Jump to content

Malwarebyte & Hijackthis logs


Lesky

Recommended Posts

Greetings.

Thanks for this forum.

I have done everything according to your "guidelines".

From these logs, is my system still infected?

Respectfully

Lesky

Malwarebytes log:

Malwarebytes' Anti-Malware 1.33

Database version: 1713

Windows 5.1.2600 Service Pack 2

2009-02-01 22:11:49

mbam-log-2009-02-01 (22-11-49).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|)

Objects scanned: 166317

Time elapsed: 1 hour(s), 3 minute(s), 20 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 6

Registry Data Items Infected: 0

Folders Infected: 6

Files Infected: 23

Memory Processes Infected:

G:\WINDOWS\system32\YcAoM3au.exe (Trojan.Obvod) -> Unloaded process successfully.

Memory Modules Infected:

G:\WINDOWS\system32\hgdfhsiueme.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.MSAntispyware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

Files Infected:

G:\WINDOWS\system32\hgdfhsiueme.dll (Trojan.Zlob.H) -> Delete on reboot.

G:\WINDOWS\system32\YcAoM3au.exe (Trojan.Obvod) -> Delete on reboot.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MSAntispyware) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP247\A0028079.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

G:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201121702156.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201122607343.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201163344734.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201194716828.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

G:\Documents and Settings\Lesky\Lokala inst

Link to post
Share on other sites

  • Root Admin

Please RESTART the computer and run again.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

Malwarebytes Quick scan log:

Malwarebytes' Anti-Malware 1.33

Database version: 1718

Windows 5.1.2600 Service Pack 2

2009-02-03 12:48:00

mbam-log-2009-02-03 (12-48-00).txt

Scan type: Quick Scan

Objects scanned: 52311

Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

G:\Documents and Settings\Lesky\Lokala inst

Link to post
Share on other sites

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your
DESKTOP
:
how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run
ComboFix.exe
on your DESKTOP and not from any other folder.

Also,
DO NOT
click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The
Windows Recovery Console
will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click
    Yes
    to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the
    C:\ComboFix.txt
    along with a
    new HijackThis log
    so we may continue cleaning the system.

Link to post
Share on other sites

  • Root Admin

Please look in this folder: g:\windows\Tasks\ and delete any .JOB files that are in there.

From Control Panel, Scheduled Tasks you can also look and remove them.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file
    gmer.exe
    to your Desktop.
  • Double click on
    gmer.exe
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. Click on the
    SCAN
    button and DO NOT use the computer while it's scanning.

  • Once the scan is done click on the
    SAVE
    button and browse to your Desktop and save the file as
    GMER.LOG

  • Zip up the
    GMER.LOG
    file and save it as
    gmerlog.zip
    and attach it to your reply post.

  • DO NOT
    directly post this log into a reply. You
    MUST
    attach it as a .ZIP file.

  • Click OK and quit the GMER program.

Link to post
Share on other sites

There are 72 files in g:\windows\Tasks

They are all names AT9, AT73 etc. I need to right click on them to see that they have the extension .job

I just need to double check that I should delete all of these .job files? That would mean emptying the Task Folder.

I do not mean to be a pain in the ass, just wanted to be sure of this :D

Link to post
Share on other sites

  • Root Admin

Can you please uninstall DAEMON Tools Lite for now.

It is not Malware but is making it more difficult to track down the culprit of your infection due to how it manipulates and hides similar to a Rootkit.

Then after you've removed it (including the SPDT file) delete your current copy of Combofix and download a NEW copy and run it and post back that new log.

Thanks.

Link to post
Share on other sites

I appreciate you taking the time to help me.

I uninstalled Daemon Tools as requested and inactivated the SPDT file.

Here is the new Combofix log:

ComboFix 09-02-04.01 - Lesky 2009-02-05 0:28:18.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.2047.1685 [GMT 1:00]

K

Link to post
Share on other sites

  • Root Admin

Well I know the OS is not English, but it also does not look like a full Combofix log for some reason.

STEP 1

What is this? g:\program\Trend Micro Did you create the g:\program folder and put stuff in it?

STEP 2

Please delete or move these files

g:\windows\system32\YcAoM3au.exe_

g:\windows\wininit.ini

STEP 3

Please disable from running these programs

UseNeXT

uTorrent

STEP 4

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

STEP 5

Your version of Adobe Acrobat needs to be removed or updated.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

STEP 6

After the above please run this Anti-Virus scanner

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Then RESTART the computer and run the FULL GMER scan again and upload that log.

Make sure ALL programs are shut down and do not use it while it scans.

STEP 7

Also please let me know how the computer is running now and if there are still any signs of an infection.

Link to post
Share on other sites

1.

The only existing files in the Trend Micro Folder is G:\Program\Trend Micro\HijackThis

When I installed the program the folder was named Trend Micro per automatic.

2.

g:\windows\system32\YcAoM3au.exe_

g:\windows\wininit.ini

Is now both DELETED!

3.

Is UseNeXT causing problems? I had uninstalled with Revo uninstaller yesterday. Its still there some degree, disturbing your search for the infection root?

If so, do you have any advise on how to remove the remaining UseNeXT stuff?

As for Utorrent, should I just refrain from starting the program until we are done here?

4.

Done.

5.

Done.

Logs:

JavaRa 1.13 Removal Log.

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Feb 05 09:57:35 2009

Found and removed: Software\JavaSoft\Java2D\1.5.0_05

Found and removed: SOFTWARE\Classes\JavaPlugin.150_05

------------------------------------

Finished reporting.

Dr.Web CureIt Log

data002\32788R22FWJFW\psexec.cfexe;G:\Documents and Settings\Lesky\Skrivbord\ComboFix.exe\data002;Program.PsExec.171;;

data002;G:\Documents and Settings\Lesky\Skrivbord\ComboFix.exe;Archive contains infected objects;;

ComboFix.exe;G:\Documents and Settings\Lesky\Skrivbord;Archive contains infected objects;Moved.;

A0028570.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP250;Trojan.StartPage.1505;Deleted.;

A0028645.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP251;Trojan.StartPage.1505;Deleted.;

A0028780.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP253;Trojan.StartPage.1505;Deleted.;

A0028884.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP254;Trojan.StartPage.1505;Deleted.;

A0029046.EXE;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP255;Program.PsExec.170;Incurable.Moved.;

A0029164.reg;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP255;Trojan.StartPage.1505;Deleted.;

A0030208.dll;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP261;Trojan.DownLoader.origin;Incurable.Moved.;

A0030515.EXE;G:\System Volume Information\_restore{FBA510F7-69CB-4693-A685-01EABF278D34}\RP265;Program.PsExec.170;Incurable.Moved.;

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:43:28, on 2009-02-05

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\WINDOWS\system32\nvsvc32.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\Explorer.EXE

G:\Program\Microsoft Office\Office12\GrooveMonitor.exe

G:\WINDOWS\system32\RUNDLL32.EXE

G:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe

G:\Program\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe

G:\Program\HP\HP Software Update\HPWuSchd2.exe

G:\Program\ekort\ekort.exe

G:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exe

G:\WINDOWS\system32\OBroker.exe

G:\WINDOWS\system32\ctfmon.exe

G:\Program\MSN Messenger\MsnMsgr.Exe

G:\Program\ICQ\ICQ.exe

G:\WINDOWS\system32\wuauclt.exe

G:\Program\Mozilla Firefox\firefox.exe

G:\WINDOWS\system32\NOTEPAD.EXE

G:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L

Link to post
Share on other sites

  • Root Admin

Please clear the System Restore area now.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Then see if you can run another round of MBAM scans.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

How is the computer running now?

Are there still any signs of an infection?

Thanks.

Link to post
Share on other sites

Malwarebytes log:

Malwarebytes' Anti-Malware 1.33

Database version: 1731

Windows 5.1.2600 Service Pack 2

2009-02-05 17:28:49

mbam-log-2009-02-05 (17-28-49).txt

Scan type: Quick Scan

Objects scanned: 52216

Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:27:20, on 2009-02-05

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\spoolsv.exe

G:\WINDOWS\system32\userinit.exe

G:\WINDOWS\Explorer.EXE

G:\Program\Microsoft Office\Office12\GrooveMonitor.exe

G:\WINDOWS\system32\RUNDLL32.EXE

G:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe

G:\Program\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe

G:\Program\HP\HP Software Update\HPWuSchd2.exe

G:\Program\ekort\ekort.exe

G:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exe

G:\WINDOWS\system32\ctfmon.exe

G:\Program\ICQ\ICQ.exe

G:\Program\MSN Messenger\MsnMsgr.Exe

G:\WINDOWS\system32\OBroker.exe

G:\WINDOWS\system32\nvsvc32.exe

G:\WINDOWS\system32\svchost.exe

G:\Program\Trend Micro\HijackThis\HijackThis.exe

G:\Program\Mozilla Firefox\firefox.exe

G:\WINDOWS\system32\imapi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L

Link to post
Share on other sites

  • Root Admin

Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

  • Click
    START
    then
    RUN
  • Now type
    Combofix /u
    (if you renamed Combofix.exe use that name instead)
    in the runbox and click OK. Note the
    space
    between the
    X
    and the
    /U
    , it needs to be there.

  • CF_Cleanup.png


  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe

STEP 2

Uninstall GMER

Click on
START - RUN
and type in or copy/paste
%windir%\gmer_uninstall.cmd
to remove GMER.

STEP 3

Uninstall other tools

Please
Download
OTMoveIt3
by Old Timer
and save it to your
Desktop
.
  • Double-click
    OTMoveIt3.exe
    to run it.
  • While connected to the Internet, Click on the green
    CleanUp!
    button and it will populate a list of items to clean from your system that we used or may have used.

  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.

    NOW
    please reboot your computer to finish the cleanup process

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

I highly suggest you upgrade IE6 to IE7 it's more secure, and update SP2 to SP3 for XP.

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from
here

Find here the tutorial on how to use Spyware Blaster
here

Install WinPatrol

Download it from
here

Here you can find information about how WinPatrol works
here

Install FireTrust SiteHound

You can find information and download it from
here

Install hpHosts

Download it from
here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP
SP2
, you should upgrade to
SP3
.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend
Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

Link to post
Share on other sites

  • Root Admin

Yes you can remove the quarantine files from Dr Web and remove Dr Web if you like..

The paid version of MBAM offers live blocking and automated updates and scheduled scanning.

Basically it runs all the time and as you use the computer it is looking for known exploits and blocks them from installing.

It works well with blocking many known threats but there is always the possibility that something new can come along and bypass it. If that happens though and we get logs about it then we'll add protection to the program for that new variant as well.

The best part I suppose is that in less than a year MBAM has started to climb to the top of the list as one of the best products for removing Malware and a license purchased is good for life, ie. as the program gets better and better and newer features added you'd never have to pay for an update again.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.