Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE hijacker


  • This topic is locked This topic is locked
12 replies to this topic

#1 DougC

DougC

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:12:29 AM

Posted 26 January 2009 - 03:28 PM

searching, or trying to get to a site, especially microsoft or virus related sites, will take me to search engines, yellow pages, antivirus software, Google ...
I've run Spybot, adaware and Mcafee

Attached Files


Edited by DougC, 26 January 2009 - 03:29 PM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 07 February 2009 - 09:50 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important!:Please do not select the Show all checkbox during the scan..

Post back with:
-Combofix log
-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 DougC

DougC
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:12:29 AM

Posted 09 February 2009 - 11:49 AM

ComboFix 09-02-08.02 - Robin Moser 2009-02-09 8:15:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1502 [GMT -8:00]
Running from: c:\documents and settings\Robin Moser\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\resycled
c:\resycled\ntldr.com
c:\windows\IE4 Error Log.txt
c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\gaopdxjkcfrqhy.sys
c:\windows\system32\gaopdxpxetepqg.dll
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-05 11:16 . 2009-02-05 11:16 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-01-27 12:27 . 2009-01-27 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2009-01-27 12:22 . 2009-01-27 12:22 61,224 --a------ c:\documents and settings\Robin Moser\GoToAssistDownloadHelper.exe
2009-01-26 11:22 . 2009-01-26 11:22 <DIR> d-------- c:\program files\Trend Micro
2009-01-23 16:59 . 2009-01-23 17:01 13,596,592 --a------ C:\sdsetup.exe
2009-01-23 15:23 . 2009-01-18 13:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-23 13:40 . 2009-01-26 12:45 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-23 11:10 . 2009-01-23 11:12 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-23 10:48 . 2009-01-18 13:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-23 10:47 . 2009-01-23 10:47 <DIR> d-------- c:\program files\Lavasoft
2009-01-23 10:47 . 2009-01-23 10:47 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-23 09:32 . 2009-01-23 09:32 4,735,243 --a------ C:\f-downadup_unsigned.jar
2009-01-23 09:30 . 2009-01-23 09:31 <DIR> d-------- C:\f-downadup
2009-01-23 09:30 . 2009-01-23 09:30 4,770,479 --a------ C:\f-downadup.zip
2009-01-23 09:07 . 2009-01-23 09:07 26,624 --a------ c:\windows\system32\drivers\fsbts.sys
2009-01-19 10:41 . 2009-01-19 10:41 4,915,600 --a------ C:\f-downadup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 17:33 --------- d-----w c:\program files\PCCW
2009-02-05 19:24 --------- d-----w c:\program files\TurboTax
2009-02-05 19:15 --------- d-----w c:\program files\Common Files\Intuit
2009-02-05 19:15 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-20 19:49 --------- d-----w c:\program files\CustomerCareV5
2009-01-14 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-07 03:45 --------- d-----w c:\documents and settings\Robin Moser\Application Data\Windows Search
2009-01-02 15:08 --------- d-----w c:\program files\McAfee
2009-01-01 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-01 01:27 --------- d-----w c:\program files\Common Files\McAfee
2009-01-01 01:26 --------- d-----w c:\program files\McAfee.com
2008-12-31 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-31 20:53 --------- d-----w c:\program files\Hewlett-Packard
2008-12-31 20:43 --------- d-----w c:\program files\Windows Desktop Search
2008-12-31 20:41 --------- d-----w c:\program files\AVG
2008-12-31 20:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-31 20:38 --------- d-----w c:\documents and settings\Robin Moser\Application Data\Windows Desktop Search
2008-12-26 19:21 --------- d-----w c:\documents and settings\Robin Moser\Application Data\McAfee
2008-12-26 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-17 17:35 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-07-09 15:02 56,912 ----a-w c:\documents and settings\Robin Moser\g2mdlhlpx.exe
2008-03-21 16:45 43,680,515 -c--a-w c:\documents and settings\All Users\Documents.zip
2007-03-20 15:49 630,784 -c--a-w c:\documents and settings\Robin Moser\GoToAssist_chat2way__317_en.exe
2008-09-30 02:37 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092920080930\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-07-21 14:47 81920 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2006-05-01 06:07 843776 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
--a------ 2005-04-08 08:18 151552 c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-17 09:35 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
--a------ 2004-05-20 08:37 188416 c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"ASFIPmon"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\SYSTRAN\\6\\Dicts\\SystranTranslationEngine.exe"=
"c:\\Program Files\\SYSTRAN\\6\\SystranToolbar.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\PCCW\\Pccw.Exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8100:TCP"= 8100:TCP:nova
"13770:TCP"= 13770:TCP:Customer Care Service Host
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-01-23 26624]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-23 64160]
R2 CustomerCareWCFHost;CustomerCare WCF Host;c:\program files\CustomerCareV5\CustomerCareWCFService.exe [2009-01-08 34816]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2007-03-29 26304]
S4 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
S4 ksi32sk;ksi32sk;\??\c:\windows\system32\drivers\ksi32sk.sys --> c:\windows\system32\drivers\ksi32sk.sys [?]
S4 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:34]

2009-01-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Robin Moser - c:\documents and settings\Robin Moser\Robin Moser.exe
MSConfigStartUp-SBUSA - c:\program files\SpamBlockerUtility\bin\10.2.215.0\SBUSA.exe
MSConfigStartUp-SpamBlockerUtilityOE - c:\program files\SpamBlockerUtility\bin\10.2.215.0\OEAddOn.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070308
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: SYSTRAN Lookup - c:\program files\SYSTRAN\6\\GUIres.dll/lookup.js
IE: SYSTRAN Translate - c:\program files\SYSTRAN\6\\GUIres.dll/translate.js
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: novainfo.net\nettrans2
Trusted Zone: turbotax.com
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 08:26:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\WINDOWS\\system32\\mmmlvrlv.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-09 8:32:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-09 16:32:39

Pre-Run: 57,493,118,976 bytes free
Post-Run: 57,522,044,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect

235 --- E O F --- 2009-01-14 22:22:21

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 09 February 2009 - 01:09 PM

Hello.

Please answer and post the following logs and questions.

-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 DougC

DougC
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:12:29 AM

Posted 09 February 2009 - 01:55 PM

so far so good. Thanks for your help

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 09 February 2009 - 03:29 PM

Hello.

Okay, but post back with the GMER and Hijackthis log....

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 11 February 2009 - 05:15 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 DougC

DougC
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:12:29 AM

Posted 11 February 2009 - 06:30 PM

comcast was down, sorry
no problem so far

Attached Files



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 11 February 2009 - 08:19 PM

Hello.

That looks good.

O15 Entries Warning (Sites in your Trusted Zones)

I see you have some sites in your Trusted Zone. The security settings for the internet is not extremely high and once you put a site in your trusted zone basically almost anymore including hackers or other malicious software have full access to that site which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree? It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. We will remove it using Hijackthis.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • To the left of each entry you will see a box.Put a checkmark next to the following entries:


    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O15 - Trusted Zone: http://*.mcafee.com
    O15 - Trusted Zone: nettrans2.novainfo.net
    O15 - Trusted Zone: http://*.turbotax.com


    If you no longer see some of the entries, don't worry. It is possible that the uninstaller or removal tool already took care of it. If it is marked " (file missing) ", put a check mark next to its box anyways.

  • Close all open windows except HijackThis.
  • Click Posted Image and OK at the prompt.
  • Close HijackThis.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your pc.
  • To do a full-scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The Onlinescan will now start and scan your computer. Please be patient as this a while.
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window.
  • Click Start, then Run.... The the box that appears type with the quotes:
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad
  • Click into the text area, right-click and chose select all. Right-click again and chose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Post back with:
-New Hijackthis log
-Eset scan log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 DougC

DougC
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:12:29 AM

Posted 12 February 2009 - 01:09 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3848 (20090212)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=9ea95f54024c524d9301e769a45082b7
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-12 05:49:50
# local_time=2009-02-12 09:49:50 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=378522
# found=5
# scan_time=4256
C:\Documents and Settings\Robin Moser\Application Data\Sun\Java\Deployment\cache\6.0\27\6184729b-4fb1200c a variant of Java/TrojanDownloader.OpenStream.NAD trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Robin Moser\Application Data\Sun\Java\Deployment\cache\6.0\27\6184729b-4fb1200c »ZIP »Java2SE.class a variant of Java/TrojanDownloader.OpenStream.NAD trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Robin Moser\Application Data\Sun\Java\Deployment\cache\6.0\47\66286ef-69ab7f8b Java/TrojanDownloader.OpenStream.NAD trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Robin Moser\Application Data\Sun\Java\Deployment\cache\6.0\47\66286ef-69ab7f8b »ZIP »Java2SE.class Java/TrojanDownloader.OpenStream.NAD trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\resycled\ntldr.com.vir a variant of Win32/Kryptik.FB trojan (unable to clean - deleted) 00000000000000000000000000000000

#11 DougC

DougC
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:12:29 AM

Posted 12 February 2009 - 01:13 PM

here ya go

Attached Files



#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 12 February 2009 - 05:46 PM

Hello.

That looks good. ESET just found some infected cache files which it deleted and a quarantined items from Combofix.

Download and Run OTMoveIT3

  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large Posted Image button.
  • It will ask if you wish to Restart your computer, please say Yes
  • After the reboot everything should be good to go. We will cleanup now.
Please follow/read the steps below to remove the tools we used and for some more information. :step5:

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
  • When shown the disclaimer, Select "2"
This will remove files/folders assoicated with combofix and uninstall it.

Uninstall GMER
We will now remove GMER.
  • Go to Start ---> Run ----> In the Open Field type in: C:\WINDOWS\gmer_uninstall.cmd
  • Now Click Ok
  • This shall uninstall GMER and everything related to it.
Cleanup! with OTMoveIt
Let's remove all the tools we've used so far.
  • Double click the OTMoveIt3.exe to run it.
  • Click Posted Image. If you recieve a warning from your security program, select allow to download the packet.
  • A pop-up box will appear saying "Cleanup list download succesfully Begin Removal Process?". Click Yes.
  • If required for a reboot click Yes


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Increase System Performance

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.


Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:29 AM

Posted 14 February 2009 - 02:43 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users