
All I Want For Xmas Is This Virus Gone...


26 replies to this topic

#1 jenandmen

jenandmen

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:07 PM

Posted 23 December 2007 - 02:06 PM

I've done all the steps required before posting. Updated IE and Windows, run McAfee, Ad-Aware, Spybot, SUPERAntiSpyware, and the HijackThis log is below. We are still getting pop-up windows, although they are now blank. Also error messages and an icon in the tray that indicates to me that a worm is sending (or attempting to send) emails. The computer is working really hard, and the fan runs nearly all the time.

Can you help?
Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:15 AM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\DISC\DISCover .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Zune\ZuneLauncher .exe
C:\Program Files\SecCenter\scprot4 .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\mljgh.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [vizyzyby] rundll32.exe "C:\Program Files\vizyzyby\fqruxers.dll",Init
O4 - HKLM\..\Run: [zepofslu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zepofslu.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [cjgnstor] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\cjgnstor.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [D1R39kqfG4] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\My HP Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11188 bytes


#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:06:07 PM

Posted 09 January 2008 - 03:59 AM

Hi and welcome,

Sorry for the delay. We are buried in logs.

If you still need help please post a fresh hijackthis log here.
Also let me know if things are still the same.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#3 jenandmen

jenandmen
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:07 PM

Posted 09 January 2008 - 09:52 PM

Thanks Blender!
Things HAVE changed since before Xmas. I ended up needing to do a system recovery (I couldn't even GET to Safe Mode). Since the recovery, I have updated Windows XP and IE along with a few other little things. When I ran SUPERAntiSpyware, I got notice that some Vundo variant files were found. It seems unable to delete them, since they show up again. I was unable to reinstall McAfee, and thought it may be because of conflicts with some of the anti-spyware software, so I tried to remove it all and try again. Many of the programs that were running were not showing up in the typical Add/Remove Programs tool within the Control Panel. I found a help file that said I should download the Windows Installer Clean Up program, but it doesn't seem to have cleaned up the last bits either. Regardless, even after removing Ad-Aware, SUPERAntiSpyware and Spybot, McAfee still won't complete the installation. Thank you for your help!!!! Here is my latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:54 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\ehome\ehtray .exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler .exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: McAfee Application Installer Cleanup (0025571199929699) (0025571199929699mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\002557~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6646 bytes

#4 jenandmen

jenandmen
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:07 PM

Posted 09 January 2008 - 09:56 PM

I forgot to say that the virus-initiated email problem seems to have been solved by the recovery process. I've not been notified of any emails that "couldn't be sent" or seen any logs of emails looking like spam. However, since I am not sure which one of the anti-spyware programs generated those alerts, and some of them seem to now be disabled or removed, it is possible the email problem continues.
Looking forward to your reply! Hopefully it is not a huge problem.
Jenni

#5 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:06:07 PM

Posted 10 January 2008 - 04:22 AM

Hi,

It is fairly likely your email issue continues.
The infection I do see includes a variant of Virtumonde that replaces a bunch of your startups with infected versions.
There is usually other malware involved, including email worms and more baddies.
That is also most likely what is preventing you from re-installing your McAfee.

We shall see.

Please visit this webpage for instructions for downloading ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Once you have downloaded/run the program according to the instructions, please post back here the resulting log.

Let me know how system is running at this point.
We will have more work to do!

Thanks :thumbsup:
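The startup replacement Blender describes is visible in the logs above: look-alike binaries with a space before the extension (HPBootOp .exe, HPWuSchd2 .exe), a win.ini load= entry, regsvr32 /u entries in the Run key, and a rundll32 entry under Policies\Explorer\Run. As an added example, not part of this thread or of the HijackThis/ComboFix tools, the following Python triage script applies those structural checks to HijackThis lines; the rules and their names are my own assumptions, and the sample lines are copied from the logs posted in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, mixing clean entries with the suspicious ones Blender points at.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\iPod\bin\iPodService.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\mljgh.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vizyzyby] rundll32.exe "C:\Program Files\vizyzyby\fqruxers.dll",Init
O4 - HKLM\..\Run: [zepofslu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zepofslu.dll"
O4 - HKLM\..\Policies\Explorer\Run: [D1R39kqfG4] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
"""

# Rule 1: whitespace immediately before the extension ("HPBootOp .exe").
# A legitimate installer never ships a binary named this way; it is the
# impostor-beside-the-original trick seen in the ComboFix "---> X.exe" lines.
SPACED_EXT = re.compile(r"\S\s+\.(exe|dll|com|scr)\b", re.IGNORECASE)

# Rule 2/3: rundll32 or regsvr32 at startup; capture an optional /u and the
# DLL it loads so the DLL's location can be checked.
DLL_LOAD = re.compile(
    r'(rundll32(?:\.exe)?|regsvr32(?:\.exe)?)\s+(/u\s+)?"?([^",]+\.dll)',
    re.IGNORECASE,
)

# A DLL living directly in %SystemRoot%\system32 is treated as normal here;
# bare names (no path) are left alone because they resolve via the search path.
SYSTEM32_DIR = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule_name, log_line) pairs for every line that trips a rule."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        if SPACED_EXT.search(line):
            findings.append(("SPACED_EXTENSION", line))
        # win.ini load= is a legacy autostart almost never used by modern software.
        if line.startswith("F3 -") and "win.ini: load=" in line:
            findings.append(("WININI_LOAD", line))
        # Policies\Explorer\Run is rarely populated by legitimate installers.
        if re.search(r"\\Policies\\Explorer\\Run:", line, re.IGNORECASE):
            findings.append(("POLICIES_RUN", line))
        m = DLL_LOAD.search(line)
        if m:
            if m.group(2):
                # regsvr32 /u at every boot is unregistering, not registering:
                # a persistence trick, not something a real product needs.
                findings.append(("REGSVR32_UNREGISTER_AT_STARTUP", line))
            dll = m.group(3)
            if "\\" in dll and not SYSTEM32_DIR.search(dll):
                findings.append(("DLL_LOADED_FROM_NONSYSTEM_DIR", line))
    return findings


def flagged_lines(log_text: str) -> List[str]:
    """Distinct log lines that tripped at least one rule, in log order."""
    seen: List[str] = []
    for _, line in triage(log_text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```

Lines such as ftutil2.dll (no path) and PCLECoInst.dll (in system32) pass untouched, so the output is the short list a helper would actually read, not the whole log.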

#6 jenandmen

jenandmen
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:07 PM

Posted 11 January 2008 - 12:23 AM

Here is the ComboFix report and a new HijackThis log:
I ran ComboFix twice, as the first time I left the computer to finish and when I came back a weird window asking about my HP updates wouldn't close. I rebooted, and ComboFix started up again and instead of finishing, responded that the search string was too long.
I re-ran ComboFix under supervision... once it finished I got the same message. So I searched for the log and here it is. SUPERAntiSpyware is continuing to run even though I THOUGHT I removed it.

ComboFix 08-01-10.2 - HP_Administrator 2008-01-10 22:03:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Windows\Creator\Remind_XP.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.exe
.
---- Previous Run -------
.
C:\Program Files\Advanced Registry Optimizer\aro .exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\DISC\DISCover .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Temporary
C:\Program Files\Zune\ZuneLauncher .exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\b.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\Windows\Creator\Remind_XP.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\IA
C:\WINDOWS\PerfInfo
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.exe
C:\WINDOWS\system32\nehshdyc.dll
C:\WINDOWS\system32\vhtobnaw.dll
C:\WINDOWS\system32\wanbothv.ini
C:\WINDOWS\system32\xgtaitqq.exe
D:\Autorun.inf

C:\Program Files\AIM6\aim6 .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\DISC\DISCover .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				  .exe ---> HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe ---> HPWuSchd2.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler .exe ---> DMAScheduler.exe
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip .exe ---> QooBox
C:\Program Files\Zune\ZuneLauncher .exe ---> QooBox
C:\WINDOWS\CREATOR\Remind_XP .exe ---> Remind_XP.exe
C:\WINDOWS\ehome\ehtray .exe ---> QooBox
C:\WINDOWS\SMINST\RECGUARD .EXE ---> RECGUARD.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService




((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-10 21:43 . 2008-01-10 21:43 34 --a------ C:\WINDOWS\system32\0d4f30c2
2008-01-10 21:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 21:14 . 2008-01-10 21:14 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Sonic
2008-01-10 21:13 . 2008-01-10 21:13 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2008-01-09 20:51 . 2006-10-09 19:50 <DIR> d-------- C:\Documents and Settings\Danny.HALLWAY\WINDOWS
2008-01-09 20:51 . 2007-06-14 15:40 <DIR> d-------- C:\Documents and Settings\Danny.HALLWAY\Application Data\MySpace
2008-01-09 20:51 . 2006-10-09 19:52 <DIR> d-------- C:\Documents and Settings\Danny.HALLWAY\Application Data\Intuit
2008-01-09 20:51 . 2007-06-14 15:40 <DIR> d-------- C:\Documents and Settings\Danny.HALLWAY\Application Data\HP
2008-01-09 18:12 . 2008-01-10 21:41 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-01-09 18:12 . 2008-01-09 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 18:05 . 2008-01-09 18:05 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-09 18:05 . 2008-01-09 18:05 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-09 17:16 . 2008-01-09 17:16 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee
2008-01-09 15:44 . 2008-01-09 15:44 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-01-08 22:42 . 2007-02-28 02:10 2,180,352 --a------ C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-08 22:42 . 2007-02-28 02:08 2,136,064 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-08 22:42 . 2007-02-28 01:38 2,057,600 --a------ C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-08 22:42 . 2007-02-28 01:38 2,015,744 --a------ C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-08 22:19 . 2006-05-15 23:25 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-01-08 22:19 . 2006-06-03 21:29 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll
2008-01-08 22:12 . 2003-05-23 02:00 158,976 -ra------ C:\WINDOWS\system32\drivers\NETR33X.sys
2008-01-08 22:06 . 2008-01-08 22:06 1,867 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_RR542AA-ABA a1616n_YC_0Pavi_QMXX642_E64NAemMPA4_48_IAsterope3_SECS_V1.0_B3.19_T060905_WXP2_L409_M960_J250_7Intel_8Pentium D_92.8_#070102_N10EC8139_Z14F12F20_G10025A61_OTSSTcorp CD DVDW TS-H652L_DHWP2647.MRK
2008-01-08 22:04 . 2006-10-09 19:50 <DIR> d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-01-08 22:04 . 2007-06-14 15:40 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MySpace
2008-01-08 22:04 . 2006-10-09 19:52 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2008-01-08 22:04 . 2007-06-14 15:40 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\HP
2008-01-08 22:02 . 2006-10-09 19:50 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-01-08 22:02 . 2006-10-09 20:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-01-08 22:02 . 2007-06-14 15:40 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\MySpace
2008-01-08 22:02 . 2006-10-09 19:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-01-08 22:02 . 2007-06-14 15:40 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\HP
2008-01-08 21:48 . 2004-08-04 00:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-08 21:48 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-08 21:48 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-08 21:11 . 2008-01-10 22:03 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-01-08 09:57 . 2007-01-01 20:46 281 --ah----- C:\boot.ini.SAB
2008-01-08 09:51 . 2008-01-08 09:51 <DIR> d-------- C:\Documents and Settings\Alex\Application Data\SUPERAntiSpyware.com
2007-12-23 11:49 . 2007-12-23 11:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 11:34 . 2007-12-23 11:34 <DIR> d-------- C:\Documents and Settings\HP ADMINISTRATOR\Application Data\SUPERAntiSpyware.com
2007-12-23 10:41 . 2008-01-10 22:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-23 10:41 . 2007-12-23 10:41 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\SUPERAntiSpyware.com
2007-12-23 10:41 . 2007-12-23 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-22 11:29 . 2007-12-22 11:29 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-12-22 11:03 . 2007-12-22 11:15 <DIR> d-------- C:\Program Files\Kuma Games
2007-12-21 16:50 . 2008-01-09 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 13:59 . 2007-12-28 14:53 <DIR> d-------- C:\VundoFix Backups
2007-12-21 11:02 . 2007-12-21 11:03 <DIR> d-------- C:\Program Files\McAfee.com
2007-12-21 11:00 . 2008-01-09 19:09 <DIR> d-------- C:\Program Files\McAfee
2007-12-21 11:00 . 2007-12-21 11:13 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-21 10:51 . 2008-01-09 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-20 21:54 . 2007-12-20 21:54 55,893 --a------ C:\aqlwrv.exe
2007-12-20 21:54 . 2007-12-20 21:54 32,256 --a------ C:\WINDOWS\httpx2.dll
2007-12-20 21:54 . 2007-12-20 21:54 2 --a------ C:\223290083
2007-12-20 21:53 . 2007-12-24 15:06 <DIR> d-------- C:\Program Files\Iquegdrp
2007-12-20 21:46 . 2007-12-20 21:46 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-12-20 21:46 . 2007-12-20 21:46 17,202 --a------ C:\WINDOWS\DIIUnin.dat
2007-12-20 21:46 . 2007-12-20 21:46 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-12-20 21:45 . 2004-07-10 12:37 325,841 --a------ C:\WINDOWS\AW_1600x1200.jpg
2007-12-20 21:23 . 2007-12-22 15:55 <DIR> d-------- C:\Program Files\Diablo II
2007-12-19 15:12 . 2007-12-19 15:12 <DIR> d-------- C:\WINDOWS\ffzo
2007-12-19 15:12 . 2007-12-24 10:44 <DIR> d-------- C:\Program Files\Common Files\ffzo
2007-12-19 14:50 . 2007-12-21 13:04 331,776 --a------ C:\WINDOWS\enexp .exe
2007-12-19 12:46 . 2007-12-19 13:35 <DIR> d-------- C:\temp\J--
2007-12-19 12:45 . 2007-12-19 12:45 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\dvdcss
2007-12-19 12:39 . 2007-12-19 16:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-19 12:39 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2007-12-19 12:39 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2007-12-17 19:48 . 2007-12-17 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19, on 2008-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6064 bytes

#7 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 11 January 2008 - 02:46 AM

Hi,

Thanks for the additional info. We'll need to make another run but need to see the rest of the log first.

Looks like part of the ComboFix log got cut off.

Can you double-check please and post the remainder, starting here:

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

Log should be located here:

C:\combofix.txt.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#8 jenandmen (Topic Starter, Members, 22 posts)

Posted 11 January 2008 - 06:16 PM

There is nothing else in the report. I even ran it again...
As I mentioned, during the last stage, after the machine reboots and the ComboFix screen says "preparing report", there is a message after that:
Findstr: search string too long (this is while the blue DOS window is titled "3m", so I am guessing it is related to the missing log).

This time, after running ComboFix, I am getting pop-up messages that rundll had an error loading: the specified module cannot be found. (I caught a glimpse of which file once when it flashed on the screen, and it was one of the virus files that is causing the problem.) But now I am getting error pop-up after error pop-up... every few seconds.
Thanks

#9 jenandmen (Topic Starter, Members, 22 posts)

Posted 17 January 2008 - 12:03 PM

I know you are busy.
Don't know if I should just sit on my hands or jump up and down yelling, "Pick me! Teacher!!! Over Here!!!!"

I was never very good at keeping my mouth shut...
thank you!!
:thumbsup:
Jenni

#10 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 19 January 2008 - 08:21 AM

Hey,

Sorry for delay. I missed the notification notice that you replied.
If I do this again -- shoot me a PM. I get about 300 emails a day for various lists, forums and stuff I belong to, so it is easy to accidentally skip the important stuff. :blink:
I check in here daily so a PM will get me. (popup)

Anyways... you still getting those rundll errors steady?

Since it has been a few days -- can you grab a new Combofix, run it while offline and post the new log it gives please?

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This is a newer version of combofix which includes some improvements on fixes, updates, etc.
If any errors running it -- please note them best you can in your next reply.
The tutorial is a bit different too; it includes installing the Recovery Console. Please don't skip that part.

Let me know how it goes.

Thanks :thumbsup:

#11 jenandmen (Topic Starter, Members, 22 posts)

Posted 20 January 2008 - 08:57 PM

Thanks for your help Blender.
I downloaded the newer ComboFix and ran it with the firewall off and internet disabled. I also installed the Recovery Console (I think).
When I ran ComboFix it spent hours and hours deleting a bunch of tmp files. Then it stalled. So I restarted the machine and re-ran ComboFix. It seemed to delete the same files again, but didn't take so long and rebooted on its own. However, the same problem happened with the "findstrng too long" and no 3M report showing in the log. I am not getting the error messages that I had last week anymore.
I've tried both to put the log in this post and to attach it... and it is too long for both! Trying now to upload it as a compressed folder.
Thanks


#12 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 20 January 2008 - 09:36 PM

Hi,

Long log. :wacko:
That is because of the hundreds of pos##.tmp files plastered all over the place as a result of the infection.

What do you mean by things not working correctly yet? Can you elaborate more on this?

Can you post a fresh hijackthis log please?

I also installed recovery console (I think)


I think you did -- otherwise it would tell me at the beginning of the log that it was not installed.
You should see now at boot a black screen for about 5 seconds -- 2 boot choices.
1st one being your XP (selected by default)
2nd one being the recovery console.
It stays for 5 seconds and if you don't choose anything -- it simply boots to XP as usual.

We installed the Recovery Console as an added safety net for us -- this malware is getting worse now and if it trashes something critical -- we have something to work with.

I'm going to ask sUBs (ComboFix creator) about those "findstrng too long" errors.
He may pop in. If he does -- follow his instructions. :thumbsup:
Don't run Combofix again yet till instructed please.

Thanks :blink:

#13 jenandmen (Topic Starter, Members, 22 posts)

Posted 22 January 2008 - 11:06 AM

By "not working" I just meant the "fndstrg too long" message, and missing 3m report...
One other question. This is my teenagers' computer. They are still using it to play online games. Are they putting other computers at risk of infection or causing more damage to this one by continuing to play?
Your answer will certainly carry more weight than mine!

Here is the HiJack This Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:59, on 2008-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKUS\S-1-5-21-4177565785-1466574445-3010575524-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Danny')
O4 - S-1-5-21-4177565785-1466574445-3010575524-1008 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Danny')
O4 - S-1-5-21-4177565785-1466574445-3010575524-1008 User Startup: hc_tray.lnk = C:\Program Files\Kuma Games\hcsystray\hc_tray.exe (User 'Danny')
O4 - S-1-5-21-4177565785-1466574445-3010575524-1008 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Danny')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6652 bytes
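
Reading two HijackThis logs from the same machine side by side is what the helper does by eye in this thread (the 10 January log earlier in the thread against the 22 January one above). The Python script below is an added example; it is not part of the original thread and is not code from HijackThis or ComboFix. It parses the section-prefixed entries and the "Running processes:" list, reports what appeared and disappeared between the two logs, and flags the entry types a log reviewer reads first: entries whose target file is gone ("(no file)", "(file missing)"), O4 autostart commands given without a full path (resolved through the search path rather than from a fixed location), O15 trusted-zone additions, O16 ActiveX downloads and O20 Winlogon Notify DLLs. The two sample logs embedded in it are constructed from a handful of lines copied from the logs posted here, not the complete logs, and the flag categories are a reviewer's reading order, not verdicts: a flagged entry is something to look at, not something known to be bad.

```python
import re

# Constructed sample: a handful of lines copied from the two HijackThis logs
# posted in this thread (10 and 22 January 2008). Not the complete logs.
LOG_10JAN = r"""Scan saved at 22:19, on 2008-01-10

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

LOG_22JAN = r"""Scan saved at 08:59, on 2008-01-22

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zune\ZuneLauncher.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKUS\S-1-5-21-4177565785-1466574445-3010575524-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Danny')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# A command that starts with a drive letter (optionally quoted) is fully qualified.
QUALIFIED_RE = re.compile(r'^"?[A-Za-z]:\\')
# Sections a reviewer always looks at, whatever their content (reviewer heuristic).
SECTION_NOTES = {
    "O15": "trusted zone addition",
    "O16": "ActiveX download (DPF)",
    "O20": "Winlogon Notify DLL",
}


def parse_entries(text):
    """Return (section, body) for every entry line; header and process lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def running_processes(text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, capture = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            capture = True
            continue
        if capture:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def o4_command(body):
    """Command part of an O4 body: after '] ' for Run keys, after ' = ' for startup folders."""
    m = re.search(r"\] (.*)$", body) or re.search(r" = (.*)$", body)
    return m.group(1) if m else body


def diff_logs(old, new):
    """What appeared and disappeared between two logs of the same machine."""
    old_e, new_e = set(parse_entries(old)), set(parse_entries(new))
    old_p, new_p = set(running_processes(old)), set(running_processes(new))
    return {
        "entries_added": sorted(new_e - old_e),
        "entries_removed": sorted(old_e - new_e),
        "procs_added": sorted(new_p - old_p),
        "procs_removed": sorted(old_p - new_p),
    }


def flag_entries(text):
    """Entries a reviewer reads first. A flag is a prompt to look, not a verdict."""
    flags = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if "(no file)" in body or "(file missing)" in body:
            flags.append(("dead reference", line))
        elif section == "O4" and not QUALIFIED_RE.match(o4_command(body)):
            flags.append(("unqualified O4 command", line))
        elif section in SECTION_NOTES:
            flags.append((SECTION_NOTES[section], line))
    return flags


if __name__ == "__main__":
    for key, items in diff_logs(LOG_10JAN, LOG_22JAN).items():
        print(f"{key}:")
        for item in items:
            print("   ", item if isinstance(item, str) else f"{item[0]} - {item[1]}")
    print("flags in 22 Jan log:")
    for reason, line in flag_entries(LOG_22JAN):
        print(f"    [{reason}] {line}")
```

Run against the two constructed samples, the diff shows the Zune launcher appearing in both the process list and the O4 Run key, the MSMSGS Run entry moving from HKCU to a specific user's SID hive, and the Messenger O9 button changing to "(file missing)", which is the same sequence of changes a reader can pick out of the two full logs above. The unqualified-path check is deliberately strict: "RTHDCPL.EXE" is a legitimate Realtek entry on this machine, but an autostart that names a bare filename is exactly the kind of line that is worth confirming against the real file location before it is dismissed.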

#14 Blender (Malware Response Team, 2,363 posts, Ontario)

Posted 23 January 2008 - 02:28 AM

Hey there :blink:

Sorry for delay. Work ruled again.

I think sUBs fixed up the "findstr too long" error.
Can you download the new combofix and run it again please? Post the log it generates?

Any one of these links should work:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Preferably while offline and with background protection apps disabled.

Let me know if you get any errors. Describe best you can please.

-----------------------

This is my teenagers' computer. They are still using it to play online games. Are they putting other computers at risk of infection or causing more damage to this one by continuing to play?


Till we get it cleaned up and your protection programs working properly, you are most certainly at risk of more damage, more malware being installed and so on, because your protection is not working correctly at this point.
We can reduce the risks by keeping the machine offline as much as possible till we get the rest of the malware removed and McAfee working again.
Keeping it online with broken protection is kinda like leaving your back door at home open, then taking off on vacation!

I know guys, not much fun huh!
Shouldn't be too much longer for your Mom & I to get this fixed up so you can carry on regular activities -- for now though it would be safer to keep activities to a minimum to reduce the risk of more damage.

--------------

Speaking of protection...
You had McAfee..
Is that provided by your ISP or purchased from the McAfee site itself?
Reason I ask is because we may have to use a tool to remove it all so re-installation will work right.
Parts of McAfee were affected by Vundo and I don't really trust a "repair" job. I'd rather start with a fresh install.

Thanks! :thumbsup:

#15 jenandmen (Topic Starter, Members, 22 posts)

Posted 23 January 2008 - 07:55 PM

I downloaded and ran combofix. At the very end again it said "findstrg too long" but then almost immediately said it was preparing the report. I see the 3m report is in fact included now. I attached it again, since it seemed long with lots of POS files listed.

Regarding McAfee...it is a download via Comcast and I can easily re-download it.

Thanks so much!
