Lesky Posted February 1, 2009 ID:52635 Share Posted February 1, 2009 Greetings. Thanks for this forum. I have done everything according to your "guidelines". From these logs, is my system still infected? RespectfullyLeskyMalwarebytes log:Malwarebytes' Anti-Malware 1.33Database version: 1713Windows 5.1.2600 Service Pack 22009-02-01 22:11:49mbam-log-2009-02-01 (22-11-49).txtScan type: Full Scan (C:\|D:\|G:\|H:\|)Objects scanned: 166317Time elapsed: 1 hour(s), 3 minute(s), 20 second(s)Memory Processes Infected: 1Memory Modules Infected: 1Registry Keys Infected: 11Registry Values Infected: 6Registry Data Items Infected: 0Folders Infected: 6Files Infected: 23Memory Processes Infected:G:\WINDOWS\system32\YcAoM3au.exe (Trojan.Obvod) -> Unloaded process successfully.Memory Modules Infected:G:\WINDOWS\system32\hgdfhsiueme.dll (Trojan.BHO) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.MSAntispyware) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.MsAntispyware) -> Quarantined and deleted successfully.Files Infected:G:\WINDOWS\system32\hgdfhsiueme.dll (Trojan.Zlob.H) -> Delete on reboot.G:\WINDOWS\system32\YcAoM3au.exe (Trojan.Obvod) -> Delete on reboot.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MSAntispyware) -> Quarantined and deleted successfully.G:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP247\A0028079.dll (Trojan.Vundo) -> Quarantined and deleted successfully.G:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.G:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.G:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.G:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.G:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201121702156.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201122607343.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201163344734.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201194716828.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.G:\Documents and Settings\Lesky\Lokala inst Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:53001 Share Posted February 3, 2009 Please RESTART the computer and run again.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
Lesky Posted February 3, 2009 Author ID:53069 Share Posted February 3, 2009 Malwarebytes Quick scan log:Malwarebytes' Anti-Malware 1.33Database version: 1718Windows 5.1.2600 Service Pack 22009-02-03 12:48:00mbam-log-2009-02-03 (12-48-00).txtScan type: Quick ScanObjects scanned: 52311Time elapsed: 2 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:G:\Documents and Settings\Lesky\Lokala inst Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:53074 Share Posted February 3, 2009 Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
Lesky Posted February 3, 2009 Author ID:53096 Share Posted February 3, 2009 Combofix log:ComboFix 09-02-02.04 - Lesky 2009-02-03 15:09:36.3 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.2047.1579 [GMT 1:00]K Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53243 Share Posted February 4, 2009 Please look in this folder: g:\windows\Tasks\ and delete any .JOB files that are in there.From Control Panel, Scheduled Tasks you can also look and remove them.Please download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOGZip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.Click OK and quit the GMER program.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vista Link to post Share on other sites More sharing options...
Lesky Posted February 4, 2009 Author ID:53363 Share Posted February 4, 2009 There are 72 files in g:\windows\TasksThey are all names AT9, AT73 etc. I need to right click on them to see that they have the extension .jobI just need to double check that I should delete all of these .job files? That would mean emptying the Task Folder.I do not mean to be a pain in the ass, just wanted to be sure of this Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53408 Share Posted February 4, 2009 Yes, please delete ALL of them.Thanks. Link to post Share on other sites More sharing options...
Lesky Posted February 4, 2009 Author ID:53429 Share Posted February 4, 2009 The log attached as requested!Thank you.GMER.LOG.zipGMER.LOG.zip Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53526 Share Posted February 4, 2009 Can you please uninstall DAEMON Tools Lite for now. It is not Malware but is making it more difficult to track down the culprit of your infection due to how it manipulates and hides similar to a Rootkit.Then after you've removed it (including the SPDT file) delete your current copy of Combofix and download a NEW copy and run it and post back that new log.Thanks. Link to post Share on other sites More sharing options...
Lesky Posted February 4, 2009 Author ID:53558 Share Posted February 4, 2009 I appreciate you taking the time to help me.I uninstalled Daemon Tools as requested and inactivated the SPDT file.Here is the new Combofix log:ComboFix 09-02-04.01 - Lesky 2009-02-05 0:28:18.4 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.2047.1685 [GMT 1:00]K Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53612 Share Posted February 5, 2009 Well I know the OS is not English, but it also does not look like a full Combofix log for some reason.STEP 1What is this? g:\program\Trend Micro Did you create the g:\program folder and put stuff in it?STEP 2Please delete or move these filesg:\windows\system32\YcAoM3au.exe_g:\windows\wininit.iniSTEP 3Please disable from running these programsUseNeXTuTorrentSTEP 4Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVAWhen we're done you can go back and install the latest version but for now please do not install any.Then run this tool to help cleanup any left over JavaYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location and post it back when you replyThen look for the following Java folders and if found delete them.C:\Program Files\JavaC:\Program Files\Common Files\JavaC:\Documents and Settings\All Users\Application Data\JavaC:\Documents and Settings\All Users\Application Data\Sun\JavaC:\Documents and Settings\username\Application Data\JavaC:\Documents and Settings\username\Application Data\Sun\JavaSTEP 5Your version of Adobe Acrobat needs to be removed or updated.Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and AcrobatSTEP 6After the above please run this Anti-Virus scannerDownload to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.Then RESTART the computer and run the FULL GMER scan again and upload that log.Make sure ALL programs are shut down and do not use it while it scans.STEP 7Also please let me know how the computer is running now and if there are still any signs of an infection. Link to post Share on other sites More sharing options...
Lesky Posted February 5, 2009 Author ID:53697 Share Posted February 5, 2009 1.The only existing files in the Trend Micro Folder is G:\Program\Trend Micro\HijackThisWhen I installed the program the folder was named Trend Micro per automatic. 2. g:\windows\system32\YcAoM3au.exe_g:\windows\wininit.iniIs now both DELETED!3.Is UseNeXT causing problems? I had uninstalled with Revo uninstaller yesterday. Its still there some degree, disturbing your search for the infection root? If so, do you have any advise on how to remove the remaining UseNeXT stuff? As for Utorrent, should I just refrain from starting the program until we are done here? 4.Done.5.Done.Logs:JavaRa 1.13 Removal Log.JavaRa 1.13 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Thu Feb 05 09:57:35 2009Found and removed: Software\JavaSoft\Java2D\1.5.0_05Found and removed: SOFTWARE\Classes\JavaPlugin.150_05------------------------------------Finished reporting.Dr.Web CureIt Logdata002\32788R22FWJFW\psexec.cfexe;G:\Documents and Settings\Lesky\Skrivbord\ComboFix.exe\data002;Program.PsExec.171;;data002;G:\Documents and Settings\Lesky\Skrivbord\ComboFix.exe;Archive contains infected objects;;ComboFix.exe;G:\Documents and Settings\Lesky\Skrivbord;Archive contains infected objects;Moved.;A0028570.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP250;Trojan.StartPage.1505;Deleted.;A0028645.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP251;Trojan.StartPage.1505;Deleted.;A0028780.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP253;Trojan.StartPage.1505;Deleted.;A0028884.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP254;Trojan.StartPage.1505;Deleted.;A0029046.EXE;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP255;Program.PsExec.170;Incurable.Moved.;A0029164.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP255;Trojan.StartPage.1505;Deleted.;A0030208.dll;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP261;Trojan.DownLoader.origin;Incurable.Moved.;A0030515.EXE;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP265;Program.PsExec.170;Incurable.Moved.;Hijackthis logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 11:43:28, on 2009-02-05Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:G:\WINDOWS\System32\smss.exeG:\WINDOWS\system32\winlogon.exeG:\WINDOWS\system32\services.exeG:\WINDOWS\system32\lsass.exeG:\WINDOWS\system32\svchost.exeG:\WINDOWS\System32\svchost.exeG:\WINDOWS\system32\spoolsv.exeG:\WINDOWS\system32\nvsvc32.exeG:\WINDOWS\system32\svchost.exeG:\WINDOWS\Explorer.EXEG:\Program\Microsoft Office\Office12\GrooveMonitor.exeG:\WINDOWS\system32\RUNDLL32.EXEG:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exeG:\Program\EIZO\ScreenManager Pro for LCD\Lcdctrl.exeG:\Program\HP\HP Software Update\HPWuSchd2.exeG:\Program\ekort\ekort.exeG:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exeG:\WINDOWS\system32\OBroker.exeG:\WINDOWS\system32\ctfmon.exeG:\Program\MSN Messenger\MsnMsgr.ExeG:\Program\ICQ\ICQ.exeG:\WINDOWS\system32\wuauclt.exeG:\Program\Mozilla Firefox\firefox.exeG:\WINDOWS\system32\NOTEPAD.EXEG:\Program\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L Link to post Share on other sites More sharing options...
Lesky Posted February 5, 2009 Author ID:53702 Share Posted February 5, 2009 Gmerlog.gmerlog.zipgmerlog.zip Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 5, 2009 Root Admin ID:53706 Share Posted February 5, 2009 Please clear the System Restore area now.Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Then see if you can run another round of MBAM scans.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please.How is the computer running now?Are there still any signs of an infection?Thanks. Link to post Share on other sites More sharing options...
Lesky Posted February 5, 2009 Author ID:53785 Share Posted February 5, 2009 Malwarebytes log:Malwarebytes' Anti-Malware 1.33Database version: 1731Windows 5.1.2600 Service Pack 22009-02-05 17:28:49mbam-log-2009-02-05 (17-28-49).txtScan type: Quick ScanObjects scanned: 52216Time elapsed: 1 minute(s), 41 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Hijackthis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 18:27:20, on 2009-02-05Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:G:\WINDOWS\System32\smss.exeG:\WINDOWS\system32\winlogon.exeG:\WINDOWS\system32\services.exeG:\WINDOWS\system32\lsass.exeG:\WINDOWS\system32\svchost.exeG:\WINDOWS\System32\svchost.exeG:\WINDOWS\system32\spoolsv.exeG:\WINDOWS\system32\userinit.exeG:\WINDOWS\Explorer.EXEG:\Program\Microsoft Office\Office12\GrooveMonitor.exeG:\WINDOWS\system32\RUNDLL32.EXEG:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exeG:\Program\EIZO\ScreenManager Pro for LCD\Lcdctrl.exeG:\Program\HP\HP Software Update\HPWuSchd2.exeG:\Program\ekort\ekort.exeG:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exeG:\WINDOWS\system32\ctfmon.exeG:\Program\ICQ\ICQ.exeG:\Program\MSN Messenger\MsnMsgr.ExeG:\WINDOWS\system32\OBroker.exeG:\WINDOWS\system32\nvsvc32.exeG:\WINDOWS\system32\svchost.exeG:\Program\Trend Micro\HijackThis\HijackThis.exeG:\Program\Mozilla Firefox\firefox.exeG:\WINDOWS\system32\imapi.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 6, 2009 Root Admin ID:53901 Share Posted February 6, 2009 Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.STEP 1Uninstall ComboFix.exeClick START then RUNNow type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.When shown the disclaimer, Select "2"Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exeSTEP 2Uninstall GMERClick on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.STEP 3Uninstall other toolsPlease Download OTMoveIt3 by Old Timer and save it to your Desktop.Double-click OTMoveIt3.exe to run it.While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.It should ask if you want to clean up, select Yes and allow the system to clean up these items.NOW please reboot your computer to finish the cleanup processDownload and Update Java RuntimeThe most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.Uncheck the Toolbar button (unless you want the toolbar)Reboot your computerI highly suggest you upgrade IE6 to IE7 it's more secure, and update SP2 to SP3 for XP.Great, all looks good now.I'll close your post soon so that other don't post into it and leave you with this information and suggestions.So how did I get infected in the first place?At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Install SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comNote 1: If you are running Windows XP SP2, you should upgrade to SP3.Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.The security suite can then be reinstalled afterwards.The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org Link to post Share on other sites More sharing options...
Lesky Posted February 6, 2009 Author ID:54055 Share Posted February 6, 2009 Thanks alot for all the help! 2 last questions.1. The infected files from the DoctorWeb scanner is still left in som quarantine folder. What should I do with them? 2. The "payment" version of Malwarebytes, what exactly does it have for functions? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54240 Share Posted February 7, 2009 Yes you can remove the quarantine files from Dr Web and remove Dr Web if you like..The paid version of MBAM offers live blocking and automated updates and scheduled scanning. Basically it runs all the time and as you use the computer it is looking for known exploits and blocks them from installing.It works well with blocking many known threats but there is always the possibility that something new can come along and bypass it. If that happens though and we get logs about it then we'll add protection to the program for that new variant as well.The best part I suppose is that in less than a year MBAM has started to climb to the top of the list as one of the best products for removing Malware and a license purchased is good for life, ie. as the program gets better and better and newer features added you'd never have to pay for an update again. Link to post Share on other sites More sharing options...
Recommended Posts