Windowsclick . com redirect UACd.sys trojan



#1 funinthesun
Posted 23 February 2009 - 08:56 PM

Hello! This is my first post to this forum. I hope that someone will be able to assist/advise me with my computing problems! Here goes:

After being on ticketmaster.com on Feb 19, I believe I fell prey to a JavaScript attack via Adobe Acrobat. The following happened…

1. Anti-virus-1 was downloaded (though I didn’t let it install)
2. feelyouinside . com was opened
3. google search results were redirected to windowsclick . com

I found and deleted the anti-virus-1 from C:\Documents and Settings\All Users\Application Data.

Then I downloaded and used Malwarebytes. After renaming the .exe file, it worked and found 18 bad files. Here is the log file just prior to me restarting my computer after finishing the scan:

=================================================================
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/23/2009 3:52:10 PM
mbam-log-2009-02-23 (15-52-10).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 257899
Time elapsed: 1 hour(s), 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HR\Local Settings\Temp\UACe6a1.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAClqgrrfwo.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACtwuyktqw.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACvijxmnev.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\temp\UACd51d.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACjlktuiqa.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACkomlidme.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACpeqrabdi.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACsvnfuxda.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACuyxmyxwm.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACwftrwost.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACymppkwst.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACbavbrpru.sys (Trojan.Agent) -> Delete on reboot.

=============================================================

A quick scan with Malwarebytes and a full scan with an updated Norton both come up clean. Google works (i.e., no more redirecting).

Now the fun part…

1. Was I infected with something that steals passwords or enables another user to control my computer, such as a backdoor trojan?
2. Is my computer now clean? Can I use it for online banking? Or is it permanently compromised (until I reformat)?
3. Is it prudent to reformat?
4. In the process of cleaning, I tried a system restore at one point, though it was blocked from working. I've read that the trojan can be backed up by system restore. Should I turn off system restore, thereby deleting all saved versions to ensure the Trojan isn't saved, and then turn it back on again?
5. The original operating system is on my E: drive, I believe partitioned away from the rest. Could that have been infected?

I look forward to some advice!
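Reading a log like the one above by hand is fine for one machine, but the useful follow-up is to separate what was quarantined immediately from what was only scheduled "Delete on reboot", and then confirm after the restart that those items are really gone. The parser below is an added example, not Malwarebytes' or this thread's code; it runs on a constructed excerpt in the same MBAM 1.34 layout, and the injectable `exists` argument is the example's own device so the post-reboot check can be exercised offline.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log (added example, not
Malwarebytes' own code). The excerpt below is constructed in the layout of
the log posted above; `exists` is injectable so the post-reboot check can be
exercised on any host (use the default on the cleaned Windows machine).
"""
import os
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.34 format shown in the post.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\system32\\UAClqgrrfwo.dll (Trojan.TDSS) -> Delete on reboot.
C:\\WINDOWS\\temp\\UACd51d.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\UACbavbrpru.sys (Trojan.Agent) -> Delete on reboot.
"""

# "<item> (<detection name>) -> <action>[ -> <action>]"; the non-greedy item
# group tolerates parentheses inside paths such as "Program Files (x86)".
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action, detail.

    `action` is the final disposition ("Delete on reboot", "Quarantined and
    deleted successfully"); `detail` keeps intermediate text such as the
    "Bad: (0) Good: (1)" shown for hijacked registry data.
    """
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # "Files Infected:" and friends
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        steps = [s.strip() for s in m.group("action").split("->")]
        findings.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "action": steps[-1].rstrip("."),
            "detail": " -> ".join(steps[:-1]),
        })
    return findings


def family_counts(findings):
    """Detections per named family (Rootkit.TDSS, Trojan.Agent, ...)."""
    return Counter(f["family"] for f in findings)


def pending_after_reboot(findings):
    """Items MBAM could not remove immediately and only scheduled for deletion."""
    return [f["item"] for f in findings if f["action"].lower() == "delete on reboot"]


def still_present(findings, exists=os.path.exists):
    """After the reboot: which scheduled filesystem items still exist?

    Only file/folder sections are checked; a registry key scheduled for
    deletion (as in the later log in this thread) needs a registry query.
    """
    return {
        f["item"]: exists(f["item"])
        for f in findings
        if f["section"] in ("Files Infected", "Folders Infected")
        and f["action"].lower() == "delete on reboot"
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("detections by family:", dict(family_counts(found)))
    for path, present in still_present(found).items():
        print(("STILL PRESENT  " if present else "gone           ") + path)
```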


#2 miekiemoes
  • Malware Response Team

Posted 24 February 2009 - 05:55 AM

Hi,

I cannot answer your questions yet if I don't have more logs to analyze. Only the log from Malwarebytes is posted here, which tells us what it has removed. This log doesn't tell us what is still present.

That's why...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 funinthesun


Posted 26 February 2009 - 06:58 PM

Hi miekiemoes,

First I'd like to thank you for your response. I have run Combofix as requested, and will post the log below. Before getting your reply, I also downloaded SuperAntiSpyware and ATF-Cleaner and ran both of them. ATF said it deleted about 400 MB from temp folders. The log for SuperAntiSpyware (not sure if you'll find this helpful) is:


===========================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2009 at 11:13 PM

Application Version : 4.25.1012

Core Rules Database Version : 3772
Trace Rules Database Version: 1731

Scan type : Complete Scan
Total Scan Time : 01:02:55

Memory items scanned : 266
Memory threats detected : 0
Registry items scanned : 6628
Registry threats detected : 27
File items scanned : 115666
File threats detected : 0

Rogue.Anti-Virus-1
HKU\S-1-5-21-956863747-3210616500-2729510263-1005\Software\AV1
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}\1.0
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}\1.0\0
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}\1.0\0\win32
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}\1.0\FLAGS
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8}\1.0\HELPDIR
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D}
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D}\ProxyStubClsid
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D}\ProxyStubClsid32
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D}\TypeLib
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D}\TypeLib#Version
HKCR\AppId\QWProtect.DLL
HKCR\AppId\QWProtect.DLL#AppID
HKCR\AppId\{29256442-2C14-48CA-B756-3EE0F8BDC774}
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}\InprocServer32
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}\InprocServer32#ThreadingModel
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}\ProgID
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}\Programmable
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}\TypeLib
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}\VersionIndependentProgID
HKCR\QWProtect.QWProtectBHO
HKCR\QWProtect.QWProtectBHO\CLSID
HKCR\QWProtect.QWProtectBHO\CurVer
HKCR\QWProtect.QWProtectBHO.1
HKCR\QWProtect.QWProtectBHO.1\CLSID

======================================



**I ran it again, and got this:
======================================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2009 at 02:43 AM

Application Version : 4.25.1012

Core Rules Database Version : 3772
Trace Rules Database Version: 1731

Scan type : Complete Scan
Total Scan Time : 01:49:35

Memory items scanned : 265
Memory threats detected : 0
Registry items scanned : 6627
Registry threats detected : 1
File items scanned : 159769
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\HR\Cookies\hr@media.adrevolver[1].txt
C:\Documents and Settings\HR\Cookies\hr@doubleclick[1].txt
C:\Documents and Settings\HR\Cookies\hr@ads.bleepingcomputer[1].txt
C:\Documents and Settings\HR\Cookies\hr@questionmarket[2].txt
C:\Documents and Settings\HR\Cookies\hr@interclick[2].txt
C:\Documents and Settings\HR\Cookies\hr@adrevolver[1].txt
C:\Documents and Settings\HR\Cookies\hr@mediaplex[1].txt
C:\Documents and Settings\HR\Cookies\hr@ad.yieldmanager[1].txt
C:\Documents and Settings\HR\Cookies\hr@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\HR\Cookies\hr@atdmt[2].txt
C:\Documents and Settings\HR\Cookies\hr@a1.interclick[1].txt

Rogue.Anti-Virus-1
HKU\S-1-5-21-956863747-3210616500-2729510263-1005\Software\AV1
======================================================




It seems like the "AV1" will not go. I also ran Malwarebytes again, and the same AV1 finding repeatedly comes up. It says it will be deleted upon rebooting, but that doesn't happen. Here is a log from just before running Combofix:
===========================
Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 5.1.2600 Service Pack 3

2/26/2009 5:44:37 PM
mbam-log-2009-02-26 (17-44-37).txt

Scan type: Quick Scan
Objects scanned: 82308
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AV1 (Rogue.AntiVirus1) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=============================================






***And finally, here is the Combofix log:
======================================
ComboFix 09-02-26.01 - HR 2009-02-26 18:13:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1528 [GMT -5:00]
Running from: c:\documents and settings\HR\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-23 21:52 . 2009-02-23 21:52 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-23 21:52 . 2009-02-23 21:52 <DIR> d-------- c:\documents and settings\HR\Application Data\SUPERAntiSpyware.com
2009-02-23 21:52 . 2009-02-23 21:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-23 21:51 . 2009-02-23 21:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-23 16:35 . 2009-02-23 16:50 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-23 16:35 . 2009-02-23 16:50 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-23 16:35 . 2009-02-23 16:50 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-23 16:35 . 2009-02-23 16:50 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-23 14:33 . 2009-02-23 14:33 <DIR> d-------- c:\documents and settings\HR\Application Data\Malwarebytes
2009-02-23 14:31 . 2009-02-23 15:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 14:31 . 2009-02-23 14:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-23 14:31 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 14:31 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-23 13:02 . 2009-02-23 13:02 <DIR> d-------- C:\temp
2009-02-19 21:22 . 2009-02-19 21:22 10,240 ---hs---- c:\program files\expdebug.exe
2009-02-19 21:22 . 2009-02-20 23:08 65 --a------ c:\windows\system32\winconfig32.ini
2009-02-11 02:18 . 2009-02-11 02:18 <DIR> d-------- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-23 21:50 --------- d-----w c:\program files\Symantec
2009-02-23 21:49 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-23 21:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-23 21:29 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-23 18:03 --------- d-----w c:\documents and settings\HR\Application Data\U3
2009-02-11 07:18 --------- d-----w c:\program files\Real
2009-02-11 07:18 --------- d-----w c:\program files\Common Files\Real
2009-02-09 17:17 --------- d-----w c:\documents and settings\HR\Application Data\Skype
2009-02-08 21:08 --------- d-----w c:\documents and settings\HR\Application Data\skypePM
2009-01-20 02:57 8,390 ----a-w c:\windows\system32\drivers\srtspx.cat
2009-01-20 02:57 8,390 ----a-w c:\windows\system32\drivers\srtspl.cat
2009-01-20 02:57 8,386 ----a-w c:\windows\system32\drivers\srtsp.cat
2009-01-20 02:57 43,824 ----a-w c:\windows\system32\drivers\srtspx.sys
2009-01-20 02:57 319,664 ----a-w c:\windows\system32\drivers\srtspl.sys
2009-01-20 02:57 279,600 ----a-w c:\windows\system32\drivers\srtsp.sys
2009-01-20 02:57 1,431 ----a-w c:\windows\system32\drivers\srtspl.inf
2009-01-20 02:57 1,422 ----a-w c:\windows\system32\drivers\srtspx.inf
2009-01-20 02:57 1,416 ----a-w c:\windows\system32\drivers\srtsp.inf
2009-01-13 19:43 --------- d-----w c:\documents and settings\HR\Application Data\Move Networks
2008-12-27 22:13 65,744 ----a-w c:\documents and settings\HR\Application Data\GDIPFONTCACHEV1.DAT
2008-04-05 13:56 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-01-09 18:05 116 ----a-w c:\documents and settings\HR\Application Data\wklnhst.dat
2006-12-25 17:08 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-09-15 23:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"EPSON Stylus C42 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE" [2002-02-19 74240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-11 198160]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-22 115560]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office 2002\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-20 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-22 23888]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-03-17 1544704]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74dea32c-01f1-11de-9cff-001b24250d12}]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{783c3698-0d64-11dc-9ba4-001636b16b8f}]
\Shell\AutoRun\command - WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b956641a-b2fe-11dc-9be2-001636b16b8f}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9da0986-6004-11dd-9c28-001636b16b8f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc4965ca-06fd-11dc-9b9d-001636b16b8f}]
\Shell\AutoRun\command - g:\wd_windows_tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a4ad71-01d3-11de-9cfb-001b24250d12}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-25 c:\windows\Tasks\Dr. Zeus - Kangana.job
- d:\music\Dr Zeus - Kangna.mp3 [2006-08-31 20:01]

2008-01-31 c:\windows\Tasks\Ja Rule.job
- d:\my music\Ja Rule\Ja Rule feat. Ashanti - Always On Time.mp3 [2002-02-17 14:28]

2008-02-28 c:\windows\Tasks\Jagged Edge.job
- d:\itunes music\Jagged Edge\Jagged Little Thrill\02 Where The Party At.mp3 [2007-08-04 01:31]

2009-02-16 c:\windows\Tasks\Static-X - Push it.job
- d:\my music\Static X\Static-X - Push it.mp3 [2007-04-17 14:01]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.shopping.hp.com/webapp/shopping/generic_subcategory.do?storeName=storefronts&landing=storefronts&category=esp_notebooks&subcat1=esp_notebooks&catLevel=2
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI698F~1\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 18:18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????\??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-956863747-3210616500-2729510263-1005\Software\AV1\AV1\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}]
@DACL=(02 0000)
"id"="maf_309511901"
"{9BB761E6-288E-4782-8538-9069141F34B6}"=dword:00000001
"{BE8A5069-82B0-4214-98DB-715C2B6D3117}"=hex:d9,07,02,00,04,00,13,00,15,00,17,
00,01,00,9c,00
"{84283E6B-C377-498f-BF91-698E877555CC}"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-02-26 18:23:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-26 23:23:10

Pre-Run: 15,179,980,800 bytes free
Post-Run: 15,162,847,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

256 --- E O F --- 2009-02-12 08:03:27
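ComboFix's "Reg Loading Points" section is where a responder looks for weakened settings: the Security Center notification and monitoring values, the firewall profile flag, and the per-volume AutoRun commands under mountpoints2. The script below is an added example, not ComboFix's or BleepingComputer's code; it parses a constructed excerpt in the same REGEDIT4-style layout, and the review rules it applies (the rundll32 and relative-path checks on AutoRun commands) are the example's own heuristics, not criteria taken from the thread.

```python
"""Review the 'Reg Loading Points' section of a ComboFix log (added example,
not ComboFix's code). The excerpt is constructed in the REGEDIT4-style layout
ComboFix printed above; the audit rules are this example's own heuristics.
"""
import re

# Constructed excerpt in the layout of the log posted above.
SAMPLE_REG = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\E]
\\Shell\\AutoRun\\command - c:\\windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\G]
\\Shell\\AutoRun\\command - G:\\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")


def parse_reg_loading_points(text):
    """Return (values, autoruns): values maps key path -> {name: raw text},
    autoruns lists (mountpoints2 key, AutoRun command) pairs."""
    values, autoruns, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            values.setdefault(key, {})
            continue
        if key is None or not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append((key, m.group("cmd")))
            continue
        m = VALUE_RE.match(line)
        if m:
            values[key][m.group("name")] = m.group("value").strip()
    return values, autoruns


def as_int(value):
    """Decode the two integer renderings in the log: 'dword:00000001' (hex)
    and '0 (0x0)' (decimal, then hex in parentheses)."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    m = re.match(r"^(\d+)", v)
    return int(m.group(1)) if m else None


def audit(values, autoruns):
    """Return (location, reason) pairs worth a second look.

    None of these is proof of infection: an AV suite legitimately sets
    DisableMonitoring for itself, and U3/vendor autoruns are common. The aim
    is to surface every weakened Security Center/firewall setting and every
    volume AutoRun command so each can be confirmed or reverted.
    """
    notes = []
    for key, entries in values.items():
        k = key.lower()
        for name, value in entries.items():
            n = name.lower()
            if "security center" in k and n.endswith("disablenotify") and as_int(value) == 1:
                notes.append((f"{key}\\{name}", "Security Center alerts suppressed"))
            elif "security center\\monitoring" in k and n == "disablemonitoring" and as_int(value) == 1:
                notes.append((f"{key}\\{name}", "Security Center not monitoring this product"))
            elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and as_int(value) == 0:
                notes.append((f"{key}\\{name}", "Windows Firewall off for the standard profile"))
    for key, cmd in autoruns:
        first = cmd.split()[0].lower()
        if "rundll32" in first:
            notes.append((key, "AutoRun launches its target indirectly via rundll32"))
        elif not re.match(r"^[a-z]:\\", first):
            notes.append((key, "AutoRun uses a relative path resolved on the mounted volume"))
    return notes


if __name__ == "__main__":
    for where, why in audit(*parse_reg_loading_points(SAMPLE_REG)):
        print(f"{why}: {where}")
```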

#4 miekiemoes
  • Malware Response Team


Posted 27 February 2009 - 05:37 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the browse button and browse to the next file:

c:\program files\expdebug.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

#5 funinthesun


Posted 27 February 2009 - 07:38 AM

Hello!

I removed viewpoint as you suggested. Also, here are the results of the virustotal.com scan:

The first results said that the file had already been analyzed, and I pasted that here first. I also reanalyzed my file and have pasted those results below this one.


=========================
MD5: 82c4f684e04aa9b0ea355e0c3471f119
First received: 02.20.2009 18:47:20 (CET)
Date: 02.20.2009 18:47:19 (CET) [>6D]
Results: 4/39
Permalink: analisis/f1bdff389804cbbaa83b7c26a9fd20ff


File EBVeyBut.exe received on 02.20.2009 18:46:22 (CET)
Current status: finished

Result: 4/39 (10.26%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.20 -
AhnLab-V3 2009.2.20.1 2009.02.20 -
AntiVir 7.9.0.85 2009.02.20 HEUR/Malware
Authentium 5.1.0.4 2009.02.20 W32/Threat-HLLSI-based!Maximus
Avast 4.8.1335.0 2009.02.19 -
AVG 8.0.0.237 2009.02.20 -
BitDefender 7.2 2009.02.20 -
CAT-QuickHeal 10.00 2009.02.20 -
ClamAV 0.94.1 2009.02.20 -
Comodo 983 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.20 -
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6367 2009.02.20 -
F-Prot 4.4.4.56 2009.02.20 W32/Threat-HLLSI-based!Maximus
F-Secure 8.0.14470.0 2009.02.20 -
Fortinet 3.117.0.0 2009.02.20 -
GData 19 2009.02.20 -
Ikarus T3.1.1.45.0 2009.02.20 -
K7AntiVirus 7.10.638 2009.02.20 -
Kaspersky 7.0.0.125 2009.02.20 -
McAfee 5530 2009.02.19 -
McAfee+Artemis 5530 2009.02.19 -
Microsoft 1.4306 2009.02.20 -
NOD32 3873 2009.02.20 -
Norman 6.00.06 2009.02.20 -
nProtect 2009.1.8.0 2009.02.20 -
Panda 10.0.0.10 2009.02.20 -
PCTools 4.4.2.0 2009.02.20 -
Prevx1 V2 2009.02.20 -
Rising 21.17.42.00 2009.02.20 -
SecureWeb-Gateway 6.7.6 2009.02.20 Heuristic.Malware
Sophos 4.39.0 2009.02.20 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.20 -
TheHacker 6.3.2.3.261 2009.02.20 -
TrendMicro 8.700.0.1004 2009.02.20 -
VBA32 3.12.10.0 2009.02.20 -
ViRobot 2009.2.20.1617 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.20 -
Additional information
File size: 10240 bytes
MD5...: 82c4f684e04aa9b0ea355e0c3471f119
SHA1..: 96612e66fbf413a9f770113c6f06fabad19b5cf4
SHA256: f8ec9c0e78550c3ea8e4654ea9b9c8d130c8f3fc10e76df7f9fce16821d13e2f
SHA512: d68d4494db43c28a0bb16d6d7069ad65328bb836e899913e13b7b641a9472cf2de21cb5fa72416adf3203315de4f9693f32171da2e93e00061eaa82646359a0f
ssdeep: 192:EPV//q8dQ4r4WSZg7LLHHMYM2CEUqDOtEhWRcLWOh2Jl:EM4rIZss5VEUqThWRgWG2

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401c00
timedatestamp.....: 0x499dc74b (Thu Feb 19 20:55:39 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xf8e 0x1000 6.09 a650461aaf2f4aa4c5b8aac98cf28fcb
.rdata 0x2000 0x9dd 0xa00 5.21 6532fde73d4d65c03a164fc71cf8bcec
.data 0x3000 0x98 0x200 0.90 9f774bca3595934e9c326647f0943f33
.rsrc 0x4000 0x360 0x400 2.81 169df7557b3a72026f775524ce926471
.reloc 0x5000 0x23c 0x400 3.45 83dd9823449b32ba73caf348b781f81c

( 8 imports )
> ntdll.dll: RtlAllocateHeap, RtlReAllocateHeap, _vsnprintf, RtlFreeHeap, RtlGetLastWin32Error, NtCreateSection, RtlCreateUserThread, NtOpenProcess, RtlEqualUnicodeString, NtQuerySystemInformation, NtMapViewOfSection, CsrClientCallServer, RtlCreateUnicodeStringFromAsciiz, memset, memcpy, atol
> SHLWAPI.dll: StrChrA, StrStrIA
> WSOCK32.dll: -, -, -, -, -, -, -, -, -
> ADVAPI32.dll: LookupPrivilegeValueA, OpenProcessToken, RegQueryValueExA, RegCloseKey, RegOpenKeyExA, RegCreateKeyExA, RegDeleteKeyA, RegSetValueExA, AdjustTokenPrivileges
> urlmon.dll: URLDownloadToFileA
> KERNEL32.dll: CreateThread, ExitThread, Sleep, GetModuleHandleA, VirtualAlloc, VirtualFree, GetVersionExA, GetSystemInfo, GetVolumeInformationA, lstrcpyA, ReadFile, WriteFile, GetFileSize, CreateFileA, GetModuleFileNameA, SetFileAttributesA, CopyFileA, lstrcatA, GetCommandLineA, OpenFile, CreateMutexA, HeapCreate, ExitProcess, CloseHandle, OutputDebugStringA, lstrlenA, GetProcAddress, LoadLibraryA
> USER32.dll: GetDesktopWindow
> SHELL32.dll: SHGetFolderPathA, ShellExecuteA

( 0 exports )

===========================================





Reanalyzed:
============================================
File expdebug.exe received on 02.27.2009 13:15:57 (CET)
Current status: finished


Result: 6/39 (15.39%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.27 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.02.27 HEUR/Malware
Authentium 5.1.0.4 2009.02.27 W32/Threat-HLLSI-based!Maximus
Avast 4.8.1335.0 2009.02.26 -
AVG 8.0.0.237 2009.02.27 -
BitDefender 7.2 2009.02.27 -
CAT-QuickHeal 10.00 2009.02.27 -
ClamAV 0.94.1 2009.02.27 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.27 -
eSafe 7.0.17.0 2009.02.26 Win32.HEURMalware
eTrust-Vet 31.6.6376 2009.02.27 -
F-Prot 4.4.4.56 2009.02.26 W32/Threat-HLLSI-based!Maximus
F-Secure 8.0.14470.0 2009.02.27 -
Fortinet 3.117.0.0 2009.02.27 -
GData 19 2009.02.27 -
Ikarus T3.1.1.45.0 2009.02.27 -
K7AntiVirus 7.10.648 2009.02.26 -
Kaspersky 7.0.0.125 2009.02.27 -
McAfee 5537 2009.02.26 -
McAfee+Artemis 5537 2009.02.26 Generic!Artemis
Microsoft 1.4306 2009.02.27 -
NOD32 3894 2009.02.27 -
Norman 6.00.06 2009.02.26 -
nProtect 2009.1.8.0 2009.02.27 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.27 -
Prevx1 V2 2009.02.27 -
Rising 21.18.42.00 2009.02.27 -
SecureWeb-Gateway 6.7.6 2009.02.27 Heuristic.Malware
Sophos 4.39.0 2009.02.27 -
Sunbelt 3.2.1858.2 2009.02.26 -
Symantec 10 2009.02.27 -
TheHacker 6.3.2.5.267 2009.02.27 -
TrendMicro 8.700.0.1004 2009.02.27 -
VBA32 3.12.10.1 2009.02.26 -
ViRobot 2009.2.27.1627 2009.02.27 -
VirusBuster 4.5.11.0 2009.02.26 -
Additional information
File size: 10240 bytes
MD5...: 82c4f684e04aa9b0ea355e0c3471f119
SHA1..: 96612e66fbf413a9f770113c6f06fabad19b5cf4
SHA256: f8ec9c0e78550c3ea8e4654ea9b9c8d130c8f3fc10e76df7f9fce16821d13e2f
SHA512: d68d4494db43c28a0bb16d6d7069ad65328bb836e899913e13b7b641a9472cf2de21cb5fa72416adf3203315de4f9693f32171da2e93e00061eaa82646359a0f
ssdeep: 192:EPV//q8dQ4r4WSZg7LLHHMYM2CEUqDOtEhWRcLWOh2Jl:EM4rIZss5VEUqThWRgWG2

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1c00
timedatestamp.....: 0x499dc74b (Thu Feb 19 20:55:39 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xf8e 0x1000 6.09 a650461aaf2f4aa4c5b8aac98cf28fcb
.rdata 0x2000 0x9dd 0xa00 5.21 6532fde73d4d65c03a164fc71cf8bcec
.data 0x3000 0x98 0x200 0.90 9f774bca3595934e9c326647f0943f33
.rsrc 0x4000 0x360 0x400 2.81 169df7557b3a72026f775524ce926471
.reloc 0x5000 0x23c 0x400 3.45 83dd9823449b32ba73caf348b781f81c

( 8 imports )
> ntdll.dll: RtlAllocateHeap, RtlReAllocateHeap, _vsnprintf, RtlFreeHeap, RtlGetLastWin32Error, NtCreateSection, RtlCreateUserThread, NtOpenProcess, RtlEqualUnicodeString, NtQuerySystemInformation, NtMapViewOfSection, CsrClientCallServer, RtlCreateUnicodeStringFromAsciiz, memset, memcpy, atol
> SHLWAPI.dll: StrChrA, StrStrIA
> WSOCK32.dll: -, -, -, -, -, -, -, -, -
> ADVAPI32.dll: LookupPrivilegeValueA, OpenProcessToken, RegQueryValueExA, RegCloseKey, RegOpenKeyExA, RegCreateKeyExA, RegDeleteKeyA, RegSetValueExA, AdjustTokenPrivileges
> urlmon.dll: URLDownloadToFileA
> KERNEL32.dll: CreateThread, ExitThread, Sleep, GetModuleHandleA, VirtualAlloc, VirtualFree, GetVersionExA, GetSystemInfo, GetVolumeInformationA, lstrcpyA, ReadFile, WriteFile, GetFileSize, CreateFileA, GetModuleFileNameA, SetFileAttributesA, CopyFileA, lstrcatA, GetCommandLineA, OpenFile, CreateMutexA, HeapCreate, ExitProcess, CloseHandle, OutputDebugStringA, lstrlenA, GetProcAddress, LoadLibraryA
> USER32.dll: GetDesktopWindow
> SHELL32.dll: SHGetFolderPathA, ShellExecuteA

( 0 exports )

#6 miekiemoes

  • Malware Response Team

Posted 27 February 2009 - 07:41 AM

Hi,

Please delete the c:\program files\expdebug.exe file

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 funinthesun
  • Topic Starter

Posted 27 February 2009 - 08:14 AM

I deleted the file and then uninstalled ComboFix as advised. As for how things are working... since the first run of Malwarebytes, Google had been back to normal. And the Google redirect was the only visible change I could see, other than the scans picking things up. So, I suppose I'd say no change. :thumbup2:

#8 miekiemoes

  • Malware Response Team

Posted 27 February 2009 - 08:22 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 funinthesun
  • Topic Starter

Posted 27 February 2009 - 08:36 AM

I really do appreciate your help. But before you go, I have just a couple of questions. Malwarebytes still brings this up: HKEY_CURRENT_USER\SOFTWARE\AV1. Is there a way to get rid of it? A couple of days ago I looked it up in the registry editor and tried to delete it but I was unable to.

Also, do you think my computer is now secure? Can I again use it to log into personal accounts?

#10 miekiemoes

  • Malware Response Team

Posted 27 February 2009 - 09:06 AM

Hi,

It's indeed a locked key. I see you know how to use regedit and browse to that key?
If you right-click the AV1 key, you should be able to change permissions in the properties, so give yourself full access and empty out the deny boxes. Then you should be able to delete that key.
Let me know :thumbup2:

#11 funinthesun
  • Topic Starter

Posted 27 February 2009 - 09:24 AM

I've looked in the registry before... more out of curiosity, haha. So I went in and it's not working. AV1 and its key below it, also called AV1, both have full control and read checked for allow and nothing for deny. However, the key below, whose name has maybe 20 different random numbers and letters, has all 6 boxes faded out without any being checked. So I assume the problem is there... What do you think?

#12 miekiemoes

  • Malware Response Team

Posted 27 February 2009 - 09:39 AM

Yes, it's the subkey {F275E931-AFEC-4f70-B0D4-CC2731B945E0} that is locked there, so right-click that one and change ownership and give yourself full access.
Then you'll be able to delete that subkey and also the AV1.

#13 funinthesun
  • Topic Starter

Posted 27 February 2009 - 09:44 AM

Right, but the boxes are gray. It won't let me click any of the boxes under permissions, neither allow nor deny, and none are checked.

#14 miekiemoes

  • Malware Response Team

Posted 27 February 2009 - 09:56 AM

Ok, do the following, to make it easier for you...

In case you didn't delete ComboFix yet...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

REGLOCKDEL::
[HKEY_USERS\S-1-5-21-956863747-3210616500-2729510263-1005\Software\AV1\AV1\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}]
[HKEY_CURRENT_USER\SOFTWARE\AV1\AV1\{F275E931-AFEC-4f70-B0D4-CC2731B945E0}]
[HKEY_CURRENT_USER\SOFTWARE\AV1]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again and should delete that key.
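The locked-key procedure described in posts #10, #12 and #14 (take ownership, grant yourself full control, drop the deny entries, then delete), as an added PowerShell example that is not code from the thread, the helper or ComboFix. It assumes an elevated PowerShell session; the key path is the one named in the thread, and the account defaults to the current user.

```powershell
# Added example, not from the thread: unlock and remove a registry key whose DACL
# locks the user out (the AV1 subkey with all permission boxes grayed out above).
$SubKey = 'SOFTWARE\AV1'                                    # relative to HKEY_CURRENT_USER
$Hive   = [Microsoft.Win32.Registry]::CurrentUser
$Me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # current user's SID

function Unlock-RegistryKey {
    param([string]$Path)

    # 1. Take ownership. Opening with only TakeOwnership rights succeeds even when the
    #    DACL grants us nothing, because an elevated admin holds SeTakeOwnershipPrivilege
    #    (.NET enables it while persisting the owner). Only the owner section is written.
    $key = $Hive.OpenSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $key) { throw "Cannot open HKCU\$Path" }
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($Me)
    $key.SetAccessControl($ownerOnly)
    $key.Close()

    # 2. The owner implicitly holds READ_CONTROL and WRITE_DAC, so the DACL can now be
    #    rewritten: remove Deny entries and add a FullControl Allow entry for ourselves
    #    (the "add myself as an object" step from post #15).
    $rights = [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
              [System.Security.AccessControl.RegistryRights]::ReadPermissions
    $key = $Hive.OpenSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Deny') { [void]$acl.RemoveAccessRule($ace) }
    }
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($allow)
    $key.SetAccessControl($acl)
    $key.Close()

    # 3. Recurse so every locked subkey (the GUID-named one in the thread) is unlocked too;
    #    deleting a tree needs Delete on each key inside it.
    $key = $Hive.OpenSubKey($Path, $false)
    foreach ($child in $key.GetSubKeyNames()) { Unlock-RegistryKey "$Path\$child" }
    $key.Close()
}

Unlock-RegistryKey $SubKey
$Hive.DeleteSubKeyTree($SubKey)
Write-Host "Removed HKCU\$SubKey"
```

Export the key with reg.exe before running this if you want to keep a copy of what the malware wrote, since the deletion is not reversible.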

#15 funinthesun
  • Topic Starter

Posted 27 February 2009 - 09:58 AM

I figured it out! I had to add myself as an "object" and then I was able to check the permission boxes and ultimately delete them all. Wonderful!

Ok, last question.... and yes, I might be a bit paranoid that there is still something on my computer (it's been years since I had anything like this happen)... but in your opinion, is my computer safe and free of malware?



