
Need to Remove Likely Trojan Infection


  • This topic is locked
29 replies to this topic

#1 al0872

Posted 03 December 2011 - 05:50 PM

Hello,

I am attempting to help remove what appears to be a Trojan infection on my father's PC. This PC is an HP Pavilion a1330n system running Microsoft Windows XP Media Center Edition Version 2002 SP3.

Problems began occurring on this system last evening (12/2/2011). The first indication of the problem was the appearance of windows for the "XP Security Center 2012" rogue security product. Shortly thereafter the system's Internet Explorer 8 browser began re-directing to advertising sites whenever links returned in Google searches were clicked.

My father ran a scan using WebRoot v7 to try to eliminate the issue. This scan took 7 hours to complete (much longer than the usual ~1 hour) and the scan reported the presence of a Rogue Spyware infection.

Removing it did not appear to cure the problem. When he resumed using the computer today he continued to experience the aforementioned redirection behavior - at which time he contacted me to try to help sort it out.

I restarted the system and noticed the following strange behavior:

1) Internet Explorer 8 launched itself (i.e. no user clicked a program shortcut to launch it) immediately after the system started up and directed itself to an advertising site.

2) Running the Windows Task Manager showed the presence of several "iexplore.exe" processes as well as several processes with the name "DQ185~23.com" - which certainly seemed to resemble malware.

3) When the "Internet Explorer" link on the Desktop is clicked for the first time, the Windows "Open With..." window appears asking the user to select an application with which to open the item. More details on this particular symptom can be found in the "IEShortcutOnDesktop.doc" file that I have attached.

I have a little experience curing Malware problems, so I went ahead and downloaded both "Rkill" and Kaspersky TDSSKiller. Running "RKill.exe" did not terminate any malware processes and a TDSSKiller scan did not reveal any infected items.

This was not the behavior I expected and the issues listed above continue to plague the system, so I am posting to this forum for assistance.

I have run through the posting pre-requisite steps described here

Unfortunately, I experienced a problem when trying to perform Step 8 and could not produce a GMER log file. I made two attempts to run the GMER scan but was unsuccessful in completing it both times. The first time the system rebooted itself in the middle of the scan and the second time it froze. In the latter case it appeared to halt on an item at the path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\KVQKPOKE\data[5].jpg.

I am including the output of the "DDS.txt" and "Attach.txt" files generated by the DDS script below. Before running the "DDS" script, I uninstalled the WebRoot tool to prevent any interference. This can be re-installed, as needed.

Many thanks for your help. Please note that it is likely that I will need 1-2 days to respond to any replies to this issue, as I need to travel to my father's home to work on the troubled PC.

Here is the "DDS.txt" log contents

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 15:41:17 on 2011-12-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.451 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
L:\Anti-Virus\tdsskiller\TDSSKiller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [AlwaysReady Power Message APP] "ARPWRMSG.EXE"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPwuSchd2.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [HPHUPD08] "c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280001230774
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{450E7E04-7189-4E13-B272-7310FF480162} : DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{D1981F4D-17A3-4E2A-9253-27159CB8DDC0} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-7-24 668912]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
=============== Created Last 30 ================
.
2011-12-03 19:54:34 116224 ----a-w- c:\windows\system32\0tj1G2dHm.com
2011-12-03 19:33:53 -------- d-----w- c:\program files\common files\PC Tools
2011-12-03 19:33:51 -------- d-----w- c:\program files\PC Tools Security
2011-12-03 19:32:29 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-03 19:30:55 512992 ----a-w- C:\PCTools_Safe_Install.exe
2011-12-03 19:30:24 106496 ----a-w- C:\nuke-M.exe
2011-12-03 18:53:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-03 18:49:20 1008114 ----a-w- C:\rkill.com
2011-12-03 17:50:58 388096 ----a-r- c:\documents and settings\hp_administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-03 17:50:56 -------- d-----w- c:\program files\Trend Micro
2011-12-03 09:50:57 -------- d-----w- c:\windows\system32\LogFiles
2011-12-03 03:55:39 116224 ----a-w- c:\documents and settings\all users\application data\5I83Q3a6.exe
2011-12-03 00:28:33 116224 ----a-w- c:\windows\system32\0tj1G2dHm.com_
.
==================== Find3M ====================
.
2011-12-03 18:22:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-14 12:47:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:41:32.06 ===============


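The "Created Last 30" section of the DDS log above is where the infection shows itself: three 116224-byte executables with random-looking names, one of them a ".com_" copy of another, dropped directly into system32 and the All Users profile within hours of the rogue appearing. The following is an added example, not part of the original post and not DDS or BleepingComputer code, that parses that section and applies a few triage heuristics to pull out exactly those entries. The sample lines are copied from the posted log; the heuristics (six-plus-character stems mixing digits and both letter cases, trailing-underscore extensions, the two "hot" parent directories, and identical-size clusters) are the editor's assumptions about what a dropper leaves behind, not rules from the thread.

```python
"""Triage the 'Created Last 30' section of a DDS log for dropper-like files.

Added example: the heuristics below (random-looking stem, trailing-underscore
extension, "hot" parent directories, identical-size clusters) are the editor's
assumptions, not DDS or BleepingComputer logic.
"""
import re
from collections import defaultdict

# Copied from the "Created Last 30" section of the DDS.txt posted above
# (file names, sizes and timestamps are the thread's own, not constructed).
SAMPLE_SECTION = r"""
2011-12-03 19:54:34 116224 ----a-w- c:\windows\system32\0tj1G2dHm.com
2011-12-03 19:33:53 -------- d-----w- c:\program files\common files\PC Tools
2011-12-03 19:33:51 -------- d-----w- c:\program files\PC Tools Security
2011-12-03 19:32:29 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-03 19:30:55 512992 ----a-w- C:\PCTools_Safe_Install.exe
2011-12-03 19:30:24 106496 ----a-w- C:\nuke-M.exe
2011-12-03 18:53:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-03 18:49:20 1008114 ----a-w- C:\rkill.com
2011-12-03 17:50:58 388096 ----a-r- c:\documents and settings\hp_administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-03 17:50:56 -------- d-----w- c:\program files\Trend Micro
2011-12-03 09:50:57 -------- d-----w- c:\windows\system32\LogFiles
2011-12-03 03:55:39 116224 ----a-w- c:\documents and settings\all users\application data\5I83Q3a6.exe
2011-12-03 00:28:33 116224 ----a-w- c:\windows\system32\0tj1G2dHm.com_
"""

# <date> <time> <size or dashes> <attribute flags> <path>
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+|-+)\s+(\S+)\s+(.+)$")
EXEC_EXT = {"exe", "com", "dll", "sys", "scr", "pif"}
# Assumed "hot" parents: a brand-new executable sitting directly here, rather
# than inside a product's own folder, is worth pulling for a hash lookup.
HOT_DIRS = {r"c:\windows\system32",
            r"c:\documents and settings\all users\application data"}


def parse(section):
    """Return [(timestamp, size, attrs, path)] for file entries; directories are skipped."""
    entries = []
    for raw in section.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        if attrs.startswith("d"):          # d-----w- marks a directory: nothing to hash
            continue
        entries.append((ts, int(size) if size.isdigit() else None, attrs, path))
    return entries


def split_name(path):
    """('0tj1G2dHm', 'com_') for ...\\0tj1G2dHm.com_ ; extension is lower-cased."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def looks_random(stem):
    """Six-plus characters mixing digits, lower- and upper-case letters, e.g. 5I83Q3a6."""
    return (len(stem) >= 6
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def triage(section):
    """Map each suspicious executable path to the list of reasons it was flagged."""
    findings = defaultdict(list)
    by_size = defaultdict(list)
    for _ts, size, _attrs, path in parse(section):
        stem, ext = split_name(path)
        if ext.rstrip("_") not in EXEC_EXT:
            continue                        # only executables and drivers matter here
        if ext.endswith("_"):
            findings[path].append("executable extension with trailing underscore (renamed copy)")
        if looks_random(stem):
            findings[path].append("random-looking file name")
        if path.lower().rsplit("\\", 1)[0] in HOT_DIRS:
            findings[path].append("new executable directly in a system or shared-profile directory")
        if size is not None:
            by_size[size].append((stem.lower(), path))
    # Several new executables of byte-identical size under different names are
    # usually one payload copied around; flag every member of such a cluster.
    for size, items in by_size.items():
        if len({stem for stem, _ in items}) >= 2:
            for _stem, path in items:
                findings[path].append(
                    f"same size ({size} bytes) as {len(items) - 1} other new executable(s)")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_SECTION).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the posted section, `triage()` flags only the three 116224-byte files and leaves the helper's own tools (rkill.com, HiJackThis.exe, nuke-M.exe, the PC Tools installer, the MBAM driver) alone. None of the heuristics is proof on its own; the value is that several weak signals converge on the same files, which are the ones to hash and submit before touching anything else.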

#2 HelpBot

Posted 08 December 2011 - 05:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430571 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 al0872

Posted 09 December 2011 - 07:22 PM

Yes, I still need help with this problem.

Here is a description of the symptoms.


1) Several moments after launching Internet Explorer 8, several copies of a process with a mysterious and unknown name (e.g. "5183Q3a6.exe") will appear in the Task Manager. The actual name of this process appears to be random and changes each time the system is restarted. The Task Manager also frequently displays more Internet Explorer processes (i.e. processes named "iexplore.exe") than there are active Internet Explorer windows on the desktop.

2) After the appearance of the suspicious processes, the Internet Explorer 8 browser periodically redirects itself to random advertising sites. Occasionally, another Internet Explorer 8 window will be launched and this, too, will be directed to an advertising site.

3) When the "Internet Explorer" link on the Desktop is clicked for the first time after system startup, the Windows "Open With..." window appears asking the user to select an application with which to open the item. More details on this particular symptom can be found in the "IEShortcutOnDesktop.doc" file that I have attached.

Here is the background on how these symptoms emerged and what we have done to try to remove them:

Problems began occurring on this system on Friday, 12/2/2011. The first indication of the problem was the appearance of windows for the "XP Security Center 2012" rogue security product. Shortly thereafter the system's Internet Explorer 8 browser began re-directing to advertising sites whenever links returned in Google searches were clicked.

My father ran a scan using WebRoot v7 to try to eliminate the issue. This scan took 7 hours to complete (much longer than the usual ~1 hour) and the scan reported the presence of a Rogue Spyware infection.

Removing it did not appear to cure the problem. When he resumed using the computer today he continued to experience the aforementioned redirection behavior - at which time he contacted me to try to help sort it out.

I have a little experience curing Malware problems, so I went ahead and downloaded both "Rkill" and Kaspersky TDSSKiller. Running "RKill.exe" did not terminate any malware processes and a TDSSKiller scan did not reveal any infected items.

This was not the behavior I expected and the issues listed above continue to plague the system, so I am posting to this forum for assistance.

I am including the output of the "DDS.txt" and "Attach.txt" files generated by the DDS script below. Before running the "DDS" script, I uninstalled the WebRoot tool to prevent any interference. This can be re-installed, as needed.

Unfortunately, I experienced a problem when trying to perform Step 8 and could not produce a GMER log file. I made two attempts to generate this file, but the GMER application simply shut down both times before the scan completed. In both cases it was in the middle of scanning the C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\KVQKPOKE folder when the application simply disappeared.

Many thanks for your help. Please note that it is likely that I will need 1-2 days to respond to any replies to this issue, as I need to travel to my father's home to work on the troubled PC.

Here is the "DDS.txt" log contents

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 18:56:53 on 2011-12-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.604 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Verizon\VSP\ServicepointService.exe
svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [AlwaysReady Power Message APP] "ARPWRMSG.EXE"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPwuSchd2.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [HPHUPD08] "c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280001230774
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{450E7E04-7189-4E13-B272-7310FF480162} : DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{D1981F4D-17A3-4E2A-9253-27159CB8DDC0} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-7-24 668912]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
=============== Created Last 30 ================
.
2011-12-09 01:58:08 116224 ----a-w- c:\windows\system32\0tj1G2dHm.com
2011-12-03 19:33:53 -------- d-----w- c:\program files\common files\PC Tools
2011-12-03 19:33:51 -------- d-----w- c:\program files\PC Tools Security
2011-12-03 19:32:29 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-03 19:30:55 512992 ----a-w- C:\PCTools_Safe_Install.exe
2011-12-03 19:30:24 106496 ----a-w- C:\nuke-M.exe
2011-12-03 18:49:20 1008114 ----a-w- C:\rkill.com
2011-12-03 17:50:58 388096 ----a-r- c:\documents and settings\hp_administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-03 17:50:56 -------- d-----w- c:\program files\Trend Micro
2011-12-03 09:50:57 -------- d-----w- c:\windows\system32\LogFiles
2011-12-03 03:55:39 116224 ----a-w- c:\documents and settings\all users\application data\5I83Q3a6.exe
2011-12-03 00:28:33 116224 ----a-w- c:\windows\system32\0tj1G2dHm.com_
.
==================== Find3M ====================
.
2011-12-03 18:22:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-14 12:47:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 18:58:35.87 ===============

#4 gringo_pr (Malware Response Team)
Posted 14 December 2011 - 07:01 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

Posted 17 December 2011 - 02:52 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#6 al0872


Posted 17 December 2011 - 03:58 PM

Hello Gringo,

Thank you for your reply.

I ran ComboFix as instructed - making certain to follow all the steps as described.

ComboFix ran to completion and produced a log file.

Unfortunately, executing ComboFix resulted in a loss of the ability for the PC system to access the internet. Having researched the problem, it appears that running ComboFix resulted in Winsock2 corruption (as per Microsoft's KB article here).

At this point I think it is better for me to simply re-install the operating system and restore the backed up data, rather than attempt to remove the infection. :(

However, as I am quite certain that ComboFix was incompatible with this PC system, I would be happy to send you the log file at a later date if you wish to analyze it in the interest of preventing similar problems in the future.

Let me know if you believe the ComboFix log file would be of use to your group. Otherwise, I think that there is no need to keep this thread open.

#7 gringo_pr

Posted 17 December 2011 - 08:31 PM

Hello

All is not lost yet. This is happening because of the virus. I want you to rerun ComboFix and see if it restores the internet; if not, send me the report from this scan.



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#8 al0872 (Topic Starter, Members)

Posted 19 December 2011 - 10:10 AM

Thank you for your reply, Gringo.

Just to make sure that we both understand...

You believe that the internet connection ceased to work - a failure which occurred only after ComboFix was run - as a result of the virus?

If you can confirm that - then I will run ComboFix again.

Thank you.

#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 19 December 2011 - 02:05 PM

It is possible, and it has happened on more than one computer, that rerunning ComboFix after removing this infection will restore the internet.

If it does not restore it, then run the Farbar Service Scanner.



gringo

#10 al0872 (Topic Starter, Members)

Posted 21 December 2011 - 10:54 AM

Thank you, Gringo.

I will run the ComboFix application on the affected system again, as you have asked.

However, due to holiday travel I will not be able to access this system until approximately one week from now. Can you ensure that this thread is not closed during that interval?

Thank you.

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 December 2011 - 12:55 PM

Hello

If it does get closed, just send me a PM and I will be more than happy to open it for you.


gringo

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 December 2011 - 01:41 PM

Happy Holidays !!!

I have not heard from you in a couple of days. I know it is a busy time of year, so I will give you some more time before it gets closed.

Gringo

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 December 2011 - 01:22 AM

Hello

48-hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hours you have not replied to this thread, then it will have to be closed!

Gringo

#14 al0872 (Topic Starter, Members)

Posted 30 December 2011 - 04:16 PM

Hello Gringo,

Yes, I still require assistance and will be able to access the troubled system later today.

I have not performed any actions on the system since my previous posting. Fortunately, the system is now once again able to reach the internet.

What steps would you like me to perform next on the system?

Thank you.

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 December 2011 - 05:51 PM

Start with post 4.


Gringo