2.2,4.2.2.3
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6856 bytes
     
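Reading a ComboFix "Reg Loading Points" section and a HijackThis log by eye is what this thread turns on. The following is an added example, not part of the original post and not code from ComboFix, HijackThis or Tech Support Guy: a small triage script that runs a handful of review rules over constructed sample lines in the same two formats. The `Temp\qwmxvbtr.exe` Run entry is invented for the example; the other sample lines copy the shape of entries in the logs above. The rules are review prompts, not verdicts: `EnableFirewall=0` is expected when McAfee's firewall has taken over, and a Trusted Zone entry may well be the user's own.

```python
import re
from typing import Dict, List

# Constructed sample lines in the two formats posted above: ComboFix "Reg Loading
# Points" values and HijackThis "O" lines. The Temp\qwmxvbtr.exe entry is made up
# for the example; the other lines copy the shape of entries in the real logs.
SAMPLE_LOG = r'''
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" [N/A]
"AntiVirusDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - E:\LaunchU3.exe -a
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [qwmxvbtr] C:\Documents and Settings\RB\Local Settings\Temp\qwmxvbtr.exe
O15 - Trusted Zone: http://www.gmail.com
O15 - Trusted Zone: remote.schwab.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CE19C68-46D8-4457-ACA7-69FCD10AF56B}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
'''

# (rule id, pattern, what the reviewer should check). These are prompts to look
# closer, not malware verdicts: EnableFirewall=0 is normal when a third-party
# firewall is active, and a Trusted Zone entry may be the user's own choice.
RULES = [
    ("run-target-missing",
     re.compile(r'^"[^"]+"="[^"]+"\s+\[N/A\]$'),
     "autostart entry whose target file no longer exists"),
    ("run-target-in-bak",
     re.compile(r'^"[^"]+"="[^"]*\\bak\\'),
     "autostart entry points into a \\bak\\ copy, i.e. the original was replaced"),
    ("run-target-temp-or-profile",
     re.compile(r'^O4 - .*\\(Temp|Application Data)\\[^\\]+\.(exe|dll)\b', re.I),
     "autostart target lives in Temp or a user profile folder"),
    ("security-center-notify-off",
     re.compile(r'^"AntiVirusDisableNotify"=dword:0*1$'),
     "Security Center antivirus alerts suppressed"),
    ("security-center-monitor-off",
     re.compile(r'^"DisableMonitoring"=dword:0*1$'),
     "Security Center no longer monitors a product"),
    ("windows-firewall-off",
     re.compile(r'^"EnableFirewall"=\s*0\b'),
     "Windows Firewall disabled (fine only if another firewall is active)"),
    ("mountpoint-autorun",
     re.compile(r'^\\Shell\\AutoRun\\command - '),
     "cached AutoRun command for a removable device"),
    ("trusted-zone",
     re.compile(r'^O15 - Trusted Zone: '),
     "site placed in IE's Trusted Zone, where weaker security settings apply"),
    ("dns-override",
     re.compile(r'^O17 - .*NameServer = '),
     "explicit DNS servers; confirm they are ones you configured"),
    ("service-unknown-owner",
     re.compile(r'^O23 - Service: .* - Unknown owner - '),
     "service binary with no publisher recorded"),
]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every non-empty line; one finding per (rule, line)."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule_id, pattern, note in RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "note": note, "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, so a log can be compared before and after a fix."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['note']}\n    {f['line']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a real log by reading the file into `triage()`; entries that match no rule are simply not printed, which is the point: the script narrows a 300-line log to the dozen lines a helper would ask about, and `summarize()` gives a before/after count once the fix has been applied.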
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That looks OK now.
    This will also get rid of the McAfee warning.

    *Follow these steps to uninstall Combofix and tools used in the removal of malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.


    Then turn off System Restore by following the instructions here:
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for information on how to tighten your security settings and how to help prevent future attacks,

    and scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update and make sure you are fully updated. That will help to plug the security holes that let these pests on in the first place.


    I urge you to consider purchasing the protection component in Malwarebytes to prevent further infections of this nature.
    Open Malwarebytes Anti-Malware, select the Protection tab and press Test to see if your system will benefit from it. If it says yes, then you can press the Purchase button.
     
  13. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Hi Derek,

    I figured out where the files are which you had asked me to upload earlier, but I couldn't then, as I didn't find them. Do you want to have a look at those?

    Please let me know how to enable the autoplay feature and how to delete the Windows Recovery Console from my hard disk.
    I will update you about the other things you asked me to do in the evening.

    Thanks so much!
    R
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Don't worry about the files. They were in the QooBox zip.

    I don't advise removing the Recovery Console, as it enables lots of repairs to be done if needed and only adds about 2 seconds to boot time.

    I strongly suggest leaving autorun disabled for safety.

    The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled you insert a music CD. Windows will detect the CD and its contents, then open a message window that might offer to play the CD with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
    Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

    Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

    Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

    Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music CDs accessed via Media Player, blank CDs via your burning program, image handling software provided with the camera, etc. I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually; however, if you really must have it enabled:

    Go here and download TweakUI (lower down on the page) and click the downloaded file to install it. Then go to Start - Programs - Powertoys for Windows XP - TweakUI for Windows XP.

    In the left column expand the list (the "+" symbols) for My Computer - Autoplay.

    Click Types, and place a check next to "Enable Autoplay for removable drives". To be sure of success, if you already know the drive letter that the device gets assigned, also click Drives and place a check in that drive letter as well. Click Apply/OK to close the display.

    Although the changes may take immediate effect you may also need to reboot to complete the changes.
     
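The flash-drive case in the post above (Windows executing an infection residing on the drive) works through the drive's autorun.inf, and the per-drive-type switch that TweakUI's Types page toggles is, to the best of the editor's knowledge, the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. The following is an added example and is not code from the post, from ComboFix or from TweakUI: it parses a constructed autorun.inf the way a triage script would, reports which commands the file tells Windows to run, flags the usual disguises, and decodes the NoDriveTypeAutoRun bitmask. The bit values and the XP default of 0x91 are the documented ones; the sample file, its placeholder SID-style folder name and payload.exe, and the disguise heuristics are the editor's own.

```python
import re
from typing import Dict, List

# NoDriveTypeAutoRun: each set bit disables AutoRun for one drive type.
# Documented values; 0x91 is the XP default (removable and optical drives
# still autorun) and 0xFF turns AutoRun off for every type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
XP_DEFAULT = 0x91
DISABLE_ALL = 0xFF


def autorun_allowed_types(policy_value: int) -> List[str]:
    """Drive types whose autorun.inf Windows will still act on under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy_value & bit]


# Constructed autorun.inf of the kind dropped on USB sticks: a junk line ahead
# of the section, a borrowed folder icon, Explorer-like menu text and a payload
# under RECYCLER. The SID-style folder name and payload.exe are placeholders.
SAMPLE_AUTORUN_INF = r""";junk line that a sloppy parser might stop on
[AutoRun]
OPEN=RECYCLER\S-1-5-21-0-0-0-1000\payload.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\Command=RECYCLER\S-1-5-21-0-0-0-1000\payload.exe
shell\explore\command=RECYCLER\S-1-5-21-0-0-0-1000\payload.exe
action=Open folder to view files
UseAutoPlay=1
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Collect key=value pairs from the first [autorun] section, ignoring junk.

    Keys are lower-cased because Windows treats them case-insensitively.
    Comment lines, lines outside the section and lines without '=' are
    skipped; the first occurrence of a key is kept.
    """
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if in_section:          # a second section ends the one we want
                break
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys.setdefault(k.strip().lower(), v.strip())
    return keys


def commands_from(keys: Dict[str, str]) -> Dict[str, str]:
    """Every key that names something to execute: open, shellexecute, shell\\verb\\command."""
    cmds = {k: keys[k] for k in ("open", "shellexecute") if k in keys}
    for k, v in keys.items():
        if k.startswith("shell\\") and k.endswith("\\command"):
            cmds[k] = v
    return cmds


# Editor's heuristics for the disguises seen on infected sticks of this era.
SYSTEM_FOLDER = re.compile(r"(^|\\)(recycler|recycled|system volume information)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(jpg|gif|txt|doc|pdf)\.(exe|com|scr|pif|bat)$", re.I)


def assess(keys: Dict[str, str]) -> List[str]:
    """Human-readable findings for one parsed autorun.inf."""
    findings: List[str] = []
    for where, cmd in commands_from(keys).items():
        findings.append(f"{where}: Windows is told to run '{cmd}'")
        target = (cmd.split() or [""])[0]
        if SYSTEM_FOLDER.search(target):
            findings.append(f"{where}: payload sits in a folder that looks like system housekeeping")
        if DOUBLE_EXT.search(target):
            findings.append(f"{where}: double extension hides an executable")
    if "open folder" in keys.get("action", "").lower():
        findings.append("action= copies Explorer's own 'Open folder to view files' prompt")
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("icon= borrows a shell32.dll icon so the drive looks like a folder")
    if "shell\\open\\command" in keys:
        findings.append("shell\\open\\command replaces the drive's default double-click action")
    return findings


if __name__ == "__main__":
    for mask in (XP_DEFAULT, DISABLE_ALL):
        print(f"NoDriveTypeAutoRun=0x{mask:02X}: autorun allowed for {autorun_allowed_types(mask)}")
    for line in assess(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(" -", line)
```

The `shell\open\command` case is the one that bites even when AutoPlay prompts are off: double-clicking the drive in My Computer runs the listed program instead of opening the folder, which is why the advice above is to browse to the drive rather than trust the prompt. The mountpoints2 entry in the ComboFix log (`\Shell\AutoRun\command - E:\LaunchU3.exe -a`) is Windows' own record of this kind of parsed autorun.inf content for one USB device.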
  15. rendezvous

    rendezvous Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    55
    Hi Derek,

    Will there be any problem if I leave the Combofix on my machine without uninstalling it?

    I won't be deleting the Recovery Console or enabling autorun of removable drives immediately, but I would like to get the instructions all the same.

    Thanks much!
    R
     
Short URL to this thread: https://techguy.org/754221
