Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Trojan Removal Help


  • This topic is locked This topic is locked
14 replies to this topic

#1 andkar

andkar

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 23 February 2008 - 07:46 PM

Hello,

I've been trying to remove the Winfixer/Virtumonde Trojan from my computer for some time (I'm running XP on an HP Pavilion zv6000). I've followed the self help thread exactly (www.bleepingcomputer.com/forums/topic18610.html), but the file C:\windows\system32\ssqppqp.dll can't be removed by Vundo Fix, and the VirtumundoBegone program is ineffectual. When I start my computer, Avast detects a problem with Win32:NTRootKit-B, and Spybot will routinely find and delete instances of Virtumonde as .dll's and USER keys, but they keep recurring. I've scanned with HijackThis and will post the log below.

Thank you in advance for your help; this has been a very frustrating experience that I'm eager to resolve.

-k-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:31 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINDOWS\system32\ssqppqp.dll
O2 - BHO: (no name) - {250197c7-7204-40b8-85d0-4831fa4e0e5a} - (no file)
O2 - BHO: (no name) - {41D484D5-4087-4B9C-94E0-15C5A6D65DFA} - C:\WINDOWS\system32\vturo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {589859dc-e2b2-4571-b8f4-f1c356365dd8} - (no file)
O2 - BHO: (no name) - {59683AD6-2182-4EBD-AEA1-5380A9107014} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {607E079C-A39C-4902-8CDA-34052971D500} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8160700E-7A2D-492A-A63C-E3EC203B4E89} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: (no name) - {874EC264-BCF2-4DCE-BA27-0782AE40C392} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: {a0f630fc-ebab-6a1b-fd14-021babe62689} - {98626eba-b120-41df-b1a6-babecf036f0a} - C:\WINDOWS\system32\ojbcduag.dll (file missing)
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvmuj.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcaw.dll,startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [75a17511] rundll32.exe "C:\WINDOWS\system32\mafwkcaf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172339201656
O21 - SSODL: zip - {761344cc-157b-4981-988f-eaaf16a29325} - C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

--
End of file - 7724 bytes

BC AdBot (Login to Remove)

 


#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 24 February 2008 - 09:25 AM

Hi andkar and welcome to Bleeping Computer.
I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet. as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Starbuck

BBPP6nz.png


#3 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 25 February 2008 - 05:43 PM

Hi andkar
Sorry to have kept you waiting.

Step 1
Please disable Spybot S&Dís TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.

Reboot the computer.

Step 2
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. This may cause it to stall

In your next reply, please submit:
The ComboFix.txt
and a new HJT log.

Thanks.

BBPP6nz.png


#4 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:12:33 PM

Posted 03 March 2008 - 12:37 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 13 March 2008 - 07:37 AM

reopened

#6 andkar

andkar
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 13 March 2008 - 08:33 AM

I followed the instructions given above for disabling SpyBot, but it still came up after I ran ComoFix. Furthermore, the instructions for how to install a windows backup file with ComboFix did not work as described in the instruction file - instead, it opened the combofix DOS window and appeared to run the program. Anyhow, I have the logs from both ComboFix and HijackThis, posted below.

::::::::COMBOFIX:::::::::::

ComboFix 08-03-10.1 - Lori Schmeck 2008-03-12 23:39:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT -4:00]
Running from: C:\Documents and Settings\Lori Schmeck\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\fiqyokhv.ini
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\ntload.sys
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\ssqppqp.dll
C:\WINDOWS\system32\winsrc.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wscmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NTLOAD
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-02-23 16:49 . 2008-02-23 17:34 354 --ahs---- C:\WINDOWS\system32\jcsfxvue.ini
2008-02-19 20:28 . 2008-02-19 20:33 354 --ahs---- C:\WINDOWS\system32\xdhglxtw.ini
2008-02-19 19:42 . 2008-02-23 19:11 <DIR> d-------- C:\VundoFix Backups
2008-02-16 21:56 . 2008-02-16 21:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 21:56 . 2008-02-16 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 16:50 . 2008-02-16 16:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-16 16:50 . 2007-12-04 09:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-16 16:50 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-16 16:50 . 2007-12-04 08:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-16 16:50 . 2007-12-04 10:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-16 16:50 . 2007-12-04 10:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-16 16:50 . 2007-12-04 10:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-16 16:50 . 2007-12-04 10:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-16 16:50 . 2007-12-04 10:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-15 15:19 . 2008-02-15 15:19 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-02-15 14:27 . 2008-02-15 15:15 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-02-15 14:26 . 2008-02-15 15:18 3,262 --a------ C:\WINDOWS\system32\sex1.ico
2008-02-14 12:41 . 2008-02-14 12:41 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-13 15:02 . 2008-02-13 15:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 15:02 . 2008-02-13 15:02 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 00:06 --------- d-----w C:\Program Files\Trend Micro
2008-02-20 00:29 --------- d-----w C:\Program Files\Java
2008-02-17 01:33 --------- d-----w C:\Program Files\BitComet
2008-02-15 19:12 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Lavasoft
2008-02-15 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 17:16 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Intuit
2008-02-14 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 16:40 --------- d-----w C:\Program Files\Quicken
2008-02-14 16:19 --------- d-----w C:\Program Files\TurboTax
2008-02-13 17:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-10 17:29 --------- d-----w C:\Program Files\PDF-XChangeSDKEU
2008-02-10 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-10 17:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-10 17:18 --------- d-----w C:\Program Files\IrfanView
2008-01-22 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Progeny
2008-01-19 21:29 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Individual Software
2008-01-02 00:08 416 -c--a-w C:\Documents and Settings\Lori Schmeck\Application Data\wklnhst.dat
2007-04-02 22:09 9,216 -csha-w C:\Program Files\Thumbs.db
2006-07-31 23:59 162,399 ----a-w C:\Program Files\photo1.jpg
2006-07-31 23:58 1,192,318 ----a-w C:\Program Files\photos.jpg
2006-07-27 22:29 905,728 ----a-w C:\Program Files\iview398.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{182C7ED7-E56D-4509-9D9B-AC49318D9895}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{250197c7-7204-40b8-85d0-4831fa4e0e5a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41D484D5-4087-4B9C-94E0-15C5A6D65DFA}]
C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{589859dc-e2b2-4571-b8f4-f1c356365dd8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59683AD6-2182-4EBD-AEA1-5380A9107014}]
C:\WINDOWS\system32\mllji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{607E079C-A39C-4902-8CDA-34052971D500}]
C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8160700E-7A2D-492A-A63C-E3EC203B4E89}]
C:\WINDOWS\system32\jkhhh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{874EC264-BCF2-4DCE-BA27-0782AE40C392}]
C:\WINDOWS\system32\mllmm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98626eba-b120-41df-b1a6-babecf036f0a}]
C:\WINDOWS\system32\ojbcduag.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 00:05 339968]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 10:46 172032]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-12 00:07 98304]
"MSDrive"="C:\WINDOWS\system32\drvmuj.dll" [ ]
"MSDisp32"="C:\WINDOWS\system32\drvcaw.dll" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"75a17511"="C:\WINDOWS\system32\mafwkcaf.dll" [ ]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {761344cc-157b-4981-988f-eaaf16a29325} - C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll [2008-02-15 14:22 38438]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet 3100 Status.lnk]
backup=C:\WINDOWS\pss\HP LaserJet 3100 Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lori Schmeck^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 16:24 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 19:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 19:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-10-13 19:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 16:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-12 00:07 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPodService"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10542:TCP"= 10542:TCP:*:Disabled:BitComet 10542 TCP
"10542:UDP"= 10542:UDP:*:Disabled:BitComet 10542 UDP

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 10:39]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2005-08-12 21:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 23:46:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?1?4?4??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
.
**************************************************************************
.
Completion time: 2008-03-12 23:48:39 - machine was rebooted [Lori Schmeck]
ComboFix-quarantined-files.txt 2008-03-13 03:48:34
.
2008-02-16 22:15:51 --- E O F ---


::::::::::::::HijackThis::::::::::::::::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:43 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41D484D5-4087-4B9C-94E0-15C5A6D65DFA} - C:\WINDOWS\system32\vturo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59683AD6-2182-4EBD-AEA1-5380A9107014} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {607E079C-A39C-4902-8CDA-34052971D500} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8160700E-7A2D-492A-A63C-E3EC203B4E89} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: (no name) - {874EC264-BCF2-4DCE-BA27-0782AE40C392} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: {a0f630fc-ebab-6a1b-fd14-021babe62689} - {98626eba-b120-41df-b1a6-babecf036f0a} - C:\WINDOWS\system32\ojbcduag.dll (file missing)
O3 - Toolbar: (no name) - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvmuj.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcaw.dll,startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [75a17511] rundll32.exe "C:\WINDOWS\system32\mafwkcaf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172339201656
O21 - SSODL: zip - {761344cc-157b-4981-988f-eaaf16a29325} - C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

--
End of file - 7426 bytes

#7 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 13 March 2008 - 01:45 PM

Hi andkar

Nice to see you back.

Please give me some time to look over the reports and I will get back to you as soon as possible.

Starbuck

BBPP6nz.png


#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 14 March 2008 - 01:32 PM

Hi andkar

I followed the instructions given above for disabling SpyBot, but it still came up after I ran ComoFix

Please follow the instructions for disabling 'Teatimer' again.... Then reboot your computer.

Furthermore, the instructions for how to install a windows backup file with ComboFix did not work as described in the instruction file - instead, it opened the combofix DOS window and appeared to run the program

It's ok, ComboFix will have taken care of the registry backup and will have saved it. ComboFix also created a new 'restore point', this is showing in the report.

There is one thing i have to point out though...

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


If you missed the instructions for installing the 'Recovery Console' in the ComboFix instructions... can you please read them again and install the 'Recovery Console' as mentioned.
This is a safe guard we hope we never need.... but it's best to be safe than sorry.

Step 1
Run Hijackthis again, click scan, and Put a checkmark next to each of these items.
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: (no name) - {41D484D5-4087-4B9C-94E0-15C5A6D65DFA} - C:\WINDOWS\system32\vturo.dll (file missing)
O2 - BHO: (no name) - {59683AD6-2182-4EBD-AEA1-5380A9107014} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {607E079C-A39C-4902-8CDA-34052971D500} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {8160700E-7A2D-492A-A63C-E3EC203B4E89} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: (no name) - {874EC264-BCF2-4DCE-BA27-0782AE40C392} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: {a0f630fc-ebab-6a1b-fd14-021babe62689} - {98626eba-b120-41df-b1a6-babecf036f0a} - C:\WINDOWS\system32\ojbcduag.dll (file missing)
O3 - Toolbar: (no name) - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - (no file)
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvmuj.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvcaw.dll,startup
O4 - HKLM\..\Run: [75a17511] rundll32.exe "C:\WINDOWS\system32\mafwkcaf.dll",b
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O21 - SSODL: zip - {761344cc-157b-4981-988f-eaaf16a29325} - C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll

Then close all other windows, browers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Step 2
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\WINDOWS\system32\jcsfxvue.ini
C:\WINDOWS\system32\xdhglxtw.ini
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\drvmuj.dll
C:\WINDOWS\system32\drvcaw.dll
C:\WINDOWS\system32\mafwkcaf.dll
C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll

Folder::
C:\VundoFix Backups

DirLook::
C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

When finished, it will produce a log for you. Post that log in your next reply.

Step 3
Please reboot your computer and produce a new Hjt log.

In your next reply, please submit:
New ComboFix.txt
and a new Hjt log.

Thanks.

BBPP6nz.png


#9 andkar

andkar
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 15 March 2008 - 08:46 PM

I followed your instructions and loaded the Windows Recovery Console and produced the logs you asked for;

:::::::::::::::::::::::::ComboFix:::::::::::::::::::::::::::::::::::
ComboFix 08-03-10.1 - Lori Schmeck 2008-03-15 20:32:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.215 [GMT -4:00]
Running from: C:\Documents and Settings\Lori Schmeck\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori Schmeck\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll
C:\WINDOWS\system32\drvcaw.dll
C:\WINDOWS\system32\drvmuj.dll
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\jcsfxvue.ini
C:\WINDOWS\system32\mafwkcaf.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\xdhglxtw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\bvwgpjam.ini.bad
C:\VundoFix Backups\drvmujr.dll.bad
C:\VundoFix Backups\eaurcicv.dll.bad
C:\VundoFix Backups\fackwfam.ini.bad
C:\VundoFix Backups\hhhkj.ini.bad
C:\VundoFix Backups\hhhkj.ini2.bad
C:\VundoFix Backups\hxshbpnc.dll.bad
C:\VundoFix Backups\jkhhh.dll.bad
C:\VundoFix Backups\lopgvdgv.dll.bad
C:\VundoFix Backups\lyblgsnj.dll.bad
C:\VundoFix Backups\mafwkcaf.dll.bad
C:\VundoFix Backups\majpgwvb.dll.bad
C:\VundoFix Backups\mllji.dll.bad
C:\VundoFix Backups\mllmm.dll.bad
C:\VundoFix Backups\mmllm.ini.bad
C:\VundoFix Backups\mmllm.ini2.bad
C:\VundoFix Backups\ojbcduag.dll.bad
C:\VundoFix Backups\rpdgddru.dll.bad
C:\VundoFix Backups\ssqnoop.dll.bad
C:\VundoFix Backups\ssqppqp.dll.bad
C:\VundoFix Backups\vcicruae.ini.bad
C:\VundoFix Backups\vhkoyqif.dll.bad
C:\VundoFix Backups\vturo.dll.bad
C:\VundoFix Backups\winwea32.dll.bad
C:\VundoFix Backups\wrbbdmtb.dll.bad
C:\VundoFix Backups\wtxlghdx.dll.bad
C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll
C:\WINDOWS\system32\jcsfxvue.ini
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\xdhglxtw.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-02-16 21:56 . 2008-02-16 21:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 21:56 . 2008-02-16 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 16:50 . 2008-02-16 16:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-16 16:50 . 2007-12-04 09:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-16 16:50 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-16 16:50 . 2007-12-04 08:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-16 16:50 . 2007-12-04 10:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-16 16:50 . 2007-12-04 10:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-16 16:50 . 2007-12-04 10:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-16 16:50 . 2007-12-04 10:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-16 16:50 . 2007-12-04 10:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 00:06 --------- d-----w C:\Program Files\Trend Micro
2008-02-20 00:29 --------- d-----w C:\Program Files\Java
2008-02-17 01:33 --------- d-----w C:\Program Files\BitComet
2008-02-15 19:12 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Lavasoft
2008-02-15 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 17:16 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Intuit
2008-02-14 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 16:41 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-14 16:40 --------- d-----w C:\Program Files\Quicken
2008-02-14 16:19 --------- d-----w C:\Program Files\TurboTax
2008-02-13 17:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-10 17:29 --------- d-----w C:\Program Files\PDF-XChangeSDKEU
2008-02-10 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-10 17:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-10 17:18 --------- d-----w C:\Program Files\IrfanView
2008-01-22 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Progeny
2008-01-19 21:29 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Individual Software
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-02 00:08 416 -c--a-w C:\Documents and Settings\Lori Schmeck\Application Data\wklnhst.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-04-02 22:09 9,216 -csha-w C:\Program Files\Thumbs.db
2006-07-31 23:59 162,399 ----a-w C:\Program Files\photo1.jpg
2006-07-31 23:58 1,192,318 ----a-w C:\Program Files\photos.jpg
2006-07-27 22:29 905,728 ----a-w C:\Program Files\iview398.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325} ----

2008-02-15 14:22 38438 -r-hs---- C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll


((((((((((((((((((((((((((((( snapshot@2008-03-12_23.48.24.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-13 03:39:08 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-16 00:25:24 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 03:39:08 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-16 00:25:25 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-16 00:20:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 00:05 339968]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 10:46 172032]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-12 00:07 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {761344cc-157b-4981-988f-eaaf16a29325} - C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet 3100 Status.lnk]
backup=C:\WINDOWS\pss\HP LaserJet 3100 Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lori Schmeck^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 16:24 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 19:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 19:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-10-13 19:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 16:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-12 00:07 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPodService"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10542:TCP"= 10542:TCP:*:Disabled:BitComet 10542 TCP
"10542:UDP"= 10542:UDP:*:Disabled:BitComet 10542 UDP

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 10:39]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2005-08-12 21:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 21:33:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?1?4?4??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-15 21:34:45
ComboFix-quarantined-files.txt 2008-03-16 01:34:29
ComboFix2.txt 2008-03-13 03:48:39
.
2008-02-16 22:15:51 --- E O F ---

:::::::::::::::::::::::::::::Hijack This::::::::::::::::::::::::::::::::::::::::;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:08 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172339201656
O21 - SSODL: zip - {761344cc-157b-4981-988f-eaaf16a29325} - C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

--
End of file - 5985 bytes


Let me know if you need anything else - Thanks!!

#10 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 16 March 2008 - 11:03 AM

Hi andkar

I followed your instructions and loaded the Windows Recovery Console

Well done, thanks. :thumbsup:

Step 1
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Folder::
C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"=-
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 2
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step 3
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
In your next reply, please submit:
New ComboFix.txt
Kaspersky scan report
New Hjt log
and can you let me know how things are running now.

Thanks.

BBPP6nz.png


#11 andkar

andkar
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 16 March 2008 - 05:02 PM

Hi Starbuck,

I've followed all your instructions from the previous post - please find the logs from the scans below. The computer seems to be running fine - I'm a little concerned about the "viruses" and "infected files" that Kaspersky found, but other than that it seems okay. Do I need to operate any particular software in the future to keep this from happening again? Thanks for your help.

::::::::::COMBO FIX::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ComboFix 08-03-10.1 - Lori Schmeck 2008-03-16 14:01:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -4:00]
Running from: C:\Documents and Settings\Lori Schmeck\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori Schmeck\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-02-16 21:56 . 2008-02-16 21:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-16 21:56 . 2008-02-16 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-16 16:50 . 2008-02-16 16:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-16 16:50 . 2007-12-04 09:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-16 16:50 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-16 16:50 . 2007-12-04 08:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-16 16:50 . 2007-12-04 10:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-16 16:50 . 2007-12-04 10:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-16 16:50 . 2007-12-04 10:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-16 16:50 . 2007-12-04 10:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-16 16:50 . 2007-12-04 10:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 00:06 --------- d-----w C:\Program Files\Trend Micro
2008-02-20 00:29 --------- d-----w C:\Program Files\Java
2008-02-17 01:33 --------- d-----w C:\Program Files\BitComet
2008-02-15 19:12 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Lavasoft
2008-02-15 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 17:16 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Intuit
2008-02-14 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 16:41 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-14 16:40 --------- d-----w C:\Program Files\Quicken
2008-02-14 16:19 --------- d-----w C:\Program Files\TurboTax
2008-02-13 17:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-10 17:29 --------- d-----w C:\Program Files\PDF-XChangeSDKEU
2008-02-10 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-10 17:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-10 17:18 --------- d-----w C:\Program Files\IrfanView
2008-01-22 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Progeny
2008-01-19 21:29 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Individual Software
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-02 00:08 416 -c--a-w C:\Documents and Settings\Lori Schmeck\Application Data\wklnhst.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-04-02 22:09 9,216 -csha-w C:\Program Files\Thumbs.db
2006-07-31 23:59 162,399 ----a-w C:\Program Files\photo1.jpg
2006-07-31 23:58 1,192,318 ----a-w C:\Program Files\photos.jpg
2006-07-27 22:29 905,728 ----a-w C:\Program Files\iview398.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_23.48.24.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-13 03:39:08 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-16 17:46:30 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 03:39:08 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-16 17:46:30 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-16 17:42:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 00:05 339968]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 10:46 172032]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-12 00:07 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"RegistryMechanic"="" []

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet 3100 Status.lnk]
backup=C:\WINDOWS\pss\HP LaserJet 3100 Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lori Schmeck^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 16:24 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 19:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 19:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-10-13 19:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 16:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-12 00:07 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPodService"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10542:TCP"= 10542:TCP:*:Disabled:BitComet 10542 TCP
"10542:UDP"= 10542:UDP:*:Disabled:BitComet 10542 UDP

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 10:39]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2005-08-12 21:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 14:04:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?1?4?4??@???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 14:05:18
ComboFix-quarantined-files.txt 2008-03-16 18:05:03
ComboFix2.txt 2008-03-16 01:34:45
ComboFix3.txt 2008-03-13 03:48:39
.
2008-02-16 22:15:51 --- E O F ---



::::::::::::: KASPERSKY :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 5:38:05 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 634014
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 63238
Number of viruses found: 7
Number of infected objects: 53
Number of suspicious objects: 0
Duration of the scan process: 01:19:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip/ddaya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip/euvxfscj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Local Settings\History\History.IE5\MSHist012008031620080317\index.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\ntuser.dat Object is locked skipped
C:\Documents and Settings\Lori Schmeck\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Hp\hpcoretech\hpcmerr.log Object is locked skipped
C:\QooBox\Quarantine\C\VundoFix Backups\eaurcicv.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\hxshbpnc.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\jkhhh.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\lopgvdgv.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\lyblgsnj.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mafwkcaf.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\majpgwvb.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mllji.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mllmm.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ojbcduag.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\rpdgddru.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqnoop.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqppqp.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\vhkoyqif.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\vturo.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\winwea32.dll.bad.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\QooBox\Quarantine\C\VundoFix Backups\wrbbdmtb.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\wtxlghdx.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{761344cc-157b-4981-988f-eaaf16a29325}\zip.dll.vir Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntload.sys.vir Infected: Backdoor.Win32.Delf.azr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqppqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Infected: Trojan-Downloader.Win32.Zlob.hts skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wscmp.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0058726.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0058727.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0058728.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0058729.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0058730.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP434\A0058761.sys Infected: Backdoor.Win32.Delf.azr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP435\A0058769.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059252.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059253.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059284.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059286.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059310.sys Infected: Backdoor.Win32.Delf.azr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059346.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059347.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0059348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0060397.sys Infected: Backdoor.Win32.Delf.azr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP438\A0060454.sys Infected: Backdoor.Win32.Delf.azr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP439\A0060523.exe Infected: Trojan-Downloader.Win32.Zlob.hts skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP439\A0060525.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP439\A0060526.sys Infected: Backdoor.Win32.Delf.azr skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP439\A0060528.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP441\A0060721.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP442\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{164bced2-59d8-4aca-93b6-da124112a0dc}\zip.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0B54C582-6265-455E-92ED-4ECF6D08C87F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_600.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


:::::::::::::::::: HIJACK THIS:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:25 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172339201656
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

--
End of file - 6100 bytes


Thanks again!

#12 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 16 March 2008 - 05:33 PM

Hi andkar

There's only one of those items that we need to deal with.
All the rest are either in quarantine or in your system 'Restore Points'.
We'll clean these once we have dealt with the odd item.

Step 1
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Folder::
C:\WINDOWS\Installer\{164bced2-59d8-4aca-93b6-da124112a0dc}
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

In your next reply, please submit:
New ComboFix.txt
and a new Hjt log

Thanks.

BBPP6nz.png


#13 andkar

andkar
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 17 March 2008 - 07:40 PM

Hi Starbuck,

The computer is running well now - Thank you!!

Here are the most recent ComboFix and HijackThis logs (from after having run the CFScript).


:::::::::::COMBO FIX::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ComboFix 08-03-10.1 - Lori Schmeck 2008-03-17 20:27:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT -4:00]
Running from: C:\Documents and Settings\Lori Schmeck\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori Schmeck\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Installer\{164bced2-59d8-4aca-93b6-da124112a0dc}
C:\WINDOWS\Installer\{164bced2-59d8-4aca-93b6-da124112a0dc}\zip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-16 17:48 . 2008-03-16 17:48 <DIR> d-------- C:\Program Files\Sun
2008-03-16 17:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-16 17:44 . 2008-03-16 17:48 <DIR> d-------- C:\Program Files\Java
2008-03-16 14:09 . 2008-03-16 14:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-16 14:09 . 2008-03-16 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 00:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-24 00:06 --------- d-----w C:\Program Files\Trend Micro
2008-02-17 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 01:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-17 01:33 --------- d-----w C:\Program Files\BitComet
2008-02-16 20:50 --------- d-----w C:\Program Files\Alwil Software
2008-02-15 19:12 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Lavasoft
2008-02-15 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 17:16 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Intuit
2008-02-14 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 16:41 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-14 16:40 --------- d-----w C:\Program Files\Quicken
2008-02-14 16:19 --------- d-----w C:\Program Files\TurboTax
2008-02-10 17:29 --------- d-----w C:\Program Files\PDF-XChangeSDKEU
2008-02-10 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-10 17:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-10 17:18 --------- d-----w C:\Program Files\IrfanView
2008-01-22 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Progeny
2008-01-19 21:29 --------- d-----w C:\Documents and Settings\Lori Schmeck\Application Data\Individual Software
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-02 00:08 416 -c--a-w C:\Documents and Settings\Lori Schmeck\Application Data\wklnhst.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-04-02 22:09 9,216 -csha-w C:\Program Files\Thumbs.db
2006-07-31 23:59 162,399 ----a-w C:\Program Files\photo1.jpg
2006-07-31 23:58 1,192,318 ----a-w C:\Program Files\photos.jpg
2006-07-27 22:29 905,728 ----a-w C:\Program Files\iview398.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_23.48.24.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-12 05:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-03-13 03:39:08 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-18 00:26:08 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 03:39:08 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-18 00:26:08 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-18 00:21:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 00:05 339968]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21 794624]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 10:46 172032]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-12 00:07 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet 3100 Status.lnk]
backup=C:\WINDOWS\pss\HP LaserJet 3100 Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lori Schmeck^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 16:24 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 23:11 49152 C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 19:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 19:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-10-13 19:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 16:54 253952 c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-12 00:07 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPodService"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10542:TCP"= 10542:TCP:*:Disabled:BitComet 10542 TCP
"10542:UDP"= 10542:UDP:*:Disabled:BitComet 10542 UDP

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 10:39]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2005-08-12 21:47]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 20:30:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?1?4?4??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 20:31:04
ComboFix-quarantined-files.txt 2008-03-18 00:30:49
ComboFix2.txt 2008-03-16 18:05:18
ComboFix3.txt 2008-03-16 01:34:45
ComboFix4.txt 2008-03-13 03:48:39
.
2008-03-16 22:12:36 --- E O F ---


::::::::::::::HIJACK THIS:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:49 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172339201656
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

--
End of file - 6190 bytes


Let me know what I need to do to clean up any loose ends - it's been a while now that this machine has run as well as it is!

#14 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:33 PM

Posted 18 March 2008 - 01:39 PM

Hi andkar

it's been a while now that this machine has run as well as it is!

That's great to hear.
The logs all look good.Well done. :thumbsup:

We'll just do a little cleaning up to finish off with.

Step 1
Start up Spybot Search & Destroy
Click on the Recovery button
Make sure that everything is selected and then click the Purge Selected Items button.
Then close Spybot.
This will clear any items in the quarantine folder.

Step 2
Please uninstall ComboFix by
Clicking on Start ...then run ... and type in combofix /u (don't forget there's is a gap between x and /) Then press Ok
Posted Image

When shown the disclaimer, Select "2"

This action will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Reset System Restore.

Step 3
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
To find out how you may have been infected....read this topic:
So how did i get infected?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

BBPP6nz.png


#15 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 PM

Posted 22 March 2008 - 05:06 AM

Since this issue appears to be resolved, this topic is now closed.

If you need it reopened, please PM a staff member.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users