Google Redirect Virus


This topic is locked
6 replies to this topic

#1 sprtn262
Posted 08 December 2009 - 05:11 PM

Greetings.

I just had my computer fixed by m0le and now I am starting a new thread with the information from my wife's computer.

Attached are the DDS and RootRepeal Logs.

Thanks again for the help.

DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Melissa France at 16:48:29.17 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1591 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1127748615\ee\AOLHostManager.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1127748615\ee\AOLServiceHost.exe
C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Melissa France\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6066\SiteAdv.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\docume~1\meliss~1\locals~1\temp\E_S29.tmp" /EF "HKCU"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1127748615\ee\AOLHostManager.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6028\SiteAdv.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Motive SmartBridge] c:\progra~1\virtua~1\smartb~1\SprintDSLAlert.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\meliss~1\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6066\SiteAdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli rhonst.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\meliss~1\applic~1\mozilla\firefox\profiles\4pt4h7lg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - component: c:\documents and settings\melissa france\application data\mozilla\firefox\profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\siteadvisor\6066\ff\components\FFHook.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {FAA20835-20FF-440F-8974-2AEFDE83151A} - c:\documents and settings\melissa france\local settings\application data\{FAA20835-20FF-440F-8974-2AEFDE83151A}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-13 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-13 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-16 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-13 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-13 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-13 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-13 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-13 34248]

=============== Created Last 30 ================

2009-12-08 11:21:42 1264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-11-29 18:29:16 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2009-11-29 18:27:33 0 d-----w- C:\Netgear
2009-11-25 01:44:44 0 d-----w- c:\docume~1\meliss~1\applic~1\Malwarebytes
2009-11-25 01:44:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 01:44:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 01:44:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:44:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-14 16:09:57 0 d-----w- c:\docume~1\meliss~1\applic~1\Picaboo
2009-11-14 16:01:09 0 d-----w- c:\program files\Picaboo

==================== Find3M ====================

2009-10-23 23:35:40 74036 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-20 18:39:43 19741 ----a-w- c:\program files\common files\muhezebyf.vbs
2009-09-20 18:39:43 18942 ----a-w- c:\windows\icebipoxoq.com
2009-09-20 18:39:43 18475 ----a-w- c:\windows\system32\yranoxyn.com
2009-09-20 18:39:43 18244 ----a-w- c:\program files\common files\uwuraner.lib
2009-09-20 18:39:43 11422 ----a-w- c:\windows\system32\necijywas.com
2009-09-20 18:39:43 10303 ----a-w- c:\windows\system32\evodywy.exe
2009-09-20 18:39:42 12106 ----a-w- c:\windows\system32\nohodis.bin
2009-09-20 15:05:28 17234 ----a-w- c:\program files\common files\ugysocuda.com
2009-09-20 15:05:28 17010 ----a-w- c:\windows\system32\syqo.exe
2009-09-20 15:05:28 16587 ----a-w- c:\windows\kozalis.sys
2009-09-20 15:05:28 14261 ----a-w- c:\windows\seveziful.sys
2009-09-20 15:05:28 12807 ----a-w- c:\windows\yvybesedu.reg
2009-09-20 15:05:27 19734 ----a-w- c:\windows\icyjema.reg
2009-09-20 15:05:27 17220 ----a-w- c:\windows\sujoru.exe
2009-09-20 15:05:27 16507 ----a-w- c:\windows\fune.exe
2009-09-20 15:05:27 11181 ----a-w- c:\windows\system32\idobugyciz.scr
2009-09-20 15:05:27 10234 ----a-w- c:\windows\inewofole.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-04-24 15:00:47 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:49:51.75 ===============

RootRepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/08 16:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0976000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5BC000 Size: 8192 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_fbgcd1imchcxjt5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_okvlgxk6t43rkhm
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Melissa France\Cookies\melissa_france@bleepingcomputer[2].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Melissa France\Cookies\melissa_france@bleepingcomputer[1].txt
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\melissa france\local settings\temp\~df9df4.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: c:\documents and settings\melissa france\local settings\temp\~dff6b7.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

==EOF==
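Added example, not part of this thread and not a DDS, RootRepeal, ComboFix or BleepingComputer tool: a short triage pass over DDS-style log lines that does mechanically what the helper does by eye in the log above. Two signals are worth automating. First, the Find3M section shows bursts of files with random-looking names and identical timestamps (2009-09-20 15:05 and 18:39) dropped into %SystemRoot%, system32 and Program Files\Common Files, all with extensions the loader, a script host, the shell or regedit will run. Second, `LSA: Notification Packages = scecli rhonst.dll` lists a DLL beyond Windows' stock `scecli`; notification packages are loaded into lsass.exe and receive every password change in plaintext, so any entry that is not the default deserves a look. The sample lines are copied from the DDS log in post #1 with a few benign entries as negatives; the burst threshold and the random-name rule are this example's own assumptions, not DDS rules.

```python
# Added example for this thread; not part of DDS, RootRepeal, ComboFix or any
# BleepingComputer tool. It automates two things the helper spots by eye in the
# DDS log above: (1) bursts of random-named executables/scripts dropped into
# Windows system directories within the same minute, and (2) an LSA
# "Notification Packages" value naming anything beyond Windows' stock scecli.
# Thresholds and the random-name rule are this example's own assumptions.
import ntpath
import re
from collections import defaultdict

# One "Created Last 30" / "Find3M" entry: date time size attributes path
ENTRY_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
                      r"(?P<size>\d+)\s+(?P<attr>\S{8})\s+(?P<path>.+?)\s*$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+?)\s*$")

# Extensions the loader, a script host, the shell or regedit will run or load.
RISKY_EXT = {".exe", ".com", ".scr", ".dll", ".sys", ".vbs", ".bat", ".cmd",
             ".reg", ".bin", ".lib", ".dl", "._sy"}
# Where the droppers in this log landed (assumption: the only dirs scored here).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\common files\\")
# Default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
# on XP; anything else is loaded into lsass.exe and sees plaintext password changes.
KNOWN_LSA_PACKAGES = {"scecli"}
MIN_BURST = 3        # files per minute before it counts as a burst (assumption)
VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Crude gibberish test (this example's own rule): lower-case letters only,
    4+ chars, vowel share 30-75%. Catches 'icebipoxoq' or 'yvybesedu', not
    'mshtml', 'mlfcache' or 'msv1_0'."""
    if len(stem) < 4 or not stem.isalpha() or not stem.islower():
        return False
    share = sum(c in VOWELS for c in stem) / len(stem)
    return 0.30 <= share <= 0.75


def triage(log_text: str) -> dict:
    """Return {'bursts': [(yyyy-mm-dd hh:mm, [paths]), ...], 'lsa_unknown': [...]}."""
    per_minute = defaultdict(list)
    lsa_unknown = []
    for line in log_text.splitlines():
        m = LSA_RE.match(line)
        if m:
            for pkg in m["pkgs"].split():
                name = pkg.lower()
                name = name[:-4] if name.endswith(".dll") else name
                if name not in KNOWN_LSA_PACKAGES:
                    lsa_unknown.append(pkg)
            continue
        m = ENTRY_RE.match(line)
        if not m or m["attr"].startswith("d"):       # skip directories
            continue
        path = m["path"].lower()
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if path.startswith(SYSTEM_DIRS) and ext in RISKY_EXT:
            per_minute[f"{m['date']} {m['time'][:5]}"].append((stem, m["path"]))
    bursts = []
    for minute, entries in sorted(per_minute.items()):
        random_share = sum(looks_random(s) for s, _ in entries) / len(entries)
        if len(entries) >= MIN_BURST and random_share >= 0.5:
            bursts.append((minute, [p for _, p in entries]))
    return {"bursts": bursts, "lsa_unknown": lsa_unknown}


# Lines copied from the DDS log in post #1, plus a few benign ones as negatives.
SAMPLE = r"""
LSA: Notification Packages = scecli rhonst.dll
2009-12-08 11:21:42 1264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-23 23:35:40 74036 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-20 18:39:43 19741 ----a-w- c:\program files\common files\muhezebyf.vbs
2009-09-20 18:39:43 18942 ----a-w- c:\windows\icebipoxoq.com
2009-09-20 18:39:43 18475 ----a-w- c:\windows\system32\yranoxyn.com
2009-09-20 18:39:43 18244 ----a-w- c:\program files\common files\uwuraner.lib
2009-09-20 18:39:43 11422 ----a-w- c:\windows\system32\necijywas.com
2009-09-20 18:39:43 10303 ----a-w- c:\windows\system32\evodywy.exe
2009-09-20 18:39:42 12106 ----a-w- c:\windows\system32\nohodis.bin
2009-09-20 15:05:28 17234 ----a-w- c:\program files\common files\ugysocuda.com
2009-09-20 15:05:28 17010 ----a-w- c:\windows\system32\syqo.exe
2009-09-20 15:05:28 16587 ----a-w- c:\windows\kozalis.sys
2009-09-20 15:05:28 14261 ----a-w- c:\windows\seveziful.sys
2009-09-20 15:05:28 12807 ----a-w- c:\windows\yvybesedu.reg
2009-09-20 15:05:27 19734 ----a-w- c:\windows\icyjema.reg
2009-09-20 15:05:27 17220 ----a-w- c:\windows\sujoru.exe
2009-09-20 15:05:27 16507 ----a-w- c:\windows\fune.exe
2009-09-20 15:05:27 11181 ----a-w- c:\windows\system32\idobugyciz.scr
2009-09-20 15:05:27 10234 ----a-w- c:\windows\inewofole.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for minute, paths in result["bursts"]:
        print(f"{minute}: {len(paths)} files dropped together")
        for p in paths:
            print("   ", p)
    print("non-default LSA notification packages:", result["lsa_unknown"])
```

Run against the sample it reports two bursts (ten files at 15:05, seven at 18:39) and `rhonst.dll` as the non-default LSA package; the benign system files (mshtml.dll, mlfcache.dat, msv1_0.dll) are not flagged because they are alone in their minute and do not look generated. Bucketing by minute rather than by exact second matters: the droppers here straddle 18:39:42/18:39:43 and 15:05:27/15:05:28, which a per-second grouping would split. The name heuristic is deliberately loose; the burst count, not the name alone, is what makes the call.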


#2 m0le
Malware Response Team
Posted 08 December 2009 - 07:22 PM

Hi again, sprtn262. :(

The tell-tale temp files at the end of the RootRepeal log tell us that your wife's PC is infected in a similar fashion to yours.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot omitted]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE

#3 sprtn262
Posted 08 December 2009 - 08:54 PM

Adding ComboFix log...

ComboFix 09-12-08.03 - Melissa France 12/08/2009 20:31:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1786 [GMT -5:00]
Running from: c:\documents and settings\Melissa France\Desktop\comfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Melissa France\Local Settings\Application Data\{FAA20835-20FF-440F-8974-2AEFDE83151A}
c:\documents and settings\Melissa France\Local Settings\Application Data\{FAA20835-20FF-440F-8974-2AEFDE83151A}\chrome.manifest
c:\documents and settings\Melissa France\Local Settings\Application Data\{FAA20835-20FF-440F-8974-2AEFDE83151A}\chrome\content\_cfg.js
c:\documents and settings\Melissa France\Local Settings\Application Data\{FAA20835-20FF-440F-8974-2AEFDE83151A}\chrome\content\overlay.xul
c:\documents and settings\Melissa France\Local Settings\Application Data\{FAA20835-20FF-440F-8974-2AEFDE83151A}\install.rdf
c:\documents and settings\Melissa France\Local Settings\Application Data\qewehyha.reg
c:\documents and settings\Melissa France\Local Settings\Temporary Internet Files\esoqili.scr
c:\documents and settings\Melissa France\Local Settings\Temporary Internet Files\gabecurypu.dl
c:\documents and settings\Melissa France\Local Settings\Temporary Internet Files\jefemogik.dl
c:\documents and settings\Melissa France\Local Settings\Temporary Internet Files\okylydewi.bin
c:\documents and settings\Melissa France\Local Settings\Temporary Internet Files\racoly.lib
c:\documents and settings\Melissa France\Local Settings\Temporary Internet Files\rytefuv._sy
c:\program files\Common Files\muhezebyf.vbs
c:\windows\fune.exe
c:\windows\icyjema.reg
c:\windows\inewofole.dll
c:\windows\sujoru.exe
c:\windows\wesibehij._sy
c:\windows\yvybesedu.reg
F:\autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-09 01:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-09 01:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-08 21:52 . 2009-12-08 21:52 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-29 18:43 . 2009-11-29 18:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-29 18:29 . 2008-05-13 23:08 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2009-11-29 18:27 . 2009-11-29 19:05 -------- d-----w- C:\Netgear
2009-11-25 01:44 . 2009-11-25 01:44 -------- d-----w- c:\documents and settings\Melissa France\Application Data\Malwarebytes
2009-11-25 01:44 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 01:44 . 2009-11-25 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:44 . 2009-11-25 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 01:44 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:09 . 2009-11-14 16:09 -------- d-----w- c:\documents and settings\Melissa France\Application Data\Picaboo
2009-11-14 16:01 . 2009-11-14 16:09 -------- d-----w- c:\program files\Picaboo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 01:40 . 2008-12-19 14:20 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-12-09 01:27 . 2009-10-13 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-12-08 22:17 . 2005-06-22 02:17 -------- d-----w- c:\program files\Juno
2009-12-08 19:03 . 2008-08-11 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-07 11:30 . 2009-11-08 19:19 79488 ----a-w- c:\documents and settings\Melissa France\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-01 14:50 . 2009-09-20 15:05 120 ----a-w- c:\windows\Ldocomorabu.dat
2009-12-01 09:58 . 2009-09-20 15:05 0 ----a-w- c:\windows\Oroliwesonoce.bin
2009-11-20 11:04 . 2007-03-13 11:49 -------- d-----w- c:\program files\McAfee
2009-11-19 16:48 . 2009-11-30 21:46 872960 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 16:48 . 2009-11-30 21:46 43008 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 16:48 . 2009-11-30 21:46 340480 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 16:48 . 2009-11-30 21:46 346624 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-14 16:10 . 2005-06-21 22:43 131392 ----a-w- c:\documents and settings\Melissa France\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 23:54 . 2009-09-27 15:42 -------- d-----w- c:\program files\SmartMusic 2010
2009-10-25 15:50 . 2005-06-17 04:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-25 15:50 . 2005-12-30 18:53 -------- d-----w- c:\program files\iPod
2009-10-23 23:35 . 2009-09-12 01:10 74036 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 18:35 . 2009-10-13 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-13 16:16 . 2009-10-13 16:16 -------- d-----w- c:\program files\STOPzilla!
2009-10-13 16:16 . 2009-10-13 16:16 -------- d-----w- c:\program files\Common Files\iS3
2009-09-20 18:39 . 2009-09-20 18:39 18942 ----a-w- c:\windows\icebipoxoq.com
2009-09-20 18:39 . 2009-09-20 18:39 18475 ----a-w- c:\windows\system32\yranoxyn.com
2009-09-20 18:39 . 2009-09-20 18:39 18244 ----a-w- c:\program files\Common Files\uwuraner.lib
2009-09-20 18:39 . 2009-09-20 18:39 17807 ----a-w- c:\documents and settings\Melissa France\Local Settings\Application Data\isevix.sys
2009-09-20 18:39 . 2009-09-20 18:39 11422 ----a-w- c:\windows\system32\necijywas.com
2009-09-20 18:39 . 2009-09-20 18:39 10303 ----a-w- c:\windows\system32\evodywy.exe
2009-09-20 18:39 . 2009-09-20 18:39 12106 ----a-w- c:\windows\system32\nohodis.bin
2009-09-20 15:05 . 2009-09-20 15:05 17234 ----a-w- c:\program files\Common Files\ugysocuda.com
2009-09-20 15:05 . 2009-09-20 15:05 17010 ----a-w- c:\windows\system32\syqo.exe
2009-09-20 15:05 . 2009-09-20 15:05 16587 ----a-w- c:\windows\kozalis.sys
2009-09-20 15:05 . 2009-09-20 15:05 14261 ----a-w- c:\windows\seveziful.sys
2009-09-20 15:05 . 2009-09-20 15:05 11181 ----a-w- c:\windows\system32\idobugyciz.scr
2009-09-16 14:22 . 2007-03-13 11:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-03-13 11:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-03-13 11:51 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-03-13 11:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-03-13 11:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HostManager"="c:\program files\Common Files\AOL\1127748615\ee\AOLHostManager.exe" [2005-08-02 159832]
"SiteAdvisor"="c:\program files\SiteAdvisor\6028\SiteAdv.exe" [2007-02-09 36904]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

c:\documents and settings\Melissa France\Start Menu\Programs\Startup\
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2009-7-10 606208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127748615\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Juno\\bin\\juno.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg;c:\windows\SYSTEM32\DRIVERS\SZKG.sys [5/12/2009 1:13 PM 61328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2007 1:57 PM 24652]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - component: c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\SiteAdvisor\6066\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
AddRemove-HijackThis - c:\documents and settings\Melissa France\Desktop\HijackThis.exe
AddRemove-Microsoft Interactive Training - c:\windows\IsUninst.exe -fc:\windows\orun32.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1115760850-618011297-1412726674-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,d3,ed,44,8a,46,3a,24,9a,a3,95,f7,c6,07,28,73,d4,a0,d9,26,37,4b,a8,
eb,9d,4e,c4,3c,98,b5,46,fb,5e,3f,ce,07,91,9f,1a,33,d9,34,0e,65,9a,51,e4,69,\
"??"=hex:66,d5,a2,5e,70,58,7b,f1,9c,65,e0,59,e0,69,9d,02

[HKEY_USERS\S-1-5-21-1115760850-618011297-1412726674-1006\Software\SecuROM\License information*]
"datasecu"=hex:d5,f3,3f,b4,d8,5c,bf,44,5f,c5,aa,6c,ff,9b,cd,d1,4e,63,33,c1,b5,
a5,86,4f,c2,2c,c1,57,e8,ea,3b,46,af,c4,93,4f,3e,90,42,c1,dd,9f,0f,bd,27,d5,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\WININET.dll
c:\progra~1\VIRTUA~1\SMARTB~1\SBHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\AOL\1127748615\ee\AOLServiceHost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
.
**************************************************************************
.
Completion time: 2009-12-08 20:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 01:50

Pre-Run: 15,580,409,856 bytes free
Post-Run: 15,811,002,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 371D898C2A62349EA7D25F9F0AAE6B77

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 December 2009 - 04:41 PM

Let's rerun Combofix again with a script to remove a few other malware files.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/277412/google-redirect-virus/

Collect::
c:\windows\Ldocomorabu.dat
c:\windows\Oroliwesonoce.bin
c:\windows\icebipoxoq.com
c:\windows\system32\yranoxyn.com
c:\program files\Common Files\uwuraner.lib
c:\windows\system32\necijywas.com
c:\windows\system32\evodywy.exe
c:\windows\system32\nohodis.bin
c:\program files\Common Files\ugysocuda.com
c:\windows\system32\syqo.exe
c:\windows\kozalis.sys
c:\windows\seveziful.sys
c:\windows\system32\idobugyciz.scr


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :(
m0le is a proud member of UNITE

#5 sprtn262
  • Topic Starter
  • Members
  • 9 posts

Posted 09 December 2009 - 09:04 PM

The scan finally finished! See the results below.

Note - it asked me if I wanted to update the version of ComboFix -- I did update the application.

Sprtn262
_________
ComboFix
_________
ComboFix 09-12-09.04 - Melissa France 12/09/2009 17:06:14.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1826 [GMT -5:00]
Running from: c:\documents and settings\Melissa France\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Melissa France\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


file zipped: c:\program files\Common Files\ugysocuda.com
file zipped: c:\program files\Common Files\uwuraner.lib
file zipped: c:\windows\icebipoxoq.com
file zipped: c:\windows\kozalis.sys
file zipped: c:\windows\Ldocomorabu.dat
file zipped: c:\windows\Oroliwesonoce.bin
file zipped: c:\windows\seveziful.sys
file zipped: c:\windows\system32\evodywy.exe
file zipped: c:\windows\system32\idobugyciz.scr
file zipped: c:\windows\system32\necijywas.com
file zipped: c:\windows\system32\nohodis.bin
file zipped: c:\windows\system32\syqo.exe
file zipped: c:\windows\system32\yranoxyn.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\ugysocuda.com
c:\program files\Common Files\uwuraner.lib
c:\windows\icebipoxoq.com
c:\windows\kozalis.sys
c:\windows\Ldocomorabu.dat
c:\windows\Oroliwesonoce.bin
c:\windows\seveziful.sys
c:\windows\system32\evodywy.exe
c:\windows\system32\idobugyciz.scr
c:\windows\system32\necijywas.com
c:\windows\system32\nohodis.bin
c:\windows\system32\syqo.exe
c:\windows\system32\yranoxyn.com
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-09 01:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-09 01:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-08 21:52 . 2009-12-08 21:52 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-30 21:46 . 2009-11-19 16:48 872960 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-30 21:46 . 2009-11-19 16:48 43008 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-30 21:46 . 2009-11-19 16:48 340480 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-30 21:46 . 2009-11-19 16:48 346624 ----a-w- c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-29 18:43 . 2009-11-29 18:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-29 18:29 . 2008-05-13 23:08 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2009-11-29 18:27 . 2009-11-29 19:05 -------- d-----w- C:\Netgear
2009-11-25 01:44 . 2009-11-25 01:44 -------- d-----w- c:\documents and settings\Melissa France\Application Data\Malwarebytes
2009-11-25 01:44 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 01:44 . 2009-11-25 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:44 . 2009-11-25 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 01:44 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 16:09 . 2009-11-14 16:09 -------- d-----w- c:\documents and settings\Melissa France\Application Data\Picaboo
2009-11-14 16:01 . 2009-11-14 16:09 -------- d-----w- c:\program files\Picaboo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 21:56 . 2009-10-13 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-12-09 20:04 . 2008-08-11 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-09 11:17 . 2005-06-22 02:17 -------- d-----w- c:\program files\Juno
2009-12-09 11:03 . 2009-12-09 11:03 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-12-09 11:03 . 2009-12-09 11:02 1264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-09 10:59 . 2008-12-19 14:20 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-12-07 11:30 . 2009-11-08 19:19 79488 ----a-w- c:\documents and settings\Melissa France\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-20 11:04 . 2007-03-13 11:49 -------- d-----w- c:\program files\McAfee
2009-11-14 16:10 . 2005-06-21 22:43 131392 ----a-w- c:\documents and settings\Melissa France\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 23:54 . 2009-09-27 15:42 -------- d-----w- c:\program files\SmartMusic 2010
2009-10-25 15:50 . 2005-06-17 04:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-25 15:50 . 2005-12-30 18:53 -------- d-----w- c:\program files\iPod
2009-10-23 23:35 . 2009-09-12 01:10 74036 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 18:35 . 2009-10-13 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-13 16:16 . 2009-10-13 16:16 -------- d-----w- c:\program files\STOPzilla!
2009-10-13 16:16 . 2009-10-13 16:16 -------- d-----w- c:\program files\Common Files\iS3
2009-09-20 18:39 . 2009-09-20 18:39 17807 ----a-w- c:\documents and settings\Melissa France\Local Settings\Application Data\isevix.sys
2009-09-16 14:22 . 2007-03-13 11:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-03-13 11:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-03-13 11:51 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-03-13 11:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-03-13 11:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" [X]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe -start" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HostManager"="c:\program files\Common Files\AOL\1127748615\ee\AOLHostManager.exe" [2005-08-02 159832]
"SiteAdvisor"="c:\program files\SiteAdvisor\6028\SiteAdv.exe" [2007-02-09 36904]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

c:\documents and settings\Melissa France\Start Menu\Programs\Startup\
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2009-7-10 606208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127748615\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Juno\\bin\\juno.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg;c:\windows\SYSTEM32\DRIVERS\SZKG.sys [5/12/2009 1:13 PM 61328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2007 1:57 PM 24652]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - component: c:\documents and settings\Melissa France\Application Data\Mozilla\Firefox\Profiles\4pt4h7lg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\SiteAdvisor\6066\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 17:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1115760850-618011297-1412726674-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e5,93,d5,db,8f,f3,ae,4e,24,7d,15,69,7b,46,04,1d,20,55,bb,5c,a1,22,67,
dc,51,32,86,52,15,17,3a,1a,92,db,8b,b1,70,08,7b,67,1c,0b,89,d2,f2,fb,cd,c0,\
"??"=hex:c4,04,98,d5,63,5c,35,4b,56,bf,96,c6,48,fe,da,3c

[HKEY_USERS\S-1-5-21-1115760850-618011297-1412726674-1006\Software\SecuROM\License information*]
"datasecu"=hex:d5,f3,3f,b4,d8,5c,bf,44,5f,c5,aa,6c,ff,9b,cd,d1,4e,63,33,c1,b5,
a5,86,4f,c2,2c,c1,57,e8,ea,3b,46,af,c4,93,4f,3e,90,42,c1,dd,9f,0f,bd,27,d5,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
Completion time: 2009-12-09 17:17:28
ComboFix-quarantined-files.txt 2009-12-09 22:17
ComboFix2.txt 2009-12-09 01:51

Pre-Run: 15,687,815,168 bytes free
Post-Run: 15,722,692,608 bytes free

- - End Of File - - 5642CDA577361544384DD4C6ED560C79
Upload was successful

____________
MBAM
_________

Malwarebytes' Anti-Malware 1.42
Database version: 3334
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2009 8:50:42 PM
mbam-log-2009-12-09 (20-50-42).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 388461
Time elapsed: 3 hour(s), 14 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Common Files\ugysocuda.com.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\uwuraner.lib.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\icebipoxoq.com.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\kozalis.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\seveziful.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\evodywy.exe.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\idobugyciz.scr.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\necijywas.com.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nohodis.bin.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\syqo.exe.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yranoxyn.com.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189447.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189532.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189614.com (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189615.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189616.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189617.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189618.scr (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189619.com (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189620.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189621.com (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189702.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 December 2009 - 02:11 PM

That's looking good. The Qoobox folder is Combofix's quarantine and the system restore folder is about to be deleted when we do these final instructions. Your wife's PC is now clean.

Good stuff! :(

Let's do some clearing up

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
That's it again sprtn262 :( , happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE
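As an added worked example (not m0le's instructions and not a BleepingComputer, ComboFix or MBAM tool), the script below does mechanically what m0le did by eye across posts #4 to #6: it reads the Collect:: list out of a CFScript, checks every requested path against the "Other Deletions" section of the ComboFix log, and then sorts each MBAM "Files Infected" hit into a copy inside ComboFix's Qoobox quarantine, a copy inside a System Restore point, or a live file still on the system. The embedded CFSCRIPT, COMBOFIX_LOG and MBAM_LOG strings are shortened transcriptions of the logs posted in this thread, the function names are mine, and the two prefix rules (anything under C:\Qoobox\Quarantine\ and anything under System Volume Information\_restore) are assumptions taken from what m0le says above about those two folders.

```python
r"""Cross-check a CFScript Collect:: list against the ComboFix and MBAM logs.

Added example for this thread, not a BleepingComputer, ComboFix or MBAM tool.
The three blobs are shortened transcriptions of the logs posted above; the
"live" branch of classify_hit() is only reached by constructed input.
Comparison is case-insensitive (ComboFix prints c:\windows, MBAM C:\WINDOWS).
"""
import re
from collections import Counter

CFSCRIPT = r"""
Collect::
c:\windows\Ldocomorabu.dat
c:\windows\icebipoxoq.com
c:\windows\system32\yranoxyn.com
c:\program files\Common Files\uwuraner.lib
c:\windows\system32\syqo.exe
"""
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\uwuraner.lib
c:\windows\icebipoxoq.com
c:\windows\Ldocomorabu.dat
c:\windows\system32\syqo.exe
c:\windows\system32\yranoxyn.com
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
"""
MBAM_LOG = r"""
Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Common Files\uwuraner.lib.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\icebipoxoq.com.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\syqo.exe.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189447.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1524\A0189617.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

PATH_RE = re.compile(r"^[a-z]:\\.+", re.I)
# "<path> (<detection>) -> <action>", the per-hit format in the MBAM 1.x log
HIT_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$", re.I)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"  # ComboFix quarantine, as m0le says above (assumed rule)

def parse_cfscript(text):
    """Paths under the Collect:: directive, lower-cased."""
    paths, in_collect = [], False
    for line in map(str.strip, text.splitlines()):
        if line.endswith("::"):            # Collect::, File::, Folder:: each start a directive
            in_collect = line.lower() == "collect::"
        elif in_collect and PATH_RE.match(line):
            paths.append(line.lower())
    return paths

def parse_combofix_deletions(text):
    """Paths under the 'Other Deletions' banner; the next banner ends the section."""
    deleted, in_section = set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("((("):
            in_section = "other deletions" in line.lower()
        elif in_section and PATH_RE.match(line):
            deleted.add(line.lower())
    return deleted

def reconcile(collect_paths, deleted_paths):
    """Requested files ComboFix confirmed removing, misses, and extras it took."""
    wanted = set(collect_paths)
    return {"confirmed": sorted(wanted & deleted_paths),
            "not_removed": sorted(wanted - deleted_paths),
            "unrequested": sorted(deleted_paths - wanted)}

def original_location(path):
    r"""C:\Qoobox\Quarantine\C\WINDOWS\x.exe.vir -> c:\windows\x.exe"""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        drive, _, tail = p[len(QUARANTINE_PREFIX):].partition("\\")
        p = f"{drive}:\\{tail}"
        if p.endswith(".vir"):
            p = p[:-4]
    return p

def classify_hit(path):
    """Hits inside Qoobox or a restore point are copies, not an active infection."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:   # assumed rule, see lead-in
        return "restore_point"
    return "live"

def summarize_mbam(text, collect_paths):
    """Count hit kinds, list live ones, and tie quarantine hits back to the Collect:: list."""
    hits = [m["path"] for m in map(HIT_RE.match, map(str.strip, text.splitlines())) if m]
    wanted = set(collect_paths)
    return {"counts": dict(Counter(map(classify_hit, hits))),
            "live": [h for h in hits if classify_hit(h) == "live"],
            "collect_matches": sorted(original_location(h) for h in hits
                                      if classify_hit(h) == "combofix_quarantine"
                                      and original_location(h) in wanted)}

if __name__ == "__main__":
    collect = parse_cfscript(CFSCRIPT)
    print("ComboFix:", reconcile(collect, parse_combofix_deletions(COMBOFIX_LOG)))
    print("MBAM:", summarize_mbam(MBAM_LOG, collect))
```

Run as-is, the ComboFix report shows every Collect:: path confirmed deleted plus one unrequested extra (F:\Autorun.inf, which ComboFix removes on its own), and the MBAM summary shows no live hits, two restore-point copies and three Qoobox copies that map straight back to the Collect:: list, which is the same reading m0le gives in post #6. Anything under "not_removed" or a non-empty "live" list is the signal that another pass is needed rather than cleanup.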

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 December 2009 - 03:47 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



