BiB

Koobface keeps coming back


Hi,

Have been experiencing a recurring virus/trojan problem. Had a Google hijack thing which was removed by a combination of MalwareBytes and McAfee; both programs are up to date. The Google redirect problem disappeared, but I am still getting Koobface popping up when I scan with MalwareBytes. MalwareBytes finds and cleans it (McAfee last time didn't find it), but then it comes back. Any help/suggestions are appreciated. Below are the logs from MalwareBytes and HijackThis.

cheers

B

------------------

Malwarebytes' Anti-Malware 1.36

Database version: 2096

Windows 5.1.2600 Service Pack 2

09/05/2009 07:59:35

mbam-log-2009-05-09 (07-59-35).txt

Scan type: Full Scan (C:\|)

Objects scanned: 200282

Time elapsed: 1 hour(s), 57 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bilada Bilican\Local Settings\Temp\jopaxx_1241825049.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\WINDOWS\st_1241818752.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\st_1241837182.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

--------------------------------------------------------

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:31:40, on 09/05/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Registry Mechanic\RegMech.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guardian.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll

O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Rapportexe] "C:\Program Files\Trusteer\Rapport\bin\RapportService.exe" -start -after_boot

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Burta')

O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Burta')

O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Burta')

O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-1008\..\Run: [userinit] C:\Documents and Settings\Burta\Application Data\userinit32.exe (User 'Burta')

O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')

O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-501\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Guest')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Post-it

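As an added example (not part of the original post, and not HijackThis output), the following Python script runs a few location heuristics over the O4 autostart and R1 proxy lines of a HijackThis log of the kind quoted above: a binary started from a user-writable profile folder (Application Data, Temp), a name that imitates a core Windows binary outside system32, a bare file name that is resolved through the search path, an executable sitting directly in the Windows root, and a ProxyServer value that points at the local machine. The sample lines are copied from the log above; the severity levels and the rules themselves are this example's own assumptions.

```python
"""Triage helper for HijackThis O4 (autostart) and R1 (proxy) lines.

Added example, not part of the original thread. The sample lines below are
copied from the HijackThis log in the post above; the severity rules are
this example's own heuristics, not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the O4/R1 lines from the log above.
SAMPLE = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2584911182-3619664057-2934198837-1008\..\Run: [userinit] C:\Documents and Settings\Burta\Application Data\userinit32.exe (User 'Burta')
"""


@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or LOW (this example's own scale)
    entry: str     # Run value name, or the setting name for R1 lines
    reason: str


O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:\[]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<val>\S.*)$")
# First token that looks like an executable, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|cpl|dll|scr))"?(?:\s|$)', re.IGNORECASE)
# Core Windows binaries whose names malware likes to imitate outside system32.
SYSTEM_NAMES = ("userinit", "svchost", "lsass", "csrss", "winlogon", "services", "explorer")


def assess_autostart(name: str, cmd: str) -> Optional[Finding]:
    """Apply location-based heuristics to the command of one O4 line."""
    m = EXE_RE.match(cmd)
    if not m:
        return None
    path = m.group("path")
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\application data\\" in low or "\\temp\\" in low:
        return Finding("HIGH", name, f"autostart from a user-writable profile location: {path}")
    if stem.startswith(SYSTEM_NAMES) and "\\system32\\" not in low:
        return Finding("HIGH", name, f"system-binary look-alike outside system32: {path}")
    if "\\" not in path:
        return Finding("LOW", name, f"bare file name resolved through the search path: {path}")
    if low.startswith("c:\\windows\\") and low.count("\\") == 2:
        return Finding("MEDIUM", name, f"executable directly in the Windows root: {path}")
    return None


def triage(log_text: str) -> List[Finding]:
    """Return a finding for every suspicious O4/R1 line, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        pm = PROXY_RE.match(line)
        if pm:
            val = pm.group("val")
            if "localhost" in val.lower() or "127." in val:
                # A proxy on the local machine means some local process sees,
                # and can rewrite, every browser request: a classic hijack setup.
                findings.append(Finding("HIGH", "ProxyServer", f"browser proxied through a local port: {val}"))
            continue
        om = O4_RE.match(line)
        if om:
            f = assess_autostart(om.group("name"), om.group("cmd"))
            if f:
                if om.group("user"):
                    f.reason += f" (user '{om.group('user')}')"
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.entry:20} {f.reason}")
```

On the sample this yields three findings: the browser proxy on localhost:7171, the bare AGRSMMSG.exe name (low; the ComboFix loading-points list further down resolves it to c:\windows\AGRSMMSG.exe with a 2004 date), and userinit32.exe started from the Burta profile's Application Data folder. The proxy line is the one to understand: a search-result redirect does not need to touch the browser at all if every request already passes through a process listening on a local port. The userinit32.exe entry is worth a second look too, since the ComboFix Find3M report in this thread still lists that file after the clean-up.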

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after the reboot, since McAfee re-enables itself after the reboot. So please temporarily uninstall McAfee first, then reboot, and then scan with ComboFix.


Hiya,

Please find below the ComboFix log. Hope it has worked out fine.

B

-----------------

ComboFix 09-05-08.03 - Bilada Bilican 10/05/2009 0:34.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1014.649 [GMT 1:00]

Running from: c:\documents and settings\Bilada Bilican\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Bilada Bilican\Application Data\wiaserva.log

c:\documents and settings\LocalService\Application Data\twain_32

c:\documents and settings\LocalService\Application Data\twain_32\user.ds

c:\documents and settings\NetworkService\Application Data\twain_32

c:\documents and settings\NetworkService\Application Data\twain_32\user.ds

c:\program files\iMeshBar

c:\program files\iMeshBar\bar\Cache\00115FE0

c:\program files\iMeshBar\bar\Cache\009A16E6

c:\program files\iMeshBar\bar\Cache\01A17591.bin

c:\program files\iMeshBar\bar\Cache\01A179A8.bmp

c:\program files\iMeshBar\bar\Cache\01A17CE4.bmp

c:\program files\iMeshBar\bar\Cache\files.ini

c:\program files\iMeshBar\bar\History\search

c:\program files\iMeshBar\bar\Settings\prevcfg.htm

c:\windows\system32\al.txt

c:\windows\system32\dz1.txt

c:\windows\system32\inform.dat

c:\windows\system32\p1.txt

c:\windows\system32\r24.txt

c:\windows\system32\wbem\grpconv.exe

.

((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))

.

2009-05-09 07:31 . 2009-05-09 07:31 -------- d-----w c:\program files\Trend Micro

2009-05-07 00:37 . 2009-05-07 00:37 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Opera

2009-05-06 20:28 . 2009-05-06 20:28 51624 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-06 20:27 . 2009-05-06 20:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-06 17:37 . 2009-05-06 17:37 -------- d-----w c:\documents and settings\All Users\Application Data\Fighters

2009-05-06 17:37 . 2009-05-06 17:55 -------- d-----w c:\program files\Fighters

2009-05-06 17:24 . 2008-12-11 07:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys

2009-05-06 17:24 . 2009-04-03 10:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys

2009-05-06 17:24 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys

2009-05-06 17:23 . 2009-05-06 17:25 -------- d-----w c:\program files\Common Files\PC Tools

2009-05-06 17:23 . 2008-12-10 10:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys

2009-05-06 17:23 . 2009-05-08 12:15 -------- d-----w c:\program files\Spyware Doctor

2009-05-06 17:23 . 2009-05-06 17:23 -------- d-----w c:\documents and settings\Bilada Bilican\Application Data\PC Tools

2009-05-06 17:23 . 2009-05-06 17:23 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-05-01 10:50 . 2009-05-01 10:50 -------- d-----w c:\program files\Windows Defender

2009-05-01 09:18 . 2009-05-01 09:18 -------- d-----w c:\documents and settings\Bilada Bilican\Application Data\Malwarebytes

2009-05-01 09:18 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-01 09:18 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-01 09:18 . 2009-05-01 09:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-01 09:18 . 2009-05-01 09:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-15 16:28 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-15 16:28 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll

2009-04-15 16:28 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-15 16:28 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 16:28 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-15 16:28 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 16:28 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 16:28 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 16:28 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 16:28 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-12 19:39 . 2009-04-12 19:39 -------- d-----w c:\program files\iPod

2009-04-12 19:38 . 2009-04-12 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-04-12 19:38 . 2009-04-12 19:40 -------- d-----w c:\program files\iTunes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-01 05:53 . 2006-11-04 14:45 51624 ----a-w c:\documents and settings\Burta\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-12 19:39 . 2008-12-07 16:17 -------- d-----w c:\program files\Common Files\Apple

2009-03-23 09:41 . 2009-03-23 09:41 -------- d-----w c:\program files\Dako

2009-03-22 21:55 . 2005-09-15 22:03 -------- d-----w c:\program files\World of Warcraft

2009-03-19 15:32 . 2006-09-19 14:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-18 00:33 . 2009-03-18 00:33 -------- d-----w c:\program files\Bonjour

2009-03-18 00:31 . 2009-03-18 00:30 -------- d-----w c:\program files\QuickTime

2009-03-06 14:44 . 2004-08-04 08:00 283648 ----a-w c:\windows\system32\pdh.dll

2009-03-05 23:59 . 2009-03-18 00:26 1900544 ----a-w c:\windows\system32\usbaaplrc.dll

2009-03-05 23:59 . 2008-12-07 16:18 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys

2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-28 13:09 . 2005-09-13 10:35 51624 ----a-w c:\documents and settings\Bilada Bilican\Application Data\GDIPFONTCACHEV1.DAT

2009-02-20 18:09 . 2004-08-04 08:00 78336 ----a-w c:\windows\system32\ieencode.dll

2009-02-09 10:20 . 2004-08-04 08:00 723456 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:20 . 2004-08-04 08:00 399360 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:20 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 10:20 . 2004-08-04 08:00 616960 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:20 . 2004-08-04 08:00 583168 ----a-r c:\documents and settings\Burta\Application Data\userinit32.exe

2009-02-09 10:19 . 2004-08-04 08:00 1846272 ----a-w c:\windows\system32\win32k.sys

2008-11-21 17:56 . 2008-11-21 17:52 297472 ----a-w c:\program files\qgene96.xls

2008-11-21 17:56 . 2008-11-21 17:52 311296 ----a-w c:\program files\qstats.xla

2002-07-30 14:37 . 2008-11-21 17:52 456192 ----a-w c:\program files\qgene384.xls

2002-07-30 14:37 . 2008-11-21 17:52 262656 ----a-w c:\program files\qgenedb.xls

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-01-23 19480616]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" [2009-03-08 980200]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]

"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-11-01 290816]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-09 180269]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-08-24 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Post-it

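Added example (not from the thread, and not a ComboFix or MBAM feature): a small Python timeline builder that combines two things the logs in this thread carry. ComboFix's "Files Created" lines are in local time, with the offset printed in the header line as [GMT 1:00]; the MBAM detections in the first post have file names ending in ten-digit numbers (st_1241818752.exe, jopaxx_1241825049.exe, st_1241837182.exe) which this example assumes are Unix epoch timestamps. Sample inputs are copied from the two logs; the epoch interpretation, the line formats as parsed here, and the function names are the example's own assumptions.

```python
"""Merge ComboFix 'Files Created' entries and MBAM detections into one
timeline expressed in UTC.

Added example, not part of the original thread. The inputs below are copied
from the logs in this thread; the reading of the ten-digit number in names
like st_1241837182.exe as a Unix epoch is this example's own assumption.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# ComboFix prints the machine's local-time offset at the end of its OS line.
COMBOFIX_HEADER = (
    "Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1014.649 [GMT 1:00]"
)
# Constructed sample: three lines from the 'Files Created' section above.
COMBOFIX_CREATED = r"""2009-05-09 07:31 . 2009-05-09 07:31 -------- d-----w c:\program files\Trend Micro
2009-05-06 17:23 . 2009-05-08 12:15 -------- d-----w c:\program files\Spyware Doctor
2009-05-01 09:18 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
"""
# Constructed sample: the paths from the MBAM 'Files Infected' section above.
MBAM_FILES = [
    r"C:\WINDOWS\t55ft2692f44.dat",
    r"C:\Documents and Settings\Bilada Bilican\Local Settings\Temp\jopaxx_1241825049.exe",
    r"C:\WINDOWS\ld08.exe",
    r"C:\WINDOWS\st_1241818752.exe",
    r"C:\WINDOWS\st_1241837182.exe",
]

GMT_RE = re.compile(r"\[GMT ([+-]?\d{1,2}):(\d\d)\]")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
EPOCH_RE = re.compile(r"_(?P<ts>\d{10})\.[A-Za-z0-9]+$")

Event = Tuple[datetime, str, str]  # (time in UTC, kind, path)


def combofix_utc_offset(header: str) -> timedelta:
    """Read the [GMT h:mm] marker ComboFix puts in its header."""
    m = GMT_RE.search(header)
    if not m:
        raise ValueError("no [GMT h:mm] marker in header")
    hours, minutes = int(m.group(1)), int(m.group(2))
    sign = -1 if hours < 0 else 1
    return timedelta(hours=hours, minutes=sign * minutes)


def parse_created(text: str, offset: timedelta) -> List[Event]:
    """Convert ComboFix's local creation times to UTC events."""
    local = timezone(offset)
    events: List[Event] = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M").replace(tzinfo=local)
        events.append((when.astimezone(timezone.utc), "created", m.group("path")))
    return events


def epoch_from_name(path: str) -> Optional[datetime]:
    """Decode a trailing _<epoch> in a file name; None if absent or implausible."""
    m = EPOCH_RE.search(path)
    if not m:
        return None
    ts = int(m.group("ts"))
    if not 1_000_000_000 <= ts < 2_000_000_000:  # roughly 2001-09 .. 2033-05
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc)  # epoch is UTC by definition


def build_timeline(header: str, created_text: str, detections: List[str]) -> List[Event]:
    """All events in one clock (UTC), oldest first."""
    events = parse_created(created_text, combofix_utc_offset(header))
    for path in detections:
        when = epoch_from_name(path)
        if when is not None:
            events.append((when, "dropped (name epoch)", path))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for when, kind, path in build_timeline(COMBOFIX_HEADER, COMBOFIX_CREATED, MBAM_FILES):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {kind:20}  {path}")
```

Under the epoch assumption the three droppers decode to 21:39 and 23:24 UTC on 8 May and 02:46 UTC on 9 May, all within about five hours and all before the MBAM scan logged at 07:59 local (GMT+1) on 9 May in the first post. The point of the exercise is the clock normalisation: ComboFix writes local time and an epoch is UTC, so comparing them directly would shift every dropper by an hour relative to the tool installs around it.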

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Hi,

So, I have uninstalled ComboFix, performed a full scan with MalwareBytes and updated AVG; nothing came up. Everything seems to be working fine and there are no more redirects or slowed-down processing.

Really appreciate the help :(.

Couple of quick questions:

- What else can I do to make sure there is nothing else on my computer? Did the ComboFix log give information about what was there and what was cleaned?

- How serious and malicious was the particular virus/trojan I had? Just out of curiosity, was it the case that it wasn't that serious, so McAfee and MalwareBytes didn't pick it up? Or was the scan engine of those programs not suitable for picking it up, so we had to use different software?

best regards

B


Hi,

Yes, the ComboFix log showed what was still present or not. :(

I suggest you change all your passwords and be careful next time on facebook. :)

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
