Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo.JD infection


  • This topic is locked This topic is locked
15 replies to this topic

#1 KathysKomputer

KathysKomputer

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 26 December 2009 - 09:23 PM

Hi! Thanks in advance for your help. I have a regenerating Vundo.JD virus. My AGV Virusware tells me it's removing all malware, however, the next time I log on, I have more viruses. Another name in Davevuli.exe. Now I'm getting Error messages when I log on. IE: logon.exe. Tried to uncheck that in the start up tab in msconfig.exe with no luck. Can you help me get rid of this annnoying bug once and for all?? Enclosed are all my logs! TU!



DDS (Ver_09-12-01.01) - NTFSx86
Run by Jim morosan at 14:22:54.51 on Sat 12/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.67 [GMT -8:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim morosan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Shell=Explorer.exe logon.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [<NO NAME>]
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {995BDF5C-F7FA-4ECB-A8EB-10ED40EE3F62} = 193.104.110.38,4.2.2.1,192.168.1.1
TCP: {B92F517E-50DF-4F56-A383-B20BFD445AE4} = 193.104.110.38,4.2.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: wosahemi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {16106de7-ef8a-4f8d-9b9d-71ea3d43717b} - No File
LSA: Notification Packages = scecli sg3nCD.dll jarekapu.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-12-14 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-6-23 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-23 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-23 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-23 360584]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-12-14 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-12-14 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-12-14 25736]
S3 AIM_USBdriver;AIM USB Driver (v.10.01) VID=11CC;c:\windows\system32\drivers\AIM_USBdrv10_01.sys [2007-5-26 24704]

=============== Created Last 30 ================

2009-12-24 16:36:49 0 ----a-w- C:\haypsixd.exe
2009-12-24 01:01:46 0 d-----w- c:\program files\Vongo
2009-12-24 00:10:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-20 03:58:04 0 d-----w- c:\docume~1\jimmor~1\applic~1\MSNInstaller
2009-12-15 12:49:32 0 ----a-w- C:\waees.exe
2009-12-15 12:49:27 0 ----a-w- C:\dens.exe
2009-12-15 04:38:23 0 d--h--w- C:\$AVG
2009-12-15 04:37:44 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-15 04:36:54 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-15 04:35:22 0 d-----w- c:\windows\SxsCaPendDel
2009-12-12 07:48:46 0 ----a-w- c:\windows\EEventManager.INI
2009-12-12 07:08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-12 07:08:15 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-09 23:17:24 77824 ----a-w- c:\windows\system32\EBAPI.dll
2009-12-09 23:17:24 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2009-12-09 23:17:24 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2009-12-09 23:17:24 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2009-12-09 23:17:24 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2009-12-09 23:13:29 474892 ----a-w- c:\windows\system32\ensppmon.dll
2009-12-09 23:13:29 457611 ----a-w- c:\windows\system32\ensppui.dll
2009-12-09 23:13:29 457611 ----a-w- c:\windows\system32\enppui.dll
2009-12-09 23:13:29 249344 ----a-w- c:\windows\system32\enspres.dll
2009-12-09 23:13:29 249344 ----a-w- c:\windows\system32\enpres.dll
2009-12-09 23:13:28 474892 ----a-w- c:\windows\system32\enppmon.dll
2009-12-09 23:13:28 0 d-----w- c:\program files\EpsonNet
2009-12-09 23:12:56 0 d-----w- c:\program files\common files\EPSON
2009-12-09 22:58:07 0 d-----w- c:\program files\Epson Software
2009-12-09 22:57:18 0 d-----w- c:\docume~1\alluse~1\applic~1\EPSON
2009-12-09 22:56:47 9216 ----a-w- c:\windows\system32\escdev.dll
2009-12-09 22:56:47 342016 ----a-w- c:\windows\system32\eswiaud.dll
2009-12-09 22:56:37 0 d-----w- c:\program files\epson
2009-12-09 22:55:57 100 ----a-w- c:\windows\EPWF610.ini
2009-12-04 14:48:09 0 d-sh--w- C:\found.000

==================== Find3M ====================

2009-12-19 23:11:23 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-15 04:38:12 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-15 04:38:12 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-15 04:37:44 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-15 04:37:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 20:49:17 0 ----a-w- c:\docume~1\jimmor~1\applic~1\wklnhst.dat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-26 21:30:21 53760 --sha-w- c:\windows\system32\jarekapu.dll
2009-09-24 16:43:05 45568 --sha-w- c:\windows\system32\kotafeka.dll
2009-09-26 21:30:21 53760 --sha-w- c:\windows\system32\livemuna.dll
2009-09-24 16:43:05 39424 --sha-w- c:\windows\system32\mohoyodi.dll
2009-09-26 21:28:37 61952 --sha-w- c:\windows\system32\moviwado.dll
2009-09-26 21:28:46 39424 --sha-w- c:\windows\system32\tifozoho.dll
2009-09-26 21:28:46 53760 --sha-w- c:\windows\system32\togewali.dll
2009-09-26 21:28:51 45568 --sha-w- c:\windows\system32\vetimova.dll
2009-09-26 21:30:21 53760 --sha-w- c:\windows\system32\wosahemi.dll

============= FINISH: 14:32:31.64 ===============

Attached Files


Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:47 AM

Posted 29 December 2009 - 09:34 PM

Hello KathysKomputer :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.













Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 30 December 2009 - 11:04 AM

Thank you Ill let you know how it goes.

Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#4 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 30 December 2009 - 07:23 PM

Hi. Okay I've ran the scan and here is the Combo fix log.

Attached Files

  • Attached File  log.txt   16.94KB   17 downloads

Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#5 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:47 AM

Posted 30 December 2009 - 10:40 PM

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\waees.exe
C:\dens.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.








Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.


    Posted Image
    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
[*]Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 31 December 2009 - 12:05 AM

Thank you, I am performing scans now and will upload shortly..

Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#7 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 31 December 2009 - 01:26 AM

:( Okay here are the results:

Thanks Again!
Kathryn

Attached Files


Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:47 AM

Posted 31 December 2009 - 12:33 PM

you're welcome.

Run the following and post the log, then let me know how the computer is running:


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 31 December 2009 - 05:52 PM

Scan results!!

Attached Files


Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:47 AM

Posted 31 December 2009 - 08:02 PM

Nothing wrong there. those entries will be gone when we uninstall ComboFix.

You need to go ahead and update your Adobe, it's a couple of versions behind. Instructions below. Also although your Java is updated there is an older version still showing up in Add/Remove and it needs to be deleted as it can be a source of Malware exploitation.

J2SE Runtime Environment 5.0 Update 6



Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double clicking on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click onDownload. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.




When completed please let me know how your computer is running.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 01 January 2010 - 05:14 PM

My computer is running really well! It's allot faster and the one annoying pop up is gone!! Yay! I removed and reinstall Adobe and deleted the old Java version.
I did run a scan with AVG and it came back with:
Trojan Horse Generic 16.QDC
C:/System Volume information { lots of number and letter }.dll

Should I quarantine??

Am I suppose to do something with this? - J2SE Runtime Environment 5.0 Update 6 I didn't understand this...

Kathyrn

Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:47 AM

Posted 03 January 2010 - 10:44 AM

Sorry, somehow I missed your reply.

Don't worry about the AVG entry, any of those will be taken care of when we uninstall ComboFix. If you have already quarantined it that's fine too.

On the old Java entry it was showing up in the uninstall list. If you can I need you to go to Add/Install and delete take that one out. Sometimes they will still be showing after you do an uninstall if that is the case then it will be OK.

Let me look back over your logs and we may be finished. I'll let you know.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 03 January 2010 - 01:33 PM

Okay!! Thanks!

Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 


#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:47 AM

Posted 03 January 2010 - 02:18 PM

Everything looks OK from what I see. :( We should be able to wrap up.


Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

    Posted Image

  • The following will implement some very important cleanup procedures as well as reset System Restore points.



You can also go ahead and delete GMER and DDS.





Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts fileNote: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :(


thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 KathysKomputer

KathysKomputer
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Baldwin Park CA
  • Local time:11:47 PM

Posted 03 January 2010 - 08:00 PM

:( I can't Thank you enough!!! This website and all the technicians volunteering here are amazing. You were thorogh and it was easy!!! I would definaltly recommend this page to all my friends!

I followed your instructions for all the security updates. I am currently running the Secunia scan and have downloaded the spyware program you recomended.


Thanks to TheWall!!!

Very Satisfied,

Kathryn Rau


:(

Kathryn Rau   :flowers: 

 

KathrynRauPhotography@hotmail.com

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users