Trojan Virus


15 replies to this topic

#1 creativegd

Posted 24 July 2008 - 09:49 AM

Found a Trojan Horse virus on my laptop and it has taken over the computer so it just shuts down midway through trying to remove it, and it has taken over the browsers. I managed to do a HijackThis log and am sending this now to see if I can get some help removing it. I have Windows XP on the laptop. I use AVG to detect the virus but cannot remove it. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:56 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Common Files\AOL\1169913675\ee\AOLSoftware.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Documents and Settings\Srila Gurudeva\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Targus BT Mouse\MulMouse.exe
C:\Program Files\Qlock\qlock.exe
C:\Program Files\Targus BT Mouse\osd.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Letterhead Fonts\LHFService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1169913675\ee\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {04F27F39-1C1B-4A4F-8B5A-A531E364B7A6} - (no file)
O2 - BHO: (no name) - {17BB8948-6B3B-4C80-91A8-F6FB3E15E3C2} - (no file)
O2 - BHO: {fa42de1d-77aa-2199-f624-2b2af7f20db4} - {4bd02f7f-a2b2-426f-9912-aa77d1ed24af} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B4977567-6B39-4AFA-9CD2-47A20209F5FE} - (no file)
O2 - BHO: (no name) - {B942A054-CC8C-45E6-93CB-A3DE74463622} - (no file)
O2 - BHO: (no name) - {C9B6FE04-B0F0-4D24-842C-243F3AA6F2E0} - (no file)
O2 - BHO: targetedbanner browser optimizer - {d127d400-0b3b-e306-85de-7074d56cc4c3} - C:\WINDOWS\system32\dopmjsikukfwkvnx.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series (Copy 1) on SRILA-GURUDEVA] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P62 "Auto EPSON Stylus Photo R200 Series (Copy 1) on SRILA-GURUDEVA" /O25 "\\SRILA-GURUDEVA\EPSONSty" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169913675\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Srila Gurudeva\winlogon.exe
O4 - HKLM\..\Run: [4858b983] rundll32.exe "C:\WINDOWS\system32\tksbvvqt.dll",b
O4 - HKLM\..\Run: [{d9dc163d-3cb1-c2cd-dbdf-a3477820aa17}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\dopmjsikukfwkvnx.dll" DllStart
O4 - HKLM\..\Run: [BM4b6b8a1f] Rundll32.exe "C:\WINDOWS\system32\kqkkqepw.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} (MetaStreamCtl Class) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://ids.southeasterntech.edu/Citrix/Met...ca32/wficat.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168308030671
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - Winlogon Notify: efcYPiJd - efcYPiJd.dll (file missing)
O20 - Winlogon Notify: khfETnkJ - khfETnkJ.dll (file missing)
O20 - Winlogon Notify: ljJYSiFX - ljJYSiFX.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Letterhead Fonts Service - Unknown owner - C:\Program Files\Letterhead Fonts\LHFService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14530 bytes


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 25 July 2008 - 06:04 PM

Hi

I see several different malware in your log. Which one is AVG referring to? Filename & location please ...

I would like you to run 4 programs for me & post the logs .... It may seem a lot to ask, but it is necessary if you want a clean computer ... just work through them in the order posted, & you'll have the logs in no time ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

So the logs I need are :-

1. DSS ... 2 logs > main txt & extra.txt
2. Kaspersky Online Scan log
3. Malwarebytes' Anti-Malware report
4. combofix.txt

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 creativegd

Posted 30 July 2008 - 01:14 AM

Thank you for the instructions. I am in the process of following them and will post the results. I have a problem with the scans that are online as the virus has overtaken my browser on the laptop so I cannot access the internet directly. I have been using the internet on my desktop computer and downloading the software that way but the direct internet scans I am unable to do. Any suggestions greatly appreciated. Will send you what I have as soon as I can.

Thank you
Heidi

#4 creativegd

Posted 30 July 2008 - 12:34 PM

Hi,

The laptop is unstable. I can only manage to keep it on for 12-15 mins before it just shuts down. I will try to do these scans in safe mode. I have one log 3. Malwarebytes' Anti-Malware report. The 1. DSS ... 2 logs > main txt & extra.txt will not work. I cannot get it to complete the scan. It just comes up with an error after 3-4 mins of running.

Thank you

#5 steamwiz

Posted 30 July 2008 - 03:46 PM

Hi Heidi

OK forget the scans which won't run, we'll try them again later ...

The laptop is unstable. I can only manage to keep it on for 12-15 mins before it just shuts down.


When it shuts down, do you get any error messages, blue screen ? etc,

Have you tried to run Combofix yet? ... if not, then please read the link & try to install the recovery console ... I think you realise how much malware you have, & if in trying to remove any of it, you find you can't boot into windows, then the recovery console will be a great help in getting you back up & running (hopefully it won't come to that though)

Post the log you have from Malwarebytes' Anti-Malware ...

Let's take some of the malware out manually, that way your computer may settle down enough to enable you to run the other programs/scans ...

Some of these may have already been removed by Malwarebytes' Anti-Malware ...

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below ... when all are ticked (checked) click the Fix Checked button at the bottom :-

O2 - BHO: (no name) - {04F27F39-1C1B-4A4F-8B5A-A531E364B7A6} - (no file)
O2 - BHO: (no name) - {17BB8948-6B3B-4C80-91A8-F6FB3E15E3C2} - (no file)
O2 - BHO: {fa42de1d-77aa-2199-f624-2b2af7f20db4} - {4bd02f7f-a2b2-426f-9912-aa77d1ed24af} - (no file)

O2 - BHO: (no name) - {B4977567-6B39-4AFA-9CD2-47A20209F5FE} - (no file)
O2 - BHO: (no name) - {B942A054-CC8C-45E6-93CB-A3DE74463622} - (no file)
O2 - BHO: (no name) - {C9B6FE04-B0F0-4D24-842C-243F3AA6F2E0} - (no file)
O2 - BHO: targetedbanner browser optimizer - {d127d400-0b3b-e306-85de-7074d56cc4c3} - C:\WINDOWS\system32\dopmjsikukfwkvnx.dll

O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Srila Gurudeva\winlogon.exe
O4 - HKLM\..\Run: [4858b983] rundll32.exe "C:\WINDOWS\system32\tksbvvqt.dll",b
O4 - HKLM\..\Run: [{d9dc163d-3cb1-c2cd-dbdf-a3477820aa17}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\dopmjsikukfwkvnx.dll" DllStart
O4 - HKLM\..\Run: [BM4b6b8a1f] Rundll32.exe "C:\WINDOWS\system32\kqkkqepw.dll",s

O20 - Winlogon Notify: efcYPiJd - efcYPiJd.dll (file missing)
O20 - Winlogon Notify: khfETnkJ - khfETnkJ.dll (file missing)
O20 - Winlogon Notify: ljJYSiFX - ljJYSiFX.dll (file missing)


THEN... reboot into safemode, find and delete :-

C:\WINDOWS\system32\dopmjsikukfwkvnx.dll ... file
C:\WINDOWS\system32\tksbvvqt.dll ... file
C:\WINDOWS\system32\kqkkqepw.dll ... file

Let me know if you found any of these & if you deleted them ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
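
Added example, not code from this thread, from BleepingComputer or from HijackThis: a small Python triage script that re-applies the criteria steamwiz used above (O2 BHOs with no backing file, O4 autostarts that run rundll32 on a randomly named system32 DLL or launch a winlogon.exe outside the Windows directory, O20 Winlogon Notify DLLs that are missing) to HijackThis log lines. The "random-looking name" rule is this example's own heuristic, and the sample lines are copied from creativegd's log.

```python
"""Re-apply the HijackThis triage criteria from this thread mechanically.
The checks and the vowel-ratio heuristic are this example's assumptions,
not rules built into HijackThis."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: legitimate and suspicious lines copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04F27F39-1C1B-4A4F-8B5A-A531E364B7A6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: targetedbanner browser optimizer - {d127d400-0b3b-e306-85de-7074d56cc4c3} - C:\WINDOWS\system32\dopmjsikukfwkvnx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Srila Gurudeva\winlogon.exe
O4 - HKLM\..\Run: [4858b983] rundll32.exe "C:\WINDOWS\system32\tksbvvqt.dll",b
O4 - HKLM\..\Run: [{d9dc163d-3cb1-c2cd-dbdf-a3477820aa17}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\dopmjsikukfwkvnx.dll" DllStart
O4 - HKLM\..\Run: [BM4b6b8a1f] Rundll32.exe "C:\WINDOWS\system32\kqkkqepw.dll",s
O20 - Winlogon Notify: efcYPiJd - efcYPiJd.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

VOWELS = set("aeiou")


def looks_random(stem: str, min_len: int = 8, max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic (assumption of this example): a long, purely alphabetic file
    stem with almost no vowels, the pattern of the Vundo-style DLL names in
    this log (tksbvvqt, kqkkqepw, dopmjsikukfwkvnx)."""
    s = stem.lower()
    if len(s) < min_len or not s.isalpha():
        return False
    return sum(ch in VOWELS for ch in s) / len(s) < max_vowel_ratio


# rundll32 [path\]<stem>.dll  -> capture the DLL stem
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?:[^"]*?\\)?([a-z0-9]+)\.dll', re.IGNORECASE)
# ...\<stem>.dll at end of line -> capture the DLL stem
TRAILING_DLL_RE = re.compile(r'\\([A-Za-z0-9]+)\.dll\s*$', re.IGNORECASE)


def check_o2(line: str) -> Optional[str]:
    """O2 (Browser Helper Object): orphan CLSID or randomly named DLL."""
    if line.rstrip().endswith("(no file)"):
        return "BHO CLSID registered but its DLL is gone (orphan entry)"
    m = TRAILING_DLL_RE.search(line)
    if m and looks_random(m.group(1)):
        return "BHO loaded from a randomly named DLL"
    return None


def check_o4(line: str) -> Optional[str]:
    """O4 (autostart): rundll32 on a random DLL, or winlogon.exe in the wrong place."""
    m = RUNDLL_RE.search(line)
    if m and looks_random(m.group(1)):
        return "rundll32 autostart loads a randomly named DLL"
    low = line.lower()
    if "\\winlogon.exe" in low and "\\windows\\system32\\winlogon.exe" not in low:
        return "winlogon.exe started from outside %SystemRoot%\\system32"
    return None


def check_o20(line: str) -> Optional[str]:
    """O20 (Winlogon Notify): DLL registered for logon notifications but missing."""
    if "(file missing)" in line:
        return "Winlogon Notify DLL registered but missing from disk"
    return None


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


CHECKS = {"O2": check_o2, "O4": check_o4, "O20": check_o20}
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+")


def triage(log_text: str) -> List[Finding]:
    """Run the section-specific checks over every HijackThis line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group(1))
        reason = check(line) if check else None
        if reason:
            findings.append(Finding(m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The vowel-ratio rule is deliberately loose and will also flag some legitimate names (mbamswissarmy, for instance), so treat the output as a candidate list for a human reviewer, not as a removal list.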

#6 creativegd

Posted 31 July 2008 - 04:18 PM

Hi,

Thank you for the manual removal instructions. I am working on them now. I did manage to run some of the scans in safe mode and then did the combofix in regular mode. Here are the results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 31, 2008 03:51:12
Records in database: 1032086
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Srila Gurudeva\Start Menu\Programs\StartUp
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 82077
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:18:05


File name / Threat name / Threats count
C:\WINDOWS\system32\dlpfeljh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abun 1
C:\WINDOWS\system32\ocsatwln.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.adnq 1
C:\WINDOWS\task32.exe Infected: Trojan-Downloader.Win32.Agent.wzv 1

The selected area was scanned.
______________________________________________________________________________________

Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

1:39:22 PM 7/31/2008
mbam-log-7-31-2008 (13-39-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187060
Time elapsed: 1 hour(s), 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP646\A0199173.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207326.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207327.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207331.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207334.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207335.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207337.exe (Trojan.DNSChanger) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP648\A0207338.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP650\A0208318.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP653\A0211322.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0212322.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0212325.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0213309.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0213318.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0213323.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0213327.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0213333.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP654\A0213342.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0214352.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215357.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215359.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215361.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215362.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215363.dll (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215365.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215366.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215367.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215368.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215369.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215370.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215371.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215373.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215374.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215375.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215376.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215377.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215378.exe (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215379.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215380.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{3138630E-E7BA-409A-B0E6-284909F00AD0}\RP655\A0215382.exe (Trojan.Downloader) -> No action taken.
________________________________________________________________________________________________________________________

ComboFix 08-07-31.01 - Srila Gurudeva 2008-07-31 16:47:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1558 [GMT -4:00]
Running from: C:\Documents and Settings\Srila Gurudeva\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Srila Gurudeva\Application Data\macromedia\Flash Player\#SharedObjects\5X4UTACC\interclick.com
C:\Documents and Settings\Srila Gurudeva\Application Data\macromedia\Flash Player\#SharedObjects\5X4UTACC\interclick.com\ud.sol
C:\Documents and Settings\Srila Gurudeva\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Srila Gurudeva\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Srila Gurudeva\g2mdlhlpx.exe
C:\Documents and Settings\Srila Gurudeva\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Srila Gurudeva\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\system32\eMlkTvut.ini
C:\WINDOWS\system32\eMlkTvut.ini2
C:\WINDOWS\system32\foeppybx.ini
C:\WINDOWS\system32\fyoiakmh.ini
C:\WINDOWS\system32\hqncnlvo.dll
C:\WINDOWS\system32\jqqbefxg.ini
C:\WINDOWS\system32\magpdc.dll
C:\WINDOWS\system32\miunmvji.ini
C:\WINDOWS\system32\nblcajnb.dll
C:\WINDOWS\system32\nqrdsaax.ini
C:\WINDOWS\system32\orYHRXbc.ini
C:\WINDOWS\system32\orYHRXbc.ini2
C:\WINDOWS\system32\rebgnlvp.ini
C:\WINDOWS\system32\tqvvbskt.ini
C:\WINDOWS\system32\yaJkkUtv.ini
C:\WINDOWS\system32\yaJkkUtv.ini2
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\msvbvm60.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 02:44 . 2008-07-30 02:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 02:44 . 2008-07-30 02:44 <DIR> d-------- C:\Documents and Settings\Srila Gurudeva\Application Data\Malwarebytes
2008-07-30 02:44 . 2008-07-30 02:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 02:44 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 02:44 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 02:40 . 2008-07-30 02:40 <DIR> d----c--- C:\Deckard
2008-07-26 11:26 . 2008-07-26 11:26 <DIR> d-------- C:\Program Files\Uniblue
2008-07-24 09:51 . 2008-07-24 09:51 <DIR> d-------- C:\Temp\epr1
2008-07-19 12:09 . 2008-07-19 12:10 <DIR> d-------- C:\Program Files\Viewpoint
2008-07-19 10:55 . 2008-07-24 11:56 <DIR> d-------- C:\WINDOWS\system32\carH18
2008-07-19 10:55 . 2008-07-19 10:55 <DIR> d-------- C:\Temp\btxv15
2008-07-18 09:54 . 2008-07-18 09:54 73 --a------ C:\WINDOWS\4760.bat
2008-07-17 12:57 . 2008-07-20 17:01 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-17 12:57 . 2008-07-17 12:57 <DIR> d-------- C:\Temp\zpv201
2008-07-14 13:33 . 2008-07-20 17:01 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-14 13:33 . 2008-07-14 13:33 <DIR> d-------- C:\Temp\stmpv4
2008-06-21 09:39 . 2008-06-21 09:39 158,652 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-10 22:22 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 22:22 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 20:41 --------- d---a-w C:\Documents and Settings\Srila Gurudeva\Application Data\AVG7
2008-07-31 20:40 --------- d-----w C:\Program Files\Plaxo
2008-07-30 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-26 15:27 --------- d-----w C:\Documents and Settings\Srila Gurudeva\Application Data\Uniblue
2008-07-26 15:20 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2008-07-14 17:21 --------- d-----w C:\Documents and Settings\Srila Gurudeva\Application Data\LimeWire
2008-06-28 02:31 133 ----a-w C:\Program Files\AutoUpdate.dat
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-10 03:28 --------- d-----w C:\Program Files\McAfee
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-29 20:43 191,624 ----a-w C:\Documents and Settings\Srila Gurudeva\Application Data\GDIPFONTCACHEV1.DAT
2007-07-08 15:53 12,410 ----a-w C:\Documents and Settings\Srila Gurudeva\Application Data\unins000.dat
2007-07-08 15:51 673,546 ----a-w C:\Documents and Settings\Srila Gurudeva\Application Data\unins000.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 13:30 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.6\PlaxoHelper.exe" [2008-04-14 17:36 227914]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-05-23 14:33 1287696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 08:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 08:00 455168]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 09:03 40960]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 11:49 454656]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 17:01 761946]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48 479232]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-19 10:50 579584]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Auto EPSON Stylus Photo R200 Series (Copy 1) on SRILA-GURUDEVA"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 03:00 99840]
"HostManager"="C:\Program Files\Common Files\AOL\1169913675\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-15 18:26 7561216]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 20:36 446464]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-06-15 18:43 22528]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 15:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"nwiz"="nwiz.exe" [2006-04-15 18:26 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 14:14 219136]

C:\Documents and Settings\Srila Gurudeva\Start Menu\Programs\Startup\
qlock.lnk - C:\Program Files\Qlock\qlock.exe [2006-07-31 05:28:12 4102656]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-04-07 02:42:52 217190]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50 113664]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 18:02:06 581693]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-21 14:30:23 124912]
Targus BT Mouse.lnk - C:\Program Files\Targus BT Mouse\MulMouse.exe [2007-02-19 15:50:44 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1169913675\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1169913675\\ee\\AOLOpenRide.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 BtFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\BtFltr.sys [2006-04-12 16:40]
S2 Letterhead Fonts Service;Letterhead Fonts Service;C:\Program Files\Letterhead Fonts\LHFService.exe [2007-02-25 17:53]
S3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beb1cd32-6837-11db-8bb0-90d21089110d}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc599f06-80d6-11db-8bc4-00038a000015}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-07-30 C:\WINDOWS\Tasks\B6DB8D0F94340843.job
- c:\docume~1\srilag~1\applic~1\rulepa~1\MIXFLAPCOOL.exe []

2008-06-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-06-27 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-18 23:42]

2008-07-31 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-07-16 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-07-26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-05-23 14:03]

2008-07-26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-05-23 14:03]

2008-07-31 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-05-23 14:33]

2008-07-28 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-05-23 14:33]

2008-07-16 C:\WINDOWS\Tasks\XoftSpy.job
- C:\Program Files\XoftSpy\XoftSpy.exe [2004-12-01 19:00]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Uniblue SpeedUpMyPC - (no file)
Notify-efcYPiJd - efcYPiJd.dll
Notify-khfETnkJ - khfETnkJ.dll
Notify-ljJYSiFX - ljJYSiFX.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Srila Gurudeva\Application Data\Mozilla\Firefox\Profiles\86vw6dxx.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 16:52:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ??? X??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 16:55:26
ComboFix-quarantined-files.txt 2008-07-31 20:54:45

Pre-Run: 17,788,739,584 bytes free
Post-Run: 18,153,144,320 bytes free

219 --- E O F --- 2008-07-11 17:00:45
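The "Reg Loading Points" section of the ComboFix report above shows Security Center's AntiVirusOverride and DisableMonitoring values set, EnableFirewall at 0, AutoRun commands registered under mountpoints2, and a scheduled task whose target carries no timestamp. The Python script below is an added example, not part of this thread or of ComboFix, that triages a report for exactly those items; its sample input is constructed from lines in the log above.

```python
"""Triage a ComboFix report for settings that weaken the host's own defences.

Added example for this thread, not ComboFix code or the helper's tooling. It
reads the registry, AutoRun and scheduled-task lines ComboFix prints and flags
Security Center overrides and disabled monitoring, the XP firewall being off,
AutoRun handlers registered on mounted volumes, and scheduled tasks for whose
target ComboFix printed no timestamp (an empty [] where the file date belongs,
which means it did not find the file).
"""
import re

# Constructed sample, assembled from lines that appear in the log above.
SAMPLE_REPORT = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beb1cd32-6837-11db-8bb0-90d21089110d}]
\Shell\AutoRun\command - setupSNK.exe

2008-07-30 C:\WINDOWS\Tasks\B6DB8D0F94340843.job
- c:\docume~1\srilag~1\applic~1\rulepa~1\MIXFLAPCOOL.exe []

2008-07-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                    # registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?\s*([0-9A-Fa-f]+)')  # numeric value line
TASK_RE = re.compile(r"^-\s+(\S.*?)\s+\[\]$")                         # task target, no timestamp


def triage(report):
    """Return (category, detail) findings in the order they appear in the report."""
    findings = []
    key = key_l = ""  # most recent key header, original case and lower-cased
    for line in report.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key, key_l = m.group(1), m.group(1).lower()
            continue
        leaf = key.rsplit("\\", 1)[-1]  # last component of the current key
        m = VALUE_RE.match(line)
        if m:
            name, is_dword, raw = m.groups()
            value = int(raw, 16) if is_dword else int(raw, 10)
            if "security center\\monitoring\\" in key_l and name == "DisableMonitoring" and value == 1:
                findings.append(("security-center", f"monitoring disabled for {leaf}"))
            elif "security center" in key_l and name.endswith("Override") and value == 1:
                findings.append(("security-center", f"{name} set: Security Center will not warn"))
            elif "firewallpolicy" in key_l and name == "EnableFirewall" and value == 0:
                findings.append(("firewall", f"Windows Firewall off for {leaf}"))
        elif "mountpoints2" in key_l and line.lower().startswith("\\shell\\autorun\\command"):
            cmd = line.split(" - ", 1)[-1]
            findings.append(("autorun", f"AutoRun handler on volume {leaf}: {cmd}"))
        else:
            m = TASK_RE.match(line)
            if m:
                findings.append(("scheduled-task", f"task target not found on disk: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:16} {detail}")
```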


#7 creativegd (Topic Starter)

Posted 31 July 2008 - 04:33 PM

I do not get any error when the computer shuts down. It just shuts off to a black screen. Since running these scans in safe mode the laptop has stabilized. I am now using it regularly but still seeing that some infection is there.

Trying to run Deckard's scan now but the executable will not run. I have downloaded it several times and it just will not work. The rest are ok.

Completing the manual removal now.

Thank you
Heidi

#8 creativegd (Topic Starter)

Posted 31 July 2008 - 04:53 PM

Hi,

I have manually gone through the list you sent and could not find them anymore. The scans must have removed them. I saved the HijackThis log report and attached it here. The laptop is doing better.


#9 steamwiz

Posted 01 August 2008 - 06:22 PM

Hi Heidi

The Malwarebytes' Anti-Malware log you posted was from a second run I believe ?

Would you post the first one for me please ... Run the Malwarebytes Anti-Malware from the icon on your desktop, select the Logs tab & see if you can see the first log ?

I see you've run several other programs ... ewido anti-spyware, Panda activescan, etc, did they find anything they could not remove ?

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\dlpfeljh.dll
C:\WINDOWS\system32\ocsatwln.dll
C:\WINDOWS\task32.exe
C:\WINDOWS\Tasks\B6DB8D0F94340843.job
C:\WINDOWS\4760.bat

Folder::
C:\Temp
C:\WINDOWS\system32\carH18
C:\WINDOWS\system32\aumsDK18
C:\WINDOWS\system32\olixds18


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

-
RE: DSS won't run ...

1. you are downloading it to your desktop aren't you ?
2. You must be logged onto an account with administrator privileges?

Assuming the above two are correct, please try this :-

go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe"

Did it run ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
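The CFScript format used in the post above is line-oriented, and the warning about the first line is where hand-edited scripts most often go wrong. As an added example that is not part of this thread or of ComboFix, the Python check below parses such a script and rejects a leading blank line, a leading space, an unknown directive, a relative path or a duplicate entry; the sample script is constructed from the paths listed in the post.

```python
"""Pre-flight check for a ComboFix CFScript like the one in the post above.

Added example, not ComboFix code. The post stresses that File:: must be the
very first line, with no blank line above it and no space in front of it;
parse_cfscript() enforces that, accepts only the directives the post uses
(File:: and Folder::) and returns the paths per section for review before
the file is dropped onto ComboFix.exe.
"""
import re

KNOWN_SECTIONS = ("File::", "Folder::")  # directives used in the post above
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*]*$')  # absolute local Windows path

# Constructed sample: the script the helper posted, as it should be saved.
GOOD_SCRIPT = """File::
C:\\WINDOWS\\system32\\dlpfeljh.dll
C:\\WINDOWS\\task32.exe
C:\\WINDOWS\\Tasks\\B6DB8D0F94340843.job

Folder::
C:\\Temp
C:\\WINDOWS\\system32\\carH18
"""


def parse_cfscript(text):
    """Return {directive: [paths]}; raise ValueError on the mistakes the post warns about."""
    lines = text.splitlines()
    # Line 1 must be a directive, exactly: a leading blank line or space fails here.
    if not lines or lines[0] not in KNOWN_SECTIONS:
        raise ValueError("line 1 must be a directive such as 'File::', with no blank "
                         "line above it and no space in front of it")
    sections = {}
    current = None
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue  # blank separators between sections are fine
        if line.strip().endswith("::"):
            if line not in KNOWN_SECTIONS:  # catches ' Folder::' and unknown names
                raise ValueError(f"line {n}: unknown or badly formed directive {line!r}")
            current = line
            sections.setdefault(current, [])
        elif not WIN_PATH_RE.match(line):
            raise ValueError(f"line {n}: not an absolute Windows path: {line!r}")
        elif line in sections[current]:
            raise ValueError(f"line {n}: duplicate entry {line!r}")
        else:
            sections[current].append(line)
    return sections


def cfscript_error(text):
    """Return the validation message for a script, or None when it is well formed."""
    try:
        parse_cfscript(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for directive, paths in parse_cfscript(GOOD_SCRIPT).items():
        print(directive, *paths, sep="\n  ")
```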

#10 creativegd (Topic Starter)

Posted 09 August 2008 - 09:42 AM

Please find here the first and second scan from Malware. I think what I posted was the 3rd or 4th scan log.

Will complete the rest of the tests today.

Thank you

Heidi


#11 creativegd (Topic Starter)

Posted 09 August 2008 - 10:05 AM

Tried the Deckard's exe again using the run feature and it looked like it would work, but the entire icon just disappeared and nothing happened. I downloaded again to the desktop and made sure I was logged in with administrative privileges. It still did not work - it just disappears off the desktop.

Ewido and AVG found a lot of things also and removed them. Did not run Panda. I looked for any logs from Ewido but none were saved. I think I remember AVG having some embedded files that needed manual deletion. AVG has saved logs but they are in a format I cannot put into Notepad. It deleted everything it found.

Will run the script with combofix now that you sent through.

Thank you

#12 creativegd (Topic Starter)

Posted 09 August 2008 - 10:25 AM

Finished the ComboFix run from the script you sent me. Attached here.


The laptop is running much better and all the scans are coming up clean.

Thank you
Heidi


Edited by creativegd, 09 August 2008 - 10:27 AM.


#13 steamwiz

Posted 09 August 2008 - 04:16 PM

Hi Heidi

Your logs are clean now :thumbsup:

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

-
THEN ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


-
Finally ... please post a new HijackThis log.

steam

#14 creativegd (Topic Starter)

Posted 10 August 2008 - 08:59 PM

Hi,

I have downloaded CCleaner and did a first run clean. It removed a lot of files.

I tried running the ComboFix using the run function but it just uninstalls itself and disappears off the desktop like Deckard's scan. So I installed again and ran a normal scan. The log is attached if helpful.

One thing that is happening with the laptop still is that if I leave it for a while it just shuts off. I thought at first it was going to sleep, which it does sometimes, but now it just clicks and shuts off even if programs are running. Is there some Windows function I can check?

Heidi

#15 steamwiz

Posted 11 August 2008 - 04:46 PM

Hi Heidi

I tried running the ComboFix using the run function but it just uninstalls itself and disappears off the desktop


:thumbsup: That's exactly what it's supposed to do this time ... it uninstalls itself with that command.

It deletes all the files/folders it created & generally cleans up after itself ...

You have no need for Combofix anymore, so if you have a Combofix icon on your desktop, do this again ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


Then forget all about Combofix

-
CCleaner does remove a lot of files; they are all temporary files which you don't need. Just an hour's surfing will create hundreds of temporary files ...

One thing that is happening with the laptop still is that if I leave it for a while it just shuts off. I thought at first it was going to sleep, which it does sometimes, but now it just clicks and shuts off even if programs are running. Is there some Windows function I can check?


Are you saying it totally shuts down .. as in power off completely ... or is it just the hard-drives turning off ?

steam



