
Infected with Vundo


  • This topic is locked
16 replies to this topic

#1 Klickinater

  • Members
  • 14 posts

Posted 21 February 2009 - 11:23 PM

Recently, while I was away, my brother did something (and refuses to fess up) which got a lot of viruses on my computer. As it is, I have mostly removed them except Vundo. I have been getting pop-ups for spyware sites (the most common is for StopZilla) usually when I open a new window (with Mozilla). And occasionally my computer will freeze without warning and I will have to restart it. When I use McAfee scan, it finds Vundo but it says it is unable to quarantine or fix it; it just says to scan again after restarting the computer, and when I do that it just says the same thing, scan after restart. My dad then buys MalwareRemovalBot, which not only finds Vundo, but a host of other 'stuff' that I then get rid of. But Vundo appears every time, even after it says it fixes it. In desperation I look on the Wikipedia article about it and see that VundoFix is made to get rid of it. Unfortunately VundoFix didn't find anything. I currently downloaded Spybot S&D and it's scanning my computer, but I doubt it will be able to get rid of it if MalwareRemovalBot and McAfee couldn't. I tried hunting down the file myself, but not being as computer savvy as I would like to be I was quickly lost and couldn't find anything. Usually when I scan my computer, it comes up with several other infections, though I am pretty sure they are either petty or related to Vundo.
EDIT: Halfway through the Spybot S&D scan and it found Virtumonde. I'll edit again once it finishes and say whether or not it worked.
EDIT2: No such luck. After clicking 'Fix', Spybot told me that it couldn't remove it, so it told me to restart and scan again, which I did. Then it 'removed' it without problem. Though now on its third scan it's finding Vundo again. I was looking at other topics and apparently TinyBar.C and Virtumonde.prx are associated with it (and I have both). Also AdwareAlert keeps coming back, though I am unsure whether or not that is related.
The DDS file is as follows:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jacob at 23:07:55.15 on Sat 02/21/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2042 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Page = hxxp://www.google.com
uWindows: Run="c:\documents and settings\jacob\application data\adobe\Manager.exe"
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: {446ff373-211b-4a40-b777-5157cce1e146} - c:\windows\system32\iiffCSiG.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUOeDwX.dll
{72611494-2ff2-494b-9950-7844458d9444}
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [Windows] "c:\windows\system32\windows.exe"
uRun: [MalwareRemovalBot] c:\program files\malwareremovalbot\MalwareRemovalBot.exe -boot
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209947004581
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209946993003
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: wvUOeDwX - wvUOeDwX.dll
AppInit_DLLs: zmfnhc.dll rrbvdf.dll zpoklo.dll zhhyrl.dll umwwma.dll nziusb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUOeDwX.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacob\applic~1\mozilla\firefox\profiles\fso9z5he.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 207656]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
S0 ewhocalf;ewhocalf;c:\windows\system32\drivers\jiygrsqs.sys []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 34152]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-02-21 23:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-21 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-21 20:16 123,392 a------- c:\windows\system32\missicun.dll
2009-02-21 20:16 1,607,789 ---sh--- c:\windows\system32\wwoehcdb.ini
2009-02-21 20:16 72,704 a------- c:\windows\system32\bdcheoww.dll
2009-02-21 16:28 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-02-21 16:28 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-02-21 16:28 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-02-21 16:28 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-02-21 16:28 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-02-21 16:28 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-02-21 16:27 <DIR> --d----- c:\docume~1\jacob\applic~1\The Creative Assembly
2009-02-21 16:13 <DIR> --d----- C:\VundoFix Backups
2009-02-21 08:18 1,609,283 ---sh--- c:\windows\system32\drpmvkmy.ini
2009-02-21 08:16 123,392 a------- c:\windows\system32\nziusb.dll
2009-02-20 13:28 1,599,879 ---sh--- c:\windows\system32\twqnjhvl.ini
2009-02-19 23:04 1,609,282 ---sh--- c:\windows\system32\imkoifjv.ini
2009-02-19 11:02 1,584,784 ---sh--- c:\windows\system32\cobnkrri.ini
2009-02-18 23:03 1,583,109 ---sh--- c:\windows\system32\luhmqgqx.ini
2009-02-18 11:00 1,580,845 ---sh--- c:\windows\system32\usgqlgvn.ini
2009-02-17 22:49 1,585,212 ---sh--- c:\windows\system32\xevphjmc.ini
2009-02-17 10:20 1,584,915 ---sh--- c:\windows\system32\finqgfwm.ini
2009-02-16 16:45 1,571,654 ---sh--- c:\windows\system32\dtkbnont.ini
2009-02-16 15:06 <DIR> --d----- c:\program files\AVI Movie Player
2009-02-16 12:45 120 ---sh--- c:\windows\system32\lksamiwy.ini
2009-02-13 06:59 35,328 a------- c:\windows\system32\wvUOeDwX.dll
2009-02-13 04:48 0 a------- c:\windows\system32\mcrh.tmp
2009-02-04 15:18 <DIR> --d----- c:\windows\system32\AGEIA
2009-02-04 15:17 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-04 15:17 206,793 a------- c:\windows\system32\nvapps.nvb
2009-02-04 15:17 <DIR> --d----- c:\windows\NV25483572.TMP
2009-02-03 06:14 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-01 23:06 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-27 14:12 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-01-27 14:12 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-01-27 14:12 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-01-27 14:12 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-27 14:12 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-27 14:12 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-01-27 14:12 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-27 14:12 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2009-01-27 14:12 81,768 a------- c:\windows\system32\xinput1_3.dll

==================== Find3M ====================

2009-02-21 23:05 2,973 a--sh--- c:\windows\system32\GiSCffii.ini2
2009-01-17 21:34 3,568 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-15 20:17 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-15 18:57 1,640,518 a--sh--- c:\windows\system32\PYaHQXyb.ini2
2009-01-11 19:46 140,216 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-11 19:45 201,352 a------- c:\windows\system32\PnkBstrB.exe
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-05 18:50 675,840 a------- c:\windows\system32\windows.exe
2009-01-04 13:44 418,480 a------- c:\windows\system32\wrap_oal.dll
2009-01-04 13:44 115,432 a------- c:\windows\system32\OpenAL32.dll
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-06 18:08 17,144 a------- c:\docume~1\jacob\applic~1\GDIPFONTCACHEV1.DAT
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll
2008-11-26 08:55 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-11-25 08:38 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\niyihifi.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\siyokume.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\werolime.dll

============= FINISH: 23:09:52.95 ===============

Attached Files


Edited by Klickinater, 22 February 2009 - 12:25 PM.




#2 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 February 2009 - 04:00 PM

Hello Klickinater,

Sorry for the delay. We have many logs backed up.

Since it has been a few days, please post a fresh DDS log and we will go from there.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Klickinater

  • Topic Starter
  • Members
  • 14 posts

Posted 28 February 2009 - 10:06 PM

The new DDS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jacob at 22:02:51.01 on Sat 02/28/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.1742 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Page = hxxp://www.google.com
uWindows: Run="c:\documents and settings\jacob\application data\adobe\Manager.exe"
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: {23ce9627-2b25-43db-a4b9-6d6df11df66e} - No File
BHO: {2CADE14B-7260-4303-A127-1F7EB3789F27} - No File
BHO: {4009d812-52d4-4bb5-bb7d-cbc7344ac5c2} - c:\windows\system32\iiffCSiG.dll
BHO: {446FF373-211B-4A40-B777-5157CCE1E146} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUOeDwX.dll
{72611494-2ff2-494b-9950-7844458d9444}
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8CD6833D-FF33-4336-9BD0-6EAC9FE08B21} - No File
BHO: {B35C40D9-881D-4198-9DD5-72B1F41519B5} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {21dd4889-5438-4c48-9904-d8b52ceb76df}: {fd67bec2-5b8d-4099-84c4-83459884dd12} - c:\windows\system32\skqwel.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MalwareRemovalBot] c:\program files\malwareremovalbot\MalwareRemovalBot.exe -boot
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [c4cf1566] rundll32.exe "c:\windows\system32\mkgarjfg.dll",b
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209947004581
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209946993003
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: wvUOeDwX - wvUOeDwX.dll
AppInit_DLLs: zmfnhc.dll rrbvdf.dll zpoklo.dll zhhyrl.dll umwwma.dll nziusb.dll nbneuu.dll cyhibx.dll wwmerw.dll rrqqlx.dll zvzuby.dll jknmpq.dll veeywf.dll skqwel.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUOeDwX.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacob\applic~1\mozilla\firefox\profiles\fso9z5he.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 207656]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
S0 ewhocalf;ewhocalf;c:\windows\system32\drivers\jiygrsqs.sys []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 34152]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-02-28 11:03 125,440 a------- c:\windows\system32\skqwel.dll
2009-02-28 11:03 125,440 a------- c:\windows\system32\umgvgflw.dll
2009-02-28 11:00 121 ---sh--- c:\windows\system32\egljfguf.ini
2009-02-28 11:00 88,064 a------- c:\windows\system32\fugfjlge.dll
2009-02-27 22:44 88,064 a------- c:\windows\system32\mkgarjfg.dll
2009-02-27 22:44 1,665,122 ---sh--- c:\windows\system32\gfjragkm.ini
2009-02-27 22:41 124,416 a------- c:\windows\system32\zqgnav.dll
2009-02-27 22:41 124,416 a------- c:\windows\system32\ispicjlg.dll
2009-02-27 10:44 1,665,122 ---sh--- c:\windows\system32\unnjbcnk.ini
2009-02-27 10:41 124,416 a------- c:\windows\system32\ulbbti.dll
2009-02-27 10:41 124,416 a------- c:\windows\system32\tlxqqyke.dll
2009-02-26 22:44 125,440 a------- c:\windows\system32\gluavj.dll
2009-02-26 22:44 125,440 a------- c:\windows\system32\uttrrahi.dll
2009-02-26 22:41 120 ---sh--- c:\windows\system32\qqclssbl.ini
2009-02-26 10:44 120 ---sh--- c:\windows\system32\booybvap.ini
2009-02-26 10:41 125,440 a------- c:\windows\system32\gofynd.dll
2009-02-26 10:41 125,440 a------- c:\windows\system32\tsxwlvwx.dll
2009-02-26 07:13 5,846 a--sh--- c:\windows\system32\GiSCffii.ini2
2009-02-25 23:38 120 ---sh--- c:\windows\system32\idcvxcro.ini
2009-02-25 22:42 124,416 a------- c:\windows\system32\veeywf.dll
2009-02-25 10:42 124,416 a------- c:\windows\system32\jknmpq.dll
2009-02-24 08:18 123,392 a------- c:\windows\system32\rrqqlx.dll
2009-02-23 20:18 122,880 a------- c:\windows\system32\wwmerw.dll
2009-02-23 08:21 124,928 a------- c:\windows\system32\cyhibx.dll
2009-02-22 20:21 124,928 a------- c:\windows\system32\nbneuu.dll
2009-02-22 09:01 5,846 a--sh--- c:\windows\system32\GiSCffii.ini
2009-02-21 23:32 332 a------- c:\windows\wininit.ini
2009-02-21 23:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-21 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-21 16:28 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-02-21 16:28 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-02-21 16:28 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-02-21 16:28 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-02-21 16:28 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-02-21 16:28 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-02-21 16:27 <DIR> --d----- c:\docume~1\jacob\applic~1\The Creative Assembly
2009-02-21 16:13 <DIR> --d----- C:\VundoFix Backups
2009-02-21 08:16 123,392 a------- c:\windows\system32\nziusb.dll
2009-02-16 15:06 <DIR> --d----- c:\program files\AVI Movie Player
2009-02-13 06:59 35,328 a------- c:\windows\system32\wvUOeDwX.dll
2009-02-13 04:48 0 a------- c:\windows\system32\mcrh.tmp
2009-02-04 15:18 <DIR> --d----- c:\windows\system32\AGEIA
2009-02-04 15:17 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-04 15:17 206,793 a------- c:\windows\system32\nvapps.nvb
2009-02-04 15:17 <DIR> --d----- c:\windows\NV25483572.TMP
2009-02-03 06:14 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-01 23:06 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE

==================== Find3M ====================

2009-01-17 21:34 3,568 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-15 20:17 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-11 19:46 140,216 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-11 19:45 201,352 a------- c:\windows\system32\PnkBstrB.exe
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-04 13:44 418,480 a------- c:\windows\system32\wrap_oal.dll
2009-01-04 13:44 115,432 a------- c:\windows\system32\OpenAL32.dll
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-06 18:08 17,144 a------- c:\docume~1\jacob\applic~1\GDIPFONTCACHEV1.DAT
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll

============= FINISH: 22:04:39.00 ===============

Attached Files
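The two DDS logs posted above can be triaged mechanically before a helper reads them line by line. The following Python script is an added example written for this page; it is not part of the thread and not DDS's own logic. It parses the load-point lines of the "Pseudo HJT Report" (BHO, Notify, SEH, uRun/mRun, AppInit_DLLs) and the "Created Last 30" records, then applies a handful of analyst heuristics that are assumptions of this example, not rules DDS implements: any DLL listed in AppInit_DLLs; a BHO registered without a display name but with a real file; a Run value named like a hex blob that launches a DLL through rundll32; hidden+system files newly created in system32; and DLLs referenced from two or more load points that were also created within the 30-day window. The sample lines are copied from the log posted above, trimmed to a few entries, so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the DDS log posted in
# this thread (load points plus "Created Last 30"), trimmed for brevity.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {4009d812-52d4-4bb5-bb7d-cbc7344ac5c2} - c:\windows\system32\iiffCSiG.dll
BHO: {446FF373-211B-4A40-B777-5157CCE1E146} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUOeDwX.dll
BHO: {21dd4889-5438-4c48-9904-d8b52ceb76df}: {fd67bec2-5b8d-4099-84c4-83459884dd12} - c:\windows\system32\skqwel.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [c4cf1566] rundll32.exe "c:\windows\system32\mkgarjfg.dll",b
Notify: wvUOeDwX - wvUOeDwX.dll
AppInit_DLLs: zmfnhc.dll rrbvdf.dll nziusb.dll skqwel.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUOeDwX.dll

=============== Created Last 30 ================

2009-02-28 11:03 125,440 a------- c:\windows\system32\skqwel.dll
2009-02-28 11:00 121 ---sh--- c:\windows\system32\egljfguf.ini
2009-02-27 22:44 88,064 a------- c:\windows\system32\mkgarjfg.dll
2009-02-27 22:44 1,665,122 ---sh--- c:\windows\system32\gfjragkm.ini
2009-02-21 23:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-21 16:28 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-02-21 08:16 123,392 a------- c:\windows\system32\nziusb.dll
2009-02-13 06:59 35,328 a------- c:\windows\system32\wvUOeDwX.dll
"""

LOAD_POINT_RE = re.compile(r'^(BHO|Notify|SEH|uRun|mRun|AppInit_DLLs):\s*(.*)$')
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$')
HEX_RUN_KEY_RE = re.compile(r'^\[[0-9a-f]{8}\]\s+rundll32(?:\.exe)?\s', re.IGNORECASE)
DLL_TOKEN_RE = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)
SYSTEM32 = 'c:\\windows\\system32\\'


def dll_basenames(text):
    """Lower-cased file names of every *.dll token on a DDS line."""
    return {m.group(0).rsplit('\\', 1)[-1].lower() for m in DLL_TOKEN_RE.finditer(text)}


def parse_dds(log_text):
    """Split a DDS log into load-point entries and 'Created Last 30' file records."""
    load_points, created = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOAD_POINT_RE.match(line)
        if m:
            load_points.append((m.group(1), m.group(2)))
            continue
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            created.append({'ts': ts, 'size': size, 'attrs': attrs, 'path': path.lower()})
    return load_points, created


def triage(log_text):
    """Return sorted (rule, file name) findings; the rules are analyst heuristics, not DDS logic."""
    load_points, created = parse_dds(log_text)
    findings = set()
    # Files (not directories) recently created directly under system32, keyed by basename.
    dropped = {c['path'].rsplit('\\', 1)[-1]: c for c in created
               if c['path'].startswith(SYSTEM32) and 'd' not in c['attrs']}
    hooks = Counter()  # how many load points reference each DLL

    for kind, text in load_points:
        for dll in dll_basenames(text):
            hooks[dll] += 1
        if kind == 'AppInit_DLLs':
            # Normally empty on XP; every entry here is loaded into every process that loads user32.
            for dll in text.split():
                findings.add(('appinit', dll.lower()))
        elif kind == 'BHO' and text.startswith('{') and not text.endswith('- No File'):
            # BHO with no display name (or a GUID as its name) that still points at a real file.
            for dll in dll_basenames(text):
                findings.add(('nameless-bho', dll))
        elif kind in ('Notify', 'SEH'):
            # Winlogon Notify package / shell execute hook backed by a recently created DLL.
            for dll in dll_basenames(text):
                if dll in dropped:
                    findings.add(('recent-' + kind.lower(), dll))
        elif kind in ('uRun', 'mRun') and HEX_RUN_KEY_RE.match(text):
            # Run value whose name is an 8-digit hex blob and which starts a DLL via rundll32.
            for dll in dll_basenames(text):
                findings.add(('hex-run-rundll32', dll))

    for name, rec in dropped.items():
        if 's' in rec['attrs'] and 'h' in rec['attrs']:
            findings.add(('hidden-system-drop', name))
    for dll, n in hooks.items():
        if n >= 2 and dll in dropped:
            findings.add(('multi-hook-recent-drop', dll))
    return sorted(findings)


if __name__ == '__main__':
    for rule, name in triage(SAMPLE_LOG):
        print(f'{rule:24} {name}')
```

Run against the sample, the script singles out exactly the files a helper would ask about: the AppInit_DLLs entries, the three nameless BHOs, the hex-named Run value loading mkgarjfg.dll, the two hidden .ini drops, and wvUOeDwX.dll and skqwel.dll as recently created DLLs wired into more than one load point, while SDHelper.dll, NvCpl.dll and the DirectX runtime files pass untouched. The heuristics trade recall for precision; they are a first pass to prioritise a log, not a verdict.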



#4 SifuMike (malware expert)

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 February 2009 - 10:26 PM

Hi Klickinater,

You are heavily infected so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable MCAFEE SECURITY CENTER 7.1
Please navigate to the system tray and double-click the taskbar icon to open Security Center.
Click Advanced Menu (bottom mid-left).
Click Configure (left).
Click Computer & Files (top left).
VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
Do the same via Internet & Network for Firewall Plus.


To disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy
Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 28 February 2009 - 10:29 PM.
typo


#5 Klickinater

  • Topic Starter
  • Members
  • 14 posts

Posted 01 March 2009 - 02:40 PM

I ran combofix and several notable things came up (though I think it went smoothly). It said at first that it would have to restart my computer (listing some files that were later deleted). After restarting, all the accounts on my computer had passwords, even the ones that hadn't originally had passwords. And when I tried to log into any of them using any password, the screen would go black and this error would come up:
"The system could not log you on. The server authenticating you reported an error (0xC00000BB). You can find further details in the event log. Please report this error to the system administrator". After restarting the computer again, I could log on and combofix ran. While combofix was running, McAfee bubbles kept popping up saying that it detected and deleted various trojans and malware. And after combofix finished scanning and was preparing the report, it said that McAfee was running, even after I shut it down. So I made sure it was shut down and it still said that it was running, but it went through and completed anyway. The report is as follows:

ComboFix 09-02-28.01 - Jacob 2009-03-01 14:19:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2440 [GMT -5:00]
Running from: c:\documents and settings\Jacob\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jacob\Application Data\Adobe\crc.dat
c:\documents and settings\Jacob\EULA.txt
c:\windows\system32\booybvap.ini
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekafoiydoho.sys
c:\windows\system32\egljfguf.ini
c:\windows\system32\gfjragkm.ini
c:\windows\system32\GiSCffii.ini
c:\windows\system32\GiSCffii.ini2
c:\windows\system32\idcvxcro.ini
c:\windows\system32\jmmksouy.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\qqclssbl.ini
c:\windows\system32\senekadf.dat
c:\windows\system32\senekadollmeki.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekasovhpymt.dat
c:\windows\system32\senekawunwjeqv.dll
c:\windows\system32\unnjbcnk.ini
c:\windows\system32\wvUOeDwX.dll
c:\windows\system32\yujgcuoi.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-03-01 14:26 . 2009-03-01 14:26 <DIR> d-------- c:\windows\LastGood
2009-02-21 23:32 . 2009-02-26 07:12 332 --a------ c:\windows\wininit.ini
2009-02-21 23:02 . 2009-02-21 23:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-21 23:02 . 2009-02-21 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 16:28 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-21 16:28 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-21 16:28 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-21 16:28 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-21 16:28 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-21 16:28 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-21 16:27 . 2009-02-21 16:27 <DIR> d-------- c:\documents and settings\Jacob\Application Data\The Creative Assembly
2009-02-21 16:13 . 2009-02-21 16:13 <DIR> d-------- C:\VundoFix Backups
2009-02-16 15:06 . 2009-02-21 23:30 <DIR> d-------- c:\program files\AVI Movie Player
2009-02-04 15:18 . 2009-02-04 15:18 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-04 15:18 . 2009-02-04 15:18 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-04 15:17 . 2009-02-04 15:21 <DIR> d-------- c:\windows\NV25483572.TMP
2009-02-04 15:17 . 2009-02-04 15:17 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-04 15:17 . 2009-01-15 08:19 206,793 --a------ c:\windows\system32\nvapps.nvb
2009-02-03 06:14 . 2009-02-03 06:14 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-01 23:06 . 2009-02-01 23:06 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 16:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-28 16:05 --------- d-----w c:\program files\EA GAMES
2009-02-27 18:31 --------- d-----w c:\program files\Steam
2009-02-24 08:00 --------- d-----w c:\documents and settings\Jacob\Application Data\MalwareRemovalBot
2009-02-18 17:12 --------- d-----w c:\documents and settings\Jacob\Application Data\BitTorrent
2009-02-03 19:45 --------- d-----w c:\program files\Microsoft Games
2009-01-18 20:18 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2009-01-18 03:31 --------- d-----w c:\program files\Google
2009-01-16 00:29 --------- d-----w c:\program files\Guild Wars
2009-01-16 00:29 --------- d-----w c:\program files\DNA
2009-01-15 13:19 6,301,248 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-01-12 00:46 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-10 11:46 --------- d-----w c:\documents and settings\Mom & Dad\Application Data\MalwareRemovalBot
2009-01-04 21:52 --------- d-----w c:\documents and settings\Jacob\Application Data\Mount&Blade
2009-01-04 16:14 --------- d-----w c:\program files\Java
2009-01-03 23:05 --------- d-----w c:\documents and settings\Mom & Dad\Application Data\Apple Computer
2009-01-03 04:37 --------- d-----w c:\program files\AIM
2009-01-03 04:35 --------- d-----w c:\program files\Common Files\AOL
2009-01-02 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-02 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-02 15:41 --------- d-----w c:\documents and settings\Mom & Dad\Application Data\Aim
2009-01-02 15:39 --------- d-----w c:\program files\BitTorrent
2008-12-06 23:08 17,144 ----a-w c:\documents and settings\Jacob\Application Data\GDIPFONTCACHEV1.DAT
2008-08-23 15:44 61,224 ----a-w c:\documents and settings\Mom & Dad\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\jak233\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\jak233\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Jacob\\Desktop\\Homework\\Stuffs\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mount and blade\\runme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war demo\\Empire.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

S0 ewhocalf;ewhocalf;c:\windows\system32\drivers\jiygrsqs.sys []
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-01 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-03-01 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-03-01 c:\windows\Tasks\wtsfpdvo.job
- c:\windows\system32\byXPJBUN.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
BHO-{23ce9627-2b25-43db-a4b9-6d6df11df66e} - (no file)
BHO-{2CADE14B-7260-4303-A127-1F7EB3789F27} - (no file)
BHO-{446FF373-211B-4A40-B777-5157CCE1E146} - (no file)
BHO-{72611494-2FF2-494B-9950-7844458D9444} - (no file)
BHO-{8CD6833D-FF33-4336-9BD0-6EAC9FE08B21} - (no file)
BHO-{B35C40D9-881D-4198-9DD5-72B1F41519B5} - (no file)
BHO-{D061D0FB-AED4-4CE8-B25A-675E8EB123C0} - c:\windows\system32\iiffCSiG.dll
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\fso9z5he.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 14:27:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\jiygrsqs.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1035525444-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1482476501-1035525444-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f9,a5,b4,f0,ea,e9,c0,c8,7e,52,59,a5,e6,c8,71,95,cc,8e,fb,bc,cd,f7,d1,
80,80,4e,a8,33,56,b7,57,fa,aa,b9,0f,e0,fa,61,13,19,17,04,79,39,0c,b0,d0,2d,\
"??"=hex:3f,69,b0,7d,5d,53,5c,70,d9,1f,7b,cc,d8,2c,7c,95

[HKEY_USERS\S-1-5-21-1482476501-1035525444-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:48,e9,1a,14,f5,3d,cd,c2,db,d8,84,97,ec,06,ff,89,3b,ee,cf,1e,61,
25,b3,dc,16,09,34,13,5a,bc,e9,45,fc,46,d5,64,08,bc,be,3a,2e,3c,cd,6a,b9,61,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-01 14:29:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 19:29:08

Pre-Run: 143,187,795,968 bytes free
Post-Run: 143,406,661,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

219 --- E O F --- 2008-12-18 12:08:18

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 March 2009 - 03:20 PM

Hi Klickinater,

Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 
File:: 
c:\windows\system32\drivers\jiygrsqs.sys
c:\windows\system32\byXPJBUN.dll 
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\Tasks\wtsfpdvo.job
Folder:: 
C:\VundoFix Backups
c:\program files\MalwareRemovalBot
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
Driver:: 
ewhocalf


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
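The entries the script above targets (the Security Center values flipped to 1, the disabled XP firewall, the boot-start driver ComboFix could not stamp, the scheduled task that launches a bare DLL, and the file catchme reported as hidden) can be pulled out of a ComboFix log mechanically. The Python below is an added example for this thread, not a ComboFix or BleepingComputer tool; its sample input is a constructed excerpt of the first log posted above, and the line formats it parses are only those visible in this thread.

```python
"""Triage helper for ComboFix logs (added example; not a ComboFix or BleepingComputer tool).

Pulls out: Security Center values set to 1, the XP firewall switched off, services and
scheduled tasks whose binary ComboFix could not stamp ("[]" / "[?]") or that launch a
bare DLL, and files the catchme rootkit scan reports with a byte count (hidden objects).
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str
    detail: str


# Values under the Security Center key that silence the "no AV / no updates" balloons.
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify", "DisableMonitoring"}
REG_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^([SR][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")
TASK_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$")
TASK_TARGET_RE = re.compile(r"^- (.+?)\s+\[(.*)\]$")
HIDDEN_FILE_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+bytes\s+(\S+)$")
DRIVE_PATH_RE = re.compile(r"[a-zA-Z]:\\\S+")


def triage_combofix_log(text: str) -> list:
    """Return suspicious entries from a ComboFix (or DDS) log, in log order."""
    findings = []
    current_key = None  # last [registry key] header seen
    pending_job = None  # .job path whose "- target [stamp]" line comes next
    in_catchme = False  # inside the catchme rootkit-scan block
    for raw in text.splitlines():
        line = raw.strip()
        # Registry section: key headers, then "name"=dword:value lines.
        if line.startswith("[") and line.endswith("]") and "\\" in line:
            current_key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            if m.group(1) in SECURITY_CENTER_FLAGS and int(m.group(2), 16) == 1:
                findings.append(Finding("security-center-tamper", f"{current_key}\\{m.group(1)}=1"))
            continue
        if current_key and line.startswith('"EnableFirewall"=') and line.endswith("(0x0)"):
            findings.append(Finding("firewall-disabled", current_key))
            continue
        # Service/driver lines: "S0 name;display;path [date size]"; an empty or "?" stamp
        # means ComboFix could not read the binary it points at.
        m = SERVICE_RE.match(line)
        if m:
            if m.group(5).strip() in ("", "?"):
                findings.append(Finding("service-unverified", f"{m.group(1)} {m.group(2)} -> {m.group(4)}"))
            continue
        # Scheduled tasks: a dated .job line followed by "- target [stamp]".
        m = TASK_JOB_RE.match(line)
        if m:
            pending_job = m.group(1)
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_job:
            target, stamp = m.group(1), m.group(2).strip()
            if stamp == "" or target.lower().endswith(".dll"):
                findings.append(Finding("task-unverified-target", f"{pending_job} -> {target}"))
            pending_job = None
            continue
        # catchme block: anything reported with a byte count is a hidden object.
        if line.startswith("catchme "):
            in_catchme = True
        elif in_catchme and line.startswith("scan completed"):
            in_catchme = False
        elif in_catchme and (m := HIDDEN_FILE_RE.match(line)):
            findings.append(Finding("hidden-file", f"{m.group(1)} ({m.group(2)} bytes, {m.group(3)})"))
    return findings


def corroborated_paths(findings: list) -> set:
    """Drive-letter paths named by more than one finding: the strongest removal candidates."""
    counts = Counter()
    for f in findings:
        counts.update({p.lower() for p in DRIVE_PATH_RE.findall(f.detail)})
    return {path for path, n in counts.items() if n > 1}


# Constructed excerpt of the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 ewhocalf;ewhocalf;c:\windows\system32\drivers\jiygrsqs.sys []
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
2009-03-01 c:\windows\Tasks\wtsfpdvo.job
- c:\windows\system32\byXPJBUN.dll []
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
c:\windows\system32\drivers\jiygrsqs.sys 25088 bytes executable
scan completed successfully
"""
```

Run over the sample, the driver jiygrsqs.sys is the only path named by two independent findings (an unstamped S0 service and a catchme hidden file), which is exactly the entry the script above removes as a driver rather than a plain file.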

#7 Klickinater

Klickinater
  • Topic Starter

  • Members
  • 14 posts

Posted 01 March 2009 - 05:22 PM

I followed the steps and everything ran smoothly; the only small blip was that McAfee turned back on when my computer was restarted, but I got a warning window about it and turned it off again. The following is the ComboFix report (after putting the script in it); below it is the DDS scan, and attached is the attach.txt:

ComboFix 09-02-28.01 - Jacob 2009-03-01 17:02:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2350 [GMT -5:00]
Running from: c:\documents and settings\Jacob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jacob\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\byXPJBUN.dll
c:\windows\system32\drivers\jiygrsqs.sys
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\Tasks\wtsfpdvo.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\Tasks\wtsfpdvo.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EWHOCALF
-------\Service_ewhocalf


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-21 23:32 . 2009-02-26 07:12 332 --a------ c:\windows\wininit.ini
2009-02-21 23:02 . 2009-02-21 23:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-21 23:02 . 2009-02-21 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 16:28 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-21 16:28 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-21 16:28 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-21 16:28 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-21 16:28 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-21 16:28 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-21 16:27 . 2009-02-21 16:27 <DIR> d-------- c:\documents and settings\Jacob\Application Data\The Creative Assembly
2009-02-16 15:06 . 2009-02-21 23:30 <DIR> d-------- c:\program files\AVI Movie Player
2009-02-04 15:18 . 2009-02-04 15:18 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-04 15:18 . 2009-02-04 15:18 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-04 15:17 . 2009-02-04 15:21 <DIR> d-------- c:\windows\NV25483572.TMP
2009-02-04 15:17 . 2009-02-04 15:17 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-04 15:17 . 2009-01-15 08:19 206,793 --a------ c:\windows\system32\nvapps.nvb
2009-02-03 06:14 . 2009-02-03 06:14 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-01 23:06 . 2009-02-01 23:06 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 19:48 --------- d-----w c:\program files\Steam
2009-02-28 16:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-28 16:05 --------- d-----w c:\program files\EA GAMES
2009-02-24 08:00 --------- d-----w c:\documents and settings\Jacob\Application Data\MalwareRemovalBot
2009-02-18 17:12 --------- d-----w c:\documents and settings\Jacob\Application Data\BitTorrent
2009-02-03 19:45 --------- d-----w c:\program files\Microsoft Games
2009-01-18 20:18 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2009-01-18 03:31 --------- d-----w c:\program files\Google
2009-01-16 00:29 --------- d-----w c:\program files\Guild Wars
2009-01-16 00:29 --------- d-----w c:\program files\DNA
2009-01-16 00:20 25,088 ----a-w c:\windows\system32\drivers\jiygrsqs.sys
2009-01-15 13:19 6,301,248 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-01-12 00:46 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-10 11:46 --------- d-----w c:\documents and settings\Mom & Dad\Application Data\MalwareRemovalBot
2009-01-04 21:52 --------- d-----w c:\documents and settings\Jacob\Application Data\Mount&Blade
2009-01-04 16:14 --------- d-----w c:\program files\Java
2009-01-03 23:05 --------- d-----w c:\documents and settings\Mom & Dad\Application Data\Apple Computer
2009-01-03 04:37 --------- d-----w c:\program files\AIM
2009-01-03 04:35 --------- d-----w c:\program files\Common Files\AOL
2009-01-02 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-02 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-02 15:41 --------- d-----w c:\documents and settings\Mom & Dad\Application Data\Aim
2009-01-02 15:39 --------- d-----w c:\program files\BitTorrent
2008-12-06 23:08 17,144 ----a-w c:\documents and settings\Jacob\Application Data\GDIPFONTCACHEV1.DAT
2008-08-23 15:44 61,224 ----a-w c:\documents and settings\Mom & Dad\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-01_14.28.29.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-01 16:02:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-01 21:57:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-01 16:02:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-01 21:57:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-01 22:07:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_664.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\jak233\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\jak233\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Jacob\\Desktop\\Homework\\Stuffs\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mount and blade\\runme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war demo\\Empire.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\fso9z5he.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 17:11:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-1035525444-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1482476501-1035525444-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f9,a5,b4,f0,ea,e9,c0,c8,7e,52,59,a5,e6,c8,71,95,cc,8e,fb,bc,cd,f7,d1,
80,80,4e,a8,33,56,b7,57,fa,aa,b9,0f,e0,fa,61,13,19,17,04,79,39,0c,b0,d0,2d,\
"??"=hex:3f,69,b0,7d,5d,53,5c,70,d9,1f,7b,cc,d8,2c,7c,95

[HKEY_USERS\S-1-5-21-1482476501-1035525444-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:ae,11,db,82,09,da,b4,65,51,5a,ae,9b,13,31,e7,d7,05,db,41,82,1f,
2b,e9,0e,e2,34,f2,c3,b9,46,ea,9b,48,d0,ef,9c,ba,4f,98,de,28,38,c4,67,84,ad,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-01 17:13:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 22:13:57
ComboFix2.txt 2009-03-01 19:29:12

Pre-Run: 143,393,271,808 bytes free
Post-Run: 143,387,373,568 bytes free

185 --- E O F --- 2008-12-18 12:08:18


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And now the DDS scan:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jacob at 17:16:36.84 on Sun 03/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2254 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacob\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209947004581
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209946993003
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacob\applic~1\mozilla\firefox\profiles\fso9z5he.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 207656]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 605512]

=============== Created Last 30 ================

2009-03-01 17:02 <DIR> --d----- C:\ComboFix
2009-03-01 08:28 <DIR> a-dshr-- C:\cmdcons
2009-03-01 08:27 161,792 a------- c:\windows\SWREG.exe
2009-03-01 08:27 98,816 a------- c:\windows\sed.exe
2009-02-21 23:32 332 a------- c:\windows\wininit.ini
2009-02-21 23:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-21 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-21 16:28 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-02-21 16:28 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-02-21 16:28 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-02-21 16:28 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-02-21 16:28 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-02-21 16:28 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-02-21 16:27 <DIR> --d----- c:\docume~1\jacob\applic~1\The Creative Assembly
2009-02-16 15:06 <DIR> --d----- c:\program files\AVI Movie Player
2009-02-04 15:18 <DIR> --d----- c:\windows\system32\AGEIA
2009-02-04 15:17 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-04 15:17 206,793 a------- c:\windows\system32\nvapps.nvb
2009-02-04 15:17 <DIR> --d----- c:\windows\NV25483572.TMP
2009-02-03 06:14 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-01 23:06 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE

==================== Find3M ====================

2009-01-17 21:34 3,568 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-15 20:17 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-15 19:20 25,088 a------- c:\windows\system32\drivers\jiygrsqs.sys
2009-01-11 19:46 140,216 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-11 19:45 201,352 a------- c:\windows\system32\PnkBstrB.exe
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-04 13:44 418,480 a------- c:\windows\system32\wrap_oal.dll
2009-01-04 13:44 115,432 a------- c:\windows\system32\OpenAL32.dll
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-06 18:08 17,144 a------- c:\docume~1\jacob\applic~1\GDIPFONTCACHEV1.DAT
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll

============= FINISH: 17:16:49.87 ===============


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:43 PM

Posted 01 March 2009 - 05:54 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
    You want the 32-bit version, not the 64 bit version :!:
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language, then press Continue. Selecting Windows gives you the 32-bit version.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u12-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 11
    Java™ 6 Update 5
    Java™ 6 Update 7
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
I really need to see a Hijackthis log, not the DDS scan.

Download and install the new version by following the instructions here: http://www.download.com/Trend-Micro-Hijack....html?tag=mncol
Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Let it install in the default folder C:\Program Files\Trend Micro\HijackThis
Please post it.

Edited by SifuMike, 01 March 2009 - 06:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Klickinater

Klickinater
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 01 March 2009 - 06:26 PM

Java has been updated, and I'm sorry for the mix-up: the link you had didn't work for me, but I assumed http://www.download.com/Trend-Micro-Hijack....html?tag=mncol was what you had in mind. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:20 PM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209947004581
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209946993003
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5914 bytes
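
Added example, not part of this thread and not SifuMike's or BleepingComputer's tooling: a small Python triage script that automates the two things SifuMike checks in the DDS and HijackThis logs above. It decodes the Sun JRE CLSIDs in the DPF/O16 lines (Sun encodes the build as CAFEEFAC-<family>-0000-<update>-ABCDEFFEDCBA, so 0016/0011 is 1.6.0_11) and flags every Java 6 build older than the recommended update, and it collects the entries HijackThis marks "(file missing)" or "Unknown owner" for a manual look. The sample lines are constructed in the shape of the logs posted here; the `LATEST_JAVA6_UPDATE = 12` threshold and the `triage`/`Findings` names are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed threshold for this example: the Java 6 update recommended in the
# thread (6u12). Change it to whatever is current when you run this.
LATEST_JAVA6_UPDATE = 12

# Constructed sample, shaped like the DDS (DPF:) and HijackThis (O9/O23)
# lines posted in this thread; not a real capture from the poster's machine.
SAMPLE_LOG = r"""
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
""".strip()

# Sun's JRE installer registers one ActiveX CLSID per build:
# {CAFEEFAC-<family>-0000-<update>-ABCDEFFEDCBA}, so 0016/0011 is 1.6.0_11.
# The all-F form is the "latest installed JRE" wildcard and carries no version.
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-(?P<fam>\d{4})-0000-(?P<upd>\d{4})-ABCDEFFEDCBA\}",
    re.IGNORECASE,
)
UNKNOWN_OWNER = re.compile(r"^O23 - Service: (?P<name>.+?) - Unknown owner - ")


def java_version_from_clsid(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) for a Sun JRE CLSID found in text,
    e.g. (16, 11) for 1.6.0_11; None for the wildcard or non-Java CLSIDs."""
    m = JAVA_CLSID.search(text)
    if not m:
        return None
    return int(m.group("fam")), int(m.group("upd"))


@dataclass
class Findings:
    stale_java: List[Tuple[int, int]] = field(default_factory=list)
    file_missing: List[str] = field(default_factory=list)
    unknown_owner: List[str] = field(default_factory=list)


def triage(log_text: str, latest_update: int = LATEST_JAVA6_UPDATE) -> Findings:
    """Scan DDS/HijackThis-style lines and collect items for manual review.
    These are worklist entries, not verdicts."""
    found = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Java 6 builds older than the recommended update are the ones the
        # thread says to remove via Add/Remove Programs before reinstalling.
        ver = java_version_from_clsid(line)
        if ver and ver[0] == 16 and ver[1] < latest_update and ver not in found.stale_java:
            found.stale_java.append(ver)
        # HijackThis appends "(file missing)" when the referenced file is
        # absent on disk: usually a leftover entry, but worth cleaning up.
        if line.endswith("(file missing)"):
            found.file_missing.append(line)
        # "Unknown owner" means HijackThis found no company name in the file's
        # version info; legitimate tools (PunkBuster here) trigger it too.
        m = UNKNOWN_OWNER.match(line)
        if m:
            found.unknown_owner.append(m.group("name"))
    return found


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for fam, upd in result.stale_java:
        print(f"stale JRE 1.{fam % 10}.0_{upd:02d} still registered; uninstall it")
    for line in result.file_missing:
        print("file missing:", line)
    for name in result.unknown_owner:
        print("service with unknown owner:", name)
```

Run against the sample, it reports 1.6.0_05, 1.6.0_07 and 1.6.0_11 as stale (the wildcard CLSID and the static 8AD9C840 CLSID carry no version and are skipped), the dead Messenger button, and the PunkBuster service. Treat the output as a list of things to look at, which is how the helper above reads the log; the script does not decide what is malicious.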

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:43 PM

Posted 01 March 2009 - 06:35 PM

Hi Klickinater,

Your log looks clean. :thumbup2: How is the computer running?

We still have to do some program clean up.

#11 Klickinater

Klickinater
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 01 March 2009 - 06:53 PM

Thanks so much! When I rebooted for the Java installation, I could really see a big difference. I no longer have to wait for it to think for 5 or so minutes; now it's almost immediate. I'm assuming the program cleanup you have in mind is getting rid of ComboFix and DDS scanning etc.

But I was wondering, is there something wrong with McAfee? Shouldn't it see these infections and get rid of them at the very least? Am I wasting my money with McAfee, and is there another program which works better?

PS. I won't forget to donate for all your hard work :thumbup2:

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:43 PM

Posted 01 March 2009 - 07:05 PM

Hi Klickinater,

You're very welcome. :)

But I was wondering, is there something wrong with McAfee? Shouldn't it see these infections and get rid of them at the very least? Am I wasting my money with McAfee, and is there another program which works better?


Unfortunately, the Vundo infections get by all the antivirus scanners. :thumbup2: Your McAfee may indicate that there is a Vundo infection, but it is too deep and there are too many of them for it to remove them.
The malware makers design it so that it is very difficult to remove.

You don't need to pay for an antivirus program, as there are three free ones. Since you already paid for McAfee, keep it until it expires, then try one of these free antiviruses.

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

AVAST Home Edition User Guide
http://www.avast.com/eng/download-avast-home.html

Avira AntiVir User Manual
http://www.free-av.com/en/documentation/index.html

AVG antivirus User Manual
http://free.avg.com/ww.download?prd=afe#tba3


Now we do the program clean up.

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTMoveIt3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#13 Klickinater

Klickinater
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 01 March 2009 - 07:58 PM

Thanks for all your help. I had thought about just letting my computer be since I could still go on the internet etc., but now I'm glad I got rid of it. My computer runs as if I had just bought it :thumbup2:

Again, thanks so much

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:43 PM

Posted 01 March 2009 - 08:22 PM

Well, that is music to my ears. :thumbup2:

And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :)

#15 Klickinater

Klickinater
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:43 PM

Posted 01 March 2009 - 08:38 PM

I also had some general questions about my computer (one being why it only recognizes 2.7 gigs of the 4 gigs of RAM I put in) and I was wondering where I could go to have these answered.



