Infected Hijack.userinit in Registry Data Items


This topic is locked. 22 replies to this topic.

#1 TarHeel1 (Members, 32 posts)

Posted 17 June 2009 - 04:56 PM

Referred by my previous thread:

http://www.bleepingcomputer.com/forums/ind...p;#entry1302361

Any help would be greatly appreciated. Thanks.

Attached Files




#2 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 20 June 2009 - 09:43 AM

Hello and welcome to BleepingComputer.com! :thumbup2:

I will be helping you today. :) If you still need help, please let me know by replying to this thread. :)

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to analyse your logs, I will be back shortly.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 20 June 2009 - 10:42 AM

Heya,

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Now let us check for rootkits:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Finally please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post back with the logs from gmer and ComboFix as well as any remaining problems you might have.

regards _temp_



#4 TarHeel1 (Topic Starter, Members, 32 posts)

Posted 20 June 2009 - 02:42 PM

GMER Log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-20 15:16:46
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

COMBO FIX Log:

ComboFix 09-06-20.01 - Marc 06/20/2009 15:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.441 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\chfyosn.exe
c:\program files\Common
c:\windows\dll
c:\windows\system32\3361
C:\mupwjiav.exe
c:\program files\Common\_helper.sig
c:\program files\hp\digital imaging\bin\hpqddcmn.dll
c:\windows\Install.txt
c:\windows\irc.txt
c:\windows\kb913800.exe
c:\windows\system32\Install.txt
c:\windows\wiaserviv.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_DHCPSRV
-------\Legacy_ISADISK
-------\Legacy_JMNHHGRTJA35UJGHUYKJ6R8IO9IUJG80
-------\Legacy_PODMENA
-------\Legacy_PODMENADRV


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-20 19:27 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-16 23:17 . 2009-06-20 19:30 117760 ----a-w- c:\documents and settings\Marc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 23:17 . 2009-06-16 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-16 23:16 . 2009-06-16 23:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 23:16 . 2009-06-16 23:16 -------- d-----w- c:\documents and settings\Marc\Application Data\SUPERAntiSpyware.com
2009-06-16 23:16 . 2009-06-16 23:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-16 21:55 . 2009-06-16 21:55 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-27 22:08 . 2009-05-27 22:08 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-27 22:08 . 2009-05-27 22:08 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-27 22:08 . 2009-05-27 22:08 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-27 22:08 . 2009-05-27 22:08 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 19:11 . 2006-10-12 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-16 21:55 . 2009-02-18 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 17:20 . 2009-02-18 23:09 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-02-18 23:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 22:08 . 2009-04-22 22:08 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-22 22:08 . 2009-02-18 23:08 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 09:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-11-16 13:51 . 2008-11-16 13:51 19676 ----a-w- c:\program files\Common Files\hodinuhat._dl
2008-11-16 06:01 . 2008-11-16 06:01 12649 ----a-w- c:\program files\Common Files\orylyxas.vbs
2008-11-16 06:01 . 2008-11-16 06:01 19393 ----a-w- c:\program files\Common Files\gopupitu.vbs
2008-11-16 06:01 . 2008-11-16 06:01 11757 ----a-w- c:\program files\Common Files\dymihupi._sy
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-03-30 21:45 . 2006-03-30 21:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2006-10-18 01:13 . 2006-08-01 19:35 67112 c:\program files\AIM\bak\aim.exe
2006-10-18 01:13 . 2006-08-01 20:35 67112 c:\program files\AIM\aim.exe

2006-01-02 22:41 . 2006-01-02 22:41 45056 c:\program files\ATI Technologies\ATI.ACE\bak\cli.exe

2005-06-10 15:44 . 2005-06-10 15:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2005-06-10 15:44 . 2005-06-10 15:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2004-12-13 20:30 . 2004-12-13 20:30 58992 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-10-12 14:58 . 2005-12-10 01:29 49152 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2006-10-12 14:56 . 2006-06-29 17:13 1032192 c:\program files\Dell\QuickSet\bak\quickset.exe

2006-07-17 02:29 . 2006-07-17 02:29 389120 c:\program files\Dell Support\bak\DSAgnt.exe

2006-10-12 15:09 . 2006-10-12 15:09 169984 c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe

2007-06-30 12:41 . 2007-06-30 12:41 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2006-12-11 01:52 . 2006-12-11 01:52 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2006-12-11 01:52 . 2006-12-11 01:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2005-08-16 09:37 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-04-14 10:42 . 2008-04-14 10:42 1695232 c:\program files\Messenger\msmsgs.exe

2006-10-12 14:57 . 2003-09-10 07:24 20480 c:\program files\NetWaiting\bak\netWaiting.exe

2005-12-07 21:05 . 2005-12-07 21:05 1537696 c:\program files\Norton Ghost\Agent\bak\GhostTray.exe

2006-10-12 15:00 . 2006-10-12 15:00 98304 c:\program files\QuickTime\bak\bak\qttask.exe
2008-05-27 14:50 . 2008-05-27 14:50 413696 c:\program files\QuickTime\QTTask.exe

2006-10-12 15:00 . 2006-10-12 15:00 98304 c:\program files\QuickTime\bak\bak\qttask.exe

2006-10-12 14:56 . 2006-03-08 16:48 761947 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2005-08-30 14:47 . 2005-08-30 14:47 823362 c:\program files\Trend Micro\Internet Security 12\bak\pccguide.exe

2005-08-16 00:38 . 2006-04-11 23:39 176201 c:\program files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe

2005-08-16 09:37 . 2005-09-29 19:01 67584 c:\windows\ehome\bak\ehtray.exe
2005-08-16 09:37 . 2004-08-10 09:04 59392 c:\windows\ehome\ehtray.exe

2005-08-16 09:18 . 2004-08-10 10:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 09:18 . 2008-04-14 10:42 15360 c:\windows\system32\ctfmon.exe

2006-10-12 14:26 . 2005-12-19 13:08 1347584 c:\windows\system32\bak\WLTRAY.exe

2006-10-12 15:01 . 2004-12-06 06:05 127035 c:\windows\system32\dla\bak\tfswctrl.exe

2006-10-22 22:15 . 2002-11-05 18:34 188416 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-17 518488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-12 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/18/2009 7:08 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1003344]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 10:47 AM 202768]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 10:47 AM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 10:47 AM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 10:47 AM 35856]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 10:47 AM 262215]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S2 download02;Remote TCP/IP v;c:\windows\System32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 wowsystemcode123;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
download02
wowsystemcode123
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.unc.edu/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 15:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\gearsec.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-06-20 15:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 19:35

Pre-Run: 39,166,291,968 bytes free
Post-Run: 39,395,074,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

213 --- E O F --- 2009-06-11 03:21
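The lines a helper keys on in the log above are the two S2 services that run inside "svchost.exe -k netsvcs" (download02 and wowsystemcode123, also listed under the Svchost - NetSvcs heading) and the AWF section, where each live startup executable is paired with a copy under a bak\ folder. As an added example that is not part of the original thread and is not ComboFix's own code, the Python script below parses a handful of lines copied from that log (the sample is constructed from the post) and flags exactly those things: svchost-hosted netsvcs services whose names are not in a stock XP SP3 netsvcs list, names ComboFix prints under the NetSvcs heading, and each bak\ copy matched to the live file of the same name with both sizes. The XP SP3 baseline set and all function names are my assumptions, not taken from the page.

```python
import re

# Constructed sample: lines trimmed from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 10:47 AM 290889]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1003344]
S2 download02;Remote TCP/IP v;c:\windows\System32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 wowsystemcode123;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
download02
wowsystemcode123
.
2006-10-18 01:13 . 2006-08-01 19:35 67112 c:\program files\AIM\bak\aim.exe
2006-10-18 01:13 . 2006-08-01 20:35 67112 c:\program files\AIM\aim.exe
2006-07-17 02:29 . 2006-07-17 02:29 389120 c:\program files\Dell Support\bak\DSAgnt.exe
2006-10-12 15:00 . 2006-10-12 15:00 98304 c:\program files\QuickTime\bak\bak\qttask.exe
2008-05-27 14:50 . 2008-05-27 14:50 413696 c:\program files\QuickTime\QTTask.exe
2005-08-16 09:37 . 2005-09-29 19:01 67584 c:\windows\ehome\bak\ehtray.exe
2005-08-16 09:37 . 2004-08-10 09:04 59392 c:\windows\ehome\ehtray.exe
""".strip().splitlines()

# Assumption: approximate set of service names that belong to the netsvcs
# svchost group on a stock Windows XP SP3 install. svchost.exe itself is a
# clean Microsoft binary; the real code of a netsvcs member lives in its
# ServiceDll, so an unknown name in this group is the thing to inspect.
XP_SP3_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver",
    "dhcp", "ersvc", "eventsystem", "fastuserswitchingcompatibility", "helpsvc",
    "hkmsvc", "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation",
    "messenger", "napagent", "netman", "nla", "ntmssvc", "nwcworkstation",
    "nwsapagent", "rasauto", "rasman", "remoteaccess", "schedule", "seclogon",
    "sens", "sharedaccess", "shellhwdetection", "srservice", "tapisrv", "themes",
    "trkwks", "uploadmgr", "w32time", "winmgmt", "wmdmpmsp", "wmi", "wscsvc",
    "wuauserv", "wzcsvc", "xmlprov",
}

# "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
# "<created> . <modified> <size> <path>" as printed in the AWF section
FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+\s+(?P<size>\d+)\s+(?P<path>.+)$")


def parse_services(lines):
    """Return one dict per service line (state, name, display, image)."""
    found = []
    for ln in lines:
        m = SERVICE_RE.match(ln.strip())
        if m:
            found.append({k: m.group(k).strip() for k in ("state", "name", "display", "image")})
    return found


def suspicious_netsvcs(lines):
    """Names of services hosted by 'svchost.exe -k netsvcs' that are not baseline XP members."""
    return [s["name"] for s in parse_services(lines)
            if "svchost.exe -k netsvcs" in s["image"].lower()
            and s["name"].lower() not in XP_SP3_NETSVCS]


def netsvcs_additions(lines):
    """Non-baseline names printed under the 'Svchost - NetSvcs' heading (the REG_MULTI_SZ additions)."""
    names, grab = [], False
    for ln in lines:
        ln = ln.strip()
        if ln.endswith("Svchost - NetSvcs"):
            grab = True
            continue
        if grab:
            if not ln or ln == ".":
                break
            names.append(ln)
    return [n for n in names if n.lower() not in XP_SP3_NETSVCS]


def awf_pairs(lines):
    """Map each live path (lower-cased) to (size of its bak\\ copy, size of the live file or None)."""
    bak, live = {}, {}
    for ln in lines:
        m = FILE_RE.match(ln.strip())
        if not m:
            continue
        path, size = m.group("path").lower(), int(m.group("size"))
        if "\\bak\\" in path:
            # collapse one or more "\bak\" components to recover the original location
            bak[re.sub(r"(\\bak)+\\", r"\\", path)] = size
        else:
            live[path] = size
    return {p: (bak_size, live.get(p)) for p, bak_size in bak.items()}


def triage(lines):
    """Everything a helper would read first, in one dict."""
    return {"netsvcs_services": suspicious_netsvcs(lines),
            "netsvcs_listed": netsvcs_additions(lines),
            "awf": awf_pairs(lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("unknown netsvcs services:", report["netsvcs_services"])
    print("listed under NetSvcs    :", report["netsvcs_listed"])
    for path, (bak_size, live_size) in report["awf"].items():
        print(f"{path}: bak={bak_size} live={live_size}")
```

The point of the pairing is that the log lists the bak\ copy first and, where it exists, the current file at the original location with its own size; a mismatch or a missing live file tells you which startup entry to look at before asking ComboFix to remove the bak folders wholesale. The two netsvcs checks are deliberately separate: a service can be registered with "-k netsvcs" without being added to the NetSvcs list (in which case svchost will not load it), and a name can sit in the list with no matching service key, so a clean-up has to address both, which is what the Driver:: and NetSvc:: directives in the next post do.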

#5 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 21 June 2009 - 10:04 AM

Heya TarHeel1 :thumbup2:

ComboFix has started cleaning some of the bad entries. Let's keep going. :)

Please do the following:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\hodinuhat._dl
c:\program files\Common Files\orylyxas.vbs
c:\program files\Common Files\gopupitu.vbs
c:\program files\Common Files\dymihupi._sy
Folder::
c:\program files\Adobe\Acrobat 7.0\Reader\bak
c:\program files\AIM\bak
c:\program files\ATI Technologies\ATI.ACE\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\Symantec Shared\bak
c:\program files\CyberLink\PowerDVD\bak
c:\program files\Dell\QuickSet\bak
c:\program files\Dell Support\bak
c:\program files\Google\Google Desktop Search\bak
c:\program files\Google\GoogleToolbarNotifier\bak
c:\program files\HP\HP Software Update\bak
c:\program files\Messenger\bak
c:\program files\NetWaiting\bak
c:\program files\Norton Ghost\Agent\bak
c:\program files\QuickTime\bak
c:\program files\Synaptics\SynTP\bak
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\bak
c:\windows\ehome\bak
c:\windows\system32\bak
c:\windows\system32\dla\bak
c:\windows\system32\spool\drivers\w32x86\3\bak\

Driver::
download02
wowsystemcode123

NetSvc::
download02
wowsystemcode123


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards _temp_



#6 TarHeel1 (Topic Starter, Members, 32 posts)

Posted 21 June 2009 - 01:11 PM

ComboFix Log:



ComboFix 09-06-20.04 - Marc 06/21/2009 13:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.495 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marc\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\program files\Common Files\dymihupi._sy"
"c:\program files\Common Files\gopupitu.vbs"
"c:\program files\Common Files\hodinuhat._dl"
"c:\program files\Common Files\orylyxas.vbs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\Acrobat 7.0\Reader\bak
c:\program files\AIM\bak
c:\program files\ATI Technologies\ATI.ACE\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\Symantec Shared\bak
c:\program files\CyberLink\PowerDVD\bak
c:\program files\Dell Support\bak
c:\program files\Dell\QuickSet\bak
c:\program files\Google\Google Desktop Search\bak
c:\program files\Google\GoogleToolbarNotifier\bak
c:\program files\HP\HP Software Update\bak
c:\program files\Messenger\bak
c:\program files\NetWaiting\bak
c:\program files\Norton Ghost\Agent\bak
c:\program files\QuickTime\bak
c:\program files\Synaptics\SynTP\bak
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\bak
c:\windows\ehome\bak
c:\windows\system32\bak
c:\windows\system32\config\systemprofile\Application Data\gadcom
c:\windows\system32\dla\bak
c:\windows\system32\spool\drivers\w32x86\3\bak\
c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
c:\program files\AIM\bak\aim.exe
c:\program files\ATI Technologies\ATI.ACE\bak\cli.exe
c:\program files\Common Files\dymihupi._sy
c:\program files\Common Files\gopupitu.vbs
c:\program files\Common Files\hodinuhat._dl
c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
c:\program files\Common Files\orylyxas.vbs
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\Dell Support\bak\DSAgnt.exe
c:\program files\Dell\QuickSet\bak\quickset.exe
c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe
c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
c:\program files\Messenger\bak\msmsgs.exe
c:\program files\NetWaiting\bak\netWaiting.exe
c:\program files\Norton Ghost\Agent\bak\GhostTray.exe
c:\program files\QuickTime\bak\bak\qttask.exe
c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe
c:\windows\ehome\bak\ehtray.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\WLTRAY.exe
c:\windows\system32\dla\bak\tfswctrl.exe
c:\windows\system32\spool\drivers\w32x86\3\bak\\hpztsb07.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOWNLOAD02
-------\Legacy_WOWSYSTEMCODE123
-------\Service_download02
-------\Service_wowsystemcode123


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-20 19:27 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-20 19:27 . 2008-04-14 10:42 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-16 23:17 . 2009-06-21 18:03 117760 ----a-w- c:\documents and settings\Marc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 23:17 . 2009-06-16 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-16 23:16 . 2009-06-16 23:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 23:16 . 2009-06-16 23:16 -------- d-----w- c:\documents and settings\Marc\Application Data\SUPERAntiSpyware.com
2009-06-16 23:16 . 2009-06-16 23:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-16 21:55 . 2009-06-16 21:55 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-27 22:08 . 2009-05-27 22:08 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-27 22:08 . 2009-05-27 22:08 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-27 22:08 . 2009-05-27 22:08 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-27 22:08 . 2009-05-27 22:08 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 18:00 . 2006-10-12 14:57 -------- d-----w- c:\program files\NetWaiting
2009-06-21 17:57 . 2006-10-12 15:00 -------- d-----w- c:\program files\QuickTime
2009-06-21 17:57 . 2006-10-12 15:15 -------- d-----w- c:\program files\Dell Support
2009-06-21 17:57 . 2006-10-12 15:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-21 17:57 . 2006-10-18 01:13 -------- d-----w- c:\program files\AIM
2009-06-20 19:11 . 2006-10-12 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-16 21:55 . 2009-02-18 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 17:20 . 2009-02-18 23:09 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-02-18 23:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 22:08 . 2009-04-22 22:08 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-22 22:08 . 2009-02-18 23:08 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 09:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_19.31.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-21 18:02 . 2009-06-21 18:02 16384 c:\windows\Temp\Perflib_Perfdata_8f4.dat
+ 2009-06-21 18:02 . 2009-06-21 18:02 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
+ 2005-08-16 09:18 . 2009-06-20 19:34 62434 c:\windows\system32\perfc009.dat
- 2005-08-16 09:18 . 2009-06-17 01:26 62434 c:\windows\system32\perfc009.dat
+ 2005-08-16 09:18 . 2009-06-20 19:34 402994 c:\windows\system32\perfh009.dat
- 2005-08-16 09:18 . 2009-06-17 01:26 402994 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-17 518488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-12 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/18/2009 7:08 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1003344]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 10:47 AM 202768]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 10:47 AM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 10:47 AM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 10:47 AM 35856]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 10:47 AM 262215]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.unc.edu/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 14:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\gearsec.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-06-21 14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 18:07
ComboFix2.txt 2009-06-20 19:35

Pre-Run: 39,342,022,656 bytes free
Post-Run: 39,469,174,784 bytes free

218 --- E O F --- 2009-06-11 03:21
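A way to triage the "Reg Loading Points" part of a log like the one above, as an added Python example that is not part of the original post or of ComboFix itself. It parses the Run-key values, Startup-folder shortcuts, service lines and Security Center "DisableMonitoring" values in the format ComboFix prints, then flags autostart entries that load from outside the Windows and Program Files trees and vendors whose Security Center monitoring is switched off. The trusted-directory list, both rules and the made-up "svchosts" line in the sample are this example's own choices; the other sample lines are copied from the log above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the original post or of ComboFix. The
trusted-directory list and both rules are this example's own.
"""
import re

# Autostart entries are expected to live under these trees on an XP box;
# anything starting elsewhere (profile folders, Temp, drive root) is flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

KEY_RE = re.compile(r"^\[(?P<key>hk[^\]]+)\]\s*$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'   # "name"="value"
    r"(?:\s+-\s+(?P<resolved>.+?))?"           # optional ' - c:\resolved\path'
    r"(?:\s+\[(?P<stamp>[^\]]+)\])?\s*$"       # optional ' [date size]'
)
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk)\s+-\s+(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\]\s*$",
                    re.IGNORECASE)
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"  # R2 Name;Display;
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\]\s*$"                # path [date size]
)
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1\s*$', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\run(once)?$", re.IGNORECASE)


def parse_loading_points(text):
    """Return (kind, name, path, context) tuples, in log order."""
    entries = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(("service", m.group("name"), m.group("path"), m.group("start")))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(("startup-folder", m.group("name"), m.group("path"), ""))
            continue
        if DISABLE_RE.match(line):
            vendor = current_key.rsplit("\\", 1)[-1]
            entries.append(("wsc-disabled", vendor, "", current_key))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and RUN_KEY_RE.search(current_key):
            # ComboFix prints a bare file name followed by ' - ' and the
            # path it resolved to; prefer the resolved path.
            path = m.group("resolved") or m.group("value")
            entries.append(("run-key", m.group("name"), path, current_key))
    return entries


def triage(text):
    """Return findings ({'rule', 'name', 'path'}) for a human to review."""
    findings = []
    for kind, name, path, context in parse_loading_points(text):
        if kind == "wsc-disabled":
            # A security suite may set this for its own products (Trend Micro
            # does here), but malware sets it too, so report it for review.
            findings.append({"rule": "wsc-disabled", "name": name, "path": context})
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append({"rule": "nonstandard-path", "name": name, "path": path})
    return findings


# Constructed sample: lines copied from the log above plus one made-up
# Run value ('svchosts') so the path rule has something to catch.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"svchosts"="c:\documents and settings\All Users\Application Data\svchosts.exe" [2009-06-20 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/18/2009 7:08 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 10:47 AM 290889]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["rule"], f["name"], f["path"])
```

On the real log above this reports only the two Trend Micro "DisableMonitoring" values, and those are expected for a machine running Trend's own suite; the point of the path rule is that a driver or Run value living under Documents and Settings, Temp or the drive root is the first thing a helper looks at.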

#7 myrti (Malware Study Hall Admin)

Posted 22 June 2009 - 06:57 AM

Hi TarHeel1 :thumbup2:

Things are looking better. :) How is your PC doing?

Please do the following:
Open notepad and copy/paste the text in the codebox below into it:
@echo off
rem Added comments: this script needs a command-line zip.exe on the PATH.
rem Windows does not ship one, so without a third-party zip installed it creates nothing.
for %%g in (
"C:\Qoobox\Quarantine\C\program files\hp\digital imaging\bin\hpqddcmn.dll.vir"
) do zip Files_for_submission %%g
rem the batch file deletes itself once it has run
del %0
Save this as zip.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: [image]
Double click on zip.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here --> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please post back once you have uploaded the file. :)

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 TarHeel1 (Topic Starter)

Posted 22 June 2009 - 04:58 PM

I ran the program but it did not create a separate file. Am I doing something incorrectly? Thanks for your help.

#9 myrti (Malware Study Hall Admin)

Posted 22 June 2009 - 06:56 PM

Hi TarHeel1,

We're going to upload the file manually.
Please do the following:
Click on the following link: http://www.bleepingcomputer.com/submit-malware.php?channel=4

There navigate to the following folder C:\qoobox\quarantine\C\program files\hp\digital imaging\bin\ and upload hpqddcmn.dll.vir
Add the link to your topic: http://www.bleepingcomputer.com/forums/t/234670/infected-hijackuserinit-in-registry-data-items/
In the comment box please enter the following information:
False Positive, file from HP.
original location: C:\program files\hp\digital imaging\bin

and send the file.

Afterwards please open Explorer and navigate to the same folder: C:\qoobox\quarantine\C\program files\hp\digital imaging\bin.
Do a right click on the file hpqddcmn.dll.vir and select rename. Edit the file name to hpqddcmn.dll.

Finally please copy the file back to its original location: C:\program files\hp\digital imaging\bin

Please post back and tell me if the upload was successful as well as any remaining problems you might have.
regards _temp_

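The two procedures above, the zip.bat for submission in post #7 and the manual rename-and-copy-back in post #9, as one added Python example that is not part of the original thread. Windows ships no zip command, so a zip.bat that calls zip creates nothing unless a third-party zip is installed; Python's zipfile module needs nothing extra. The example also records the SHA-256 of the quarantined file (worth pasting into the submission comment box) and refuses to overwrite anything already sitting at the original location, since a file that is already there is not the one ComboFix removed. The C:\Qoobox\Quarantine path and the HP file name are from the thread; the demo recreates that layout under a temporary directory with made-up file contents.

```python
"""Build a submission archive for a quarantined file and restore it once
it is confirmed to be a false positive.

Added example, not code from the original post. Paths and the file name
come from the thread; the demo uses a temp copy of that layout.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_submission_zip(paths, zip_path):
    """Zip the given quarantined files (flat, no directory structure) and
    return {archive name: sha256} for the submission comment box."""
    manifest = {}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            arcname = os.path.basename(p)
            zf.write(p, arcname)
            manifest[arcname] = sha256_of(p)
    return manifest


def restore_from_quarantine(vir_path, original_dir):
    """Copy <name>.vir back to original_dir as <name>.

    The quarantine copy is left in place so the file can be re-quarantined
    later, and an existing file at the destination is never overwritten.
    """
    if not vir_path.lower().endswith(".vir"):
        raise ValueError("expected a ComboFix .vir quarantine file: " + vir_path)
    dest = os.path.join(original_dir, os.path.basename(vir_path)[:-4])
    if os.path.exists(dest):
        raise FileExistsError("refusing to overwrite existing " + dest)
    os.makedirs(original_dir, exist_ok=True)
    shutil.copy2(vir_path, dest)
    if sha256_of(dest) != sha256_of(vir_path):
        raise OSError("restored copy does not match quarantine copy")
    return dest


def demo(root=None):
    """Run the flow on a throw-away copy of the thread's folder layout."""
    root = root or tempfile.mkdtemp(prefix="qoobox_demo_")
    # Stand-ins for C:\Qoobox\Quarantine\C\program files\hp\digital imaging\bin
    # and C:\program files\hp\digital imaging\bin; the DLL bytes are made up.
    quarantine_dir = os.path.join(root, "Qoobox", "Quarantine", "C",
                                  "program files", "hp", "digital imaging", "bin")
    original_dir = os.path.join(root, "program files", "hp", "digital imaging", "bin")
    os.makedirs(quarantine_dir, exist_ok=True)
    vir_path = os.path.join(quarantine_dir, "hpqddcmn.dll.vir")
    with open(vir_path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real HP DLL")

    zip_path = os.path.join(root, "Files_for_submission.zip")
    manifest = build_submission_zip([vir_path], zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        zip_names = zf.namelist()
    restored = restore_from_quarantine(vir_path, original_dir)
    return {
        "manifest": manifest,
        "zip_names": zip_names,
        "vir_path": vir_path,
        "original_dir": original_dir,
        "restored": restored,
        "quarantine_kept": os.path.exists(vir_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Restore only after the analyst has confirmed the false positive; until then the hash in the manifest is enough to talk about the file without moving it.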


#10 TarHeel1 (Topic Starter)

Posted 22 June 2009 - 07:28 PM

The upload was successful. Again, thank you very much for your help.

#11 myrti (Malware Study Hall Admin)

Posted 23 June 2009 - 06:04 AM

Hi TarHeel1

You're very welcome! :thumbup2:

There are now only a couple of things left to do, please start with the following:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back the log and any remaining problems you might have.
regards _temp_



#12 TarHeel1 (Topic Starter)

Posted 23 June 2009 - 07:58 PM

It failed when I attempted to download.

#13 myrti (Malware Study Hall Admin)

Posted 25 June 2009 - 07:08 AM

Heya TarHeel1, :thumbup2:

What happened? When did the download fail and do you know why it failed? Did you try only once or did it fail several times?
Kaspersky downloads quite a lot of data, if you think that the size of the download may have been an issue please try another online scanner like ESET, which is much smaller:
Instructions for the ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
regards _temp_



#14 TarHeel1 (Topic Starter)

Posted 27 June 2009 - 10:28 AM

ESET SCAN:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\mupwjiav.exe.vir Win32/Rustock.NIW trojan deleted - quarantined
C:\WINDOWS\system32\rr64_c.exe Win32/PSW.Gamania.NBN trojan cleaned by deleting - quarantined
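The three result lines above, run through an added Python example that is not part of the original post or of ESET: it splits each line into path, detection, type and action, and separates hits inside another tool's quarantine or backup folders (already-removed remnants, the first two lines) from hits on the live system (the third line, in system32). The remnant-folder list is the example's own. The live hit is the one to follow up on: an on-demand file scan removes the file but not the registry value or scheduled task that launched it, so the loading points in a fresh ComboFix or DDS log are where a leftover reference would show.

```python
"""Sort an ESET online-scanner report into live detections and remnants.

Added example, not part of the original post or of ESET. Each report
line is '<path> <detection> <type> <action>'; the path may contain spaces
and ' - ', so the detection name (the first token containing '/') is
used as the separator. The remnant-folder list is this example's own.
"""
import re

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"   # Windows path, may contain spaces
    r"(?P<detection>\S+/\S+)\s+"      # e.g. Win32/Rustock.NIW
    r"(?P<kind>\S+)\s+"               # trojan, worm, ...
    r"(?P<action>.+?)\s*$"            # what the scanner did with it
)

# Folders where a detection is a stored copy of something already removed.
REMNANT_MARKERS = (
    "\\qoobox\\quarantine\\",                   # ComboFix quarantine
    "\\spybot - search & destroy\\recovery\\",  # Spybot's backups of removed items
    "\\system volume information\\",            # System Restore snapshots
)


def parse_eset_report(text):
    """Return one dict per detection line, with a 'remnant' flag added."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, chatter
        rec = m.groupdict()
        low = rec["path"].lower()
        rec["remnant"] = any(marker in low for marker in REMNANT_MARKERS)
        records.append(rec)
    return records


def live_detections(records):
    """Detections that sat on the system proper rather than in a
    quarantine or backup folder; these need a look at what loaded them."""
    return [r for r in records if not r["remnant"]]


# Sample input: the three report lines from the post above, embedded so
# this runs offline.
SAMPLE_REPORT = r"""
ESET SCAN:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\mupwjiav.exe.vir Win32/Rustock.NIW trojan deleted - quarantined
C:\WINDOWS\system32\rr64_c.exe Win32/PSW.Gamania.NBN trojan cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    for r in parse_eset_report(SAMPLE_REPORT):
        print("remnant" if r["remnant"] else "LIVE   ", r["detection"], r["path"])
```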

#15 myrti (Malware Study Hall Admin)

Posted 27 June 2009 - 12:46 PM

Hi TarHeel1, :thumbup2:

That looks promising. :)
Please create a new log with DDS and post it here:
  • If you have already deleted your copy of DDS, please download it again from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

regards _temp_
