
Can't Remove Trojan.Vundo.H



I can't kill Trojan.Vundo.H. I am using the latest Malwarebytes release and also the latest definitions. Also, I can't uninstall the "Total Security" spyware app by using Add/Remove Programs.

I appreciate your help, thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:29:22 PM, on 9/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/

O2 - BHO: (no name) - {02944EC4-EEA3-4F49-BA68-F013069C08A3} - C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {85C64ED9-D2B8-4E05-96D9-DF58F65CAA68} - c:\windows\system32\cthkcon.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'Default user')

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.236.138.36/activex/AMC.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\cthkcon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 6716 bytes

Malwarebytes' Anti-Malware 1.41

Database version: 2791

Windows 5.1.2600 Service Pack 3

9/13/2009 3:36:44 PM

mbam-log-2009-09-13 (15-36-44).txt

Scan type: Full Scan (C:\|)

Objects scanned: 166875

Time elapsed: 46 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85c64ed9-d2b8-4e05-96d9-df58f65caa68} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\djpzioeb (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{85c64ed9-d2b8-4e05-96d9-df58f65caa68} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02944ec4-eea3-4f49-ba68-f013069c08a3} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{02944ec4-eea3-4f49-ba68-f013069c08a3} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\cthkcon.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.

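The following is an added example, not part of the original post and not a Malwarebytes or HijackThis tool: a Python script that applies to the O2, O16 and O20 lines of a HijackThis log the same triage a helper does by eye. It flags a BHO whose DLL is missing or sits in a Temp folder, a Winlogon Notify package (a DLL that winlogon.exe loads as SYSTEM at logon, which fits the MBAM log above only being able to mark cthkcon.dll "Delete on reboot"), a random-looking name, and, with the highest weight, one DLL registered under both O2 and O20, which is exactly what cthkcon.dll is doing in this log. The sample lines are an abridged copy of the log posted above; the scoring weights and the consonant-run heuristic are my own choices, not a published rule.

```python
"""Score HijackThis O2 / O16 / O20 entries the way a forum helper does by eye.

Added example for this thread; not a Malwarebytes or HijackThis tool.  The
sample lines are copied from the posted log; the weights and the
consonant-run heuristic are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Abridged copy of the posted HijackThis log (constructed sample input).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02944EC4-EEA3-4F49-BA68-F013069C08A3} - C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {85C64ED9-D2B8-4E05-96D9-DF58F65CAA68} - c:\windows\system32\cthkcon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.236.138.36/activex/AMC.cab
O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\cthkcon.dll
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    target: str                      # DLL path or URL as it appeared in the log
    reasons: list = field(default_factory=list)
    score: int = 0

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def looks_random(token):
    """Crude test for generated names like 'djpzioeb': letters only with a run of
    four consonants.  Legitimate names can trip it, so it only adds weight."""
    return token.isalpha() and bool(CONSONANT_RUN.search(token.lower()))


def triage(hjt_text):
    """Return {lower-cased target: Finding} for every entry that earned points.
    Entries that look clean (vendor DLLs in their install folder) are omitted."""
    findings = {}
    bho_by_base = {}      # lower-cased DLL file name -> O2 path
    notify_by_base = {}   # lower-cased DLL file name -> (Notify subkey, O20 path)

    def finding(target):
        return findings.setdefault(target.lower(), Finding(target))

    for line in hjt_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            path = m["path"].strip()
            base = path.rsplit("\\", 1)[-1].lower()
            bho_by_base[base] = path
            f = Finding(path)
            if m["missing"]:
                f.add(2, "BHO CLSID still registered but its DLL is gone")
            if "\\temp\\" in path.lower():
                f.add(3, "BHO DLL lives in a Temp folder, not an install directory")
            if m["name"] == "(no name)":
                f.add(1, "BHO registered without a friendly name")
            if looks_random(base.rsplit(".", 1)[0]):
                f.add(2, f"random-looking DLL name {base!r}")
            if f.score:
                findings[path.lower()] = f
        elif m := O20_RE.match(line):
            path = m["path"].strip()
            base = path.rsplit("\\", 1)[-1].lower()
            notify_by_base[base] = (m["key"], path)
            f = finding(path)
            f.add(3, f"Winlogon Notify package {m['key']!r}: loaded into winlogon.exe as SYSTEM at logon")
            if looks_random(m["key"]):
                f.add(2, f"random-looking Notify subkey {m['key']!r}")
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if IPV4.match(host):
                finding(m["url"]).add(2, f"ActiveX control fetched from a bare IP address ({host})")

    # The strongest signal here: one DLL hooked into both IE (O2) and winlogon (O20).
    for base, (key, npath) in notify_by_base.items():
        if base in bho_by_base:
            for target in {bho_by_base[base].lower(), npath.lower()}:
                finding(target).add(4, f"{base} is registered both as a BHO and as Winlogon Notify {key!r}")
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_HJT).values(), key=lambda x: -x.score):
        print(f"[{f.score:>2}] {f.target}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run as-is it prints cthkcon.dll first with the O2/O20 overlap, then dm191.dll, then the AMC.cab download from a bare IP; the Acrobat and Google Toolbar BHOs earn no points and are not listed.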

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by right-clicking the desktop shortcut and choosing "Run as Administrator". Choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O2 - BHO: (no name) - {02944EC4-EEA3-4F49-BA68-F013069C08A3} - C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (file missing)

O2 - BHO: (no name) - {85C64ED9-D2B8-4E05-96D9-DF58F65CAA68} - c:\windows\system32\cthkcon.dll

O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\cthkcon.dll

Close HJT

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard and paste it in a reply back here.
  • Now, relaunch the ARK program, click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, please attach it.

---

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as explorer.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your Symantec antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Please post ARK.txt and C:\ComboFix.txt in your next reply.



As requested, here are the clipboard contents from the Antirootkit program:

GMER 1.0.15.15077 [bss77s9v.exe] - http://www.gmer.net

Rootkit quick scan 2009-09-13 23:12:45

Windows 5.1.2600 Service Pack 3

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


Here are the latest information files: Ark.txt, the ComboFix log, and another HijackThis log that was run after ComboFix.

I notice that I still have a "Total Security" application that shows up in my Add/Remove Programs listing. What has to be done to get rid of that piece of spyware? Thanks, I appreciate your help.

GMER 1.0.15.15077 [trqcgsrc.exe] - http://www.gmer.net

Rootkit scan 2009-09-14 01:28:09

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT E1B37400 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 82FE6570

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----

ComboFix 09-09-13.05 - Mike Roy Auto 09/14/2009 1:46.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.184 [GMT -4:00]

Running from: c:\documents and settings\Mike Roy Auto\Desktop\Cb1231.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\TS\tsc.exe

c:\recycler\S-1-5-21-1433678514-3411340332-2596020146-1003

c:\recycler\S-1-5-21-515967899-1580436667-725345543-1003

c:\windows\system32\cthkcon.dll

c:\windows\system32\drivers\uhyeybry.sys

c:\windows\system32\drivers\wceclzsu.sys

c:\windows\system32\vghmhrxf.dll

c:\windows\system32\wsyyhze.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WCECLZSU

-------\Service_wceclzsu

((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))

.

2009-09-14 03:03 . 2009-09-14 05:30 -------- d-----w- C:\Ark

2009-09-13 19:55 . 2009-09-13 19:55 -------- d-----w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\Mozilla

2009-09-13 15:48 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-13 15:48 . 2009-09-13 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-13 15:48 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-13 06:44 . 2004-03-05 03:46 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-09-13 06:44 . 2004-03-05 03:46 82832 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-13 06:43 . 2009-09-13 06:44 -------- d-----w- c:\program files\Symantec

2009-09-13 06:43 . 2009-09-14 05:56 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-13 06:43 . 2009-09-13 06:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-13 06:04 . 2009-09-13 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\SUPERAntiSpyware.com

2009-09-13 05:44 . 2009-09-13 05:44 -------- d-----w- c:\program files\CCleaner

2009-09-13 04:46 . 2009-09-13 04:46 -------- d-----w- c:\program files\Trend Micro

2009-09-12 15:32 . 2009-09-13 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-12 14:57 . 2009-09-12 14:57 -------- d-----w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde

2009-09-12 14:57 . 2009-09-12 14:57 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde

2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\Malwarebytes

2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-11 18:03 . 2009-09-11 18:03 -------- d-----w- c:\program files\Common Files\TSUninstall

2009-09-11 18:02 . 2009-09-14 05:53 -------- d-----w- c:\program files\TS

2009-09-10 19:38 . 2009-09-10 19:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde

2009-09-10 19:38 . 2009-09-10 19:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\hgmxqsde

2009-09-08 19:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-14 03:23 . 2007-03-24 15:49 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\OpenOffice.org2

2009-09-13 15:36 . 2007-12-18 19:35 -------- d-----w- c:\program files\Coupons

2009-09-13 07:42 . 2007-12-08 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-13 07:28 . 2007-12-08 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-13 06:43 . 2004-05-12 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-13 04:52 . 2007-04-23 17:15 -------- d-----w- c:\program files\WebIQ

2009-09-12 16:03 . 2009-01-09 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-09-12 16:00 . 2009-07-27 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2009-08-27 17:50 . 2007-03-27 16:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\AdobeUM

2009-08-22 14:16 . 2009-01-09 22:46 -------- d-----w- c:\program files\NortonInstaller

2009-08-22 14:14 . 2009-01-09 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-14 10:58 . 2009-09-12 15:34 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-07 14:21 . 2007-03-24 02:59 56504 ----a-w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\MSBuild

2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-27 14:18 . 2009-07-27 14:17 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\DriverCure

2009-07-27 14:16 . 2009-07-27 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-07-17 19:01 . 2004-05-12 09:42 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 16:21 . 2004-05-12 10:07 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2005-10-21 17:51 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2004-05-12 09:43 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-05-12 09:43 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-05-12 09:43 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-05-12 09:42 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-05-12 09:42 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-24 11:18 . 2004-05-12 09:42 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-05-12 09:43 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-05-12 09:42 81920 ----a-w- c:\windows\system32\fontsub.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-12 77824]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]

c:\documents and settings\Mike Roy Auto\Start Menu\Programs\Startup\

OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WCECLZSU

*Deregistered* - wceclzsu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ofgmwotm

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.236.138.36/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Mike Roy Auto\Application Data\Mozilla\Firefox\Profiles\vibazv7k.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-14 01:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3892)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\OpenOffice.org 2.1\program\soffice.exe

c:\program files\OpenOffice.org 2.1\program\soffice.bin

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

.

**************************************************************************

.

Completion time: 2009-09-14 2:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-14 06:02

Pre-Run: 62,896,451,584 bytes free

Post-Run: 66,088,554,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

188 --- E O F --- 2009-09-11 18:28

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:09:13 AM, on 9/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Mike Roy Auto\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'Default user')

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.236.138.36/activex/AMC.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 6421 bytes


I'm glad your computer is better but your Combofix log still shows some infected items which I will help you remove with a customized script. You should do this so the infection doesn't resurface again.

Open Notepad

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled)

Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
wceclzsu

Folder::
c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde
c:\program files\Common Files\TSUninstall
c:\program files\TS
c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde
c:\documents and settings\NetworkService\Application Data\hgmxqsde
c:\documents and settings\All Users\Application Data\ParetoLogic

Netsvc::
ofgmwotm

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

Save this to your desktop as CFScript.txt by selecting File -> Save as.

(image: CFScriptB-4.gif)

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe (Cb1231.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.
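The entries the helper's CFScript targets are exactly the kind of thing an analyst looks for in the "Reg Loading Points" part of a ComboFix log: a Security Center monitoring value switched off for the installed AV, the Windows Firewall profile disabled, an unfamiliar name under the svchost NetSvcs group, and a driver that appeared and vanished during the run. The script below is an added example for this thread (it is not part of the thread, of ComboFix or of Malwarebytes) that parses a constructed excerpt modelled on the log above and reports those four findings; the `looks_random` heuristic and all finding names are my own choices, not anything ComboFix emits.

```python
"""Triage of ComboFix-style "Reg Loading Points" output (added example)."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the log quoted in the thread; not a real log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WCECLZSU

*Deregistered* - wceclzsu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ofgmwotm

.

Contents of the 'Scheduled Tasks' folder
"""

_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"=value
_DRIVER_RE = re.compile(r'^\*(NewlyCreated|Deregistered)\*\s+-\s+(\S+)$')
NETSVCS_MARKER = "Svchost - NetSvcs"


def looks_random(name: str) -> bool:
    """Heuristic (my own): an all-lowercase alphabetic name of 7+ letters with few
    vowels is typical of generated names such as ofgmwotm, wceclzsu or hgmxqsde.
    Treat a hit as a prompt to check the entry, not as proof of malware."""
    if len(name) < 7 or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiouy" for c in name)
    return vowels / len(name) <= 0.3


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious item in a ComboFix-style log excerpt."""
    findings: List[Dict[str, str]] = []
    seen = set()

    def add(kind: str, name: str, detail: str) -> None:
        key = (kind, name.lower())
        if key not in seen:                      # report each item once
            seen.add(key)
            findings.append({"kind": kind, "name": name, "detail": detail})

    current_key = ""
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:
            # ComboFix hides the default NetSvcs members, so every name printed
            # in this block was added to the svchost group after installation.
            if line == ".":
                in_netsvcs = False
            elif line:
                note = "non-default svchost NetSvcs member"
                if looks_random(line):
                    note += "; name looks generated"
                add("netsvcs_entry", line, note)
            continue
        if not line:
            continue
        if line.endswith(NETSVCS_MARKER):
            in_netsvcs = True
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()      # remember the key for value lines
        elif (m := _DRIVER_RE.match(line)):
            add("transient_driver", m.group(2).lower(),
                f"driver seen in memory during the run ({m.group(1)})")
        elif (m := _VALUE_RE.match(line)):
            name, value = m.group(1).lower(), m.group(2).strip().lower()
            if ("security center\\monitoring" in current_key
                    and name == "disablemonitoring" and value == "dword:00000001"):
                add("security_center_monitoring_disabled", current_key,
                    "Security Center told to stop monitoring this product")
            elif (current_key.endswith("firewallpolicy\\standardprofile")
                    and name == "enablefirewall" and value.startswith("0")):
                add("firewall_disabled", current_key,
                    "Windows Firewall off for the standard profile")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:36} {f['name']}: {f['detail']}")
```

Run against the constructed excerpt it reports four items, matching the four things the CFScript above removes or resets. The `DisableMonitoring` check is deliberately narrow: a value of 1 under `security center\Monitoring\<product>` is a common way for malware to keep Security Center from alerting when the real AV stops, which is why the script sets it back to 0.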


Wow, thanks for being so diligent. I will run that tonight and get back to you.

Thanks again.

Mike


OK I uninstalled Symantec last night and installed avast this morning. I will make sure to disable avast first prior to running it.

Thanks again. Will be getting back to you tonight.

Mike

Here are the contents of the log file Combofix.txt. I am looking forward to hearing from you.

Thanks, Mike

ComboFix 09-09-14.02 - Mike Roy Auto 09/14/2009 20:36.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.232 [GMT -4:00]

Running from: c:\documents and settings\Mike Roy Auto\Desktop\cb1231.exe

Command switches used :: c:\documents and settings\Mike Roy Auto\Desktop\cfscript.txt

AV: avast! antivirus 4.8.1351 [VPS 090914-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\ParetoLogic

c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Master.xml

c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Patch.xml

c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Update.xml

c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Master.xml

c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Patch.xml

c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Update.xml

c:\documents and settings\Diann Jasinski\Application Data\Microsoft\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\profiles.ini

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\cert8.db

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\compatibility.ini

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\compreg.dat

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\cookies.sqlite

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\formhistory.sqlite

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\key3.db

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\localstore.rdf

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\permissions.sqlite

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\places.sqlite

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\pluginreg.dat

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\prefs.js

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\secmod.db

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\webappsstore.sqlite

c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\xpti.dat

c:\documents and settings\Mike Roy Auto\Application Data\Microsoft\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe

c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde

c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde\Profiles\uibmp3o1.default\urlclassifier3.sqlite

c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde\Profiles\uibmp3o1.default\XPC.mfl

c:\documents and settings\NetworkService\Application Data\hgmxqsde

c:\documents and settings\NetworkService\Application Data\hgmxqsde\profiles.ini

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\cert8.db

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\compatibility.ini

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\compreg.dat

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\cookies.sqlite

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\formhistory.sqlite

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\key3.db

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\localstore.rdf

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\permissions.sqlite

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\places.sqlite-journal

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\places.sqlite

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\pluginreg.dat

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\prefs.js

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\secmod.db

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\webappsstore.sqlite

c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\xpti.dat

c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde

c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\urlclassifier3.sqlite

c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\XPC.mfl

c:\program files\Common Files\TSUninstall

c:\program files\Common Files\TSUninstall\Uninstall.lnk

c:\program files\TS

c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WCECLZSU

((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))

.

2009-09-14 12:31 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-09-14 12:31 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-09-14 12:31 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-09-14 12:31 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-09-14 12:31 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-09-14 12:31 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-09-14 12:31 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-09-14 12:31 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-09-14 12:31 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-09-13 19:55 . 2009-09-13 19:55 -------- d-----w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\Mozilla

2009-09-13 06:04 . 2009-09-13 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\SUPERAntiSpyware.com

2009-09-13 05:44 . 2009-09-13 05:44 -------- d-----w- c:\program files\CCleaner

2009-09-13 04:46 . 2009-09-13 04:46 -------- d-----w- c:\program files\Trend Micro

2009-09-12 15:32 . 2009-09-13 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\Malwarebytes

2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-08 19:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-14 22:54 . 2007-03-24 15:49 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\OpenOffice.org2

2009-09-14 12:24 . 2004-05-12 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-14 12:22 . 2007-12-08 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-14 12:22 . 2007-12-08 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-13 15:36 . 2007-12-18 19:35 -------- d-----w- c:\program files\Coupons

2009-09-13 04:52 . 2007-04-23 17:15 -------- d-----w- c:\program files\WebIQ

2009-09-12 16:03 . 2009-01-09 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-09-12 16:00 . 2009-07-27 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2009-08-27 17:50 . 2007-03-27 16:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\AdobeUM

2009-08-22 14:16 . 2009-01-09 22:46 -------- d-----w- c:\program files\NortonInstaller

2009-08-22 14:14 . 2009-01-09 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-14 10:58 . 2009-09-12 15:34 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-07 14:21 . 2007-03-24 02:59 56504 ----a-w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\MSBuild

2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-27 14:18 . 2009-07-27 14:17 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\DriverCure

2009-07-17 19:01 . 2004-05-12 09:42 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 16:21 . 2004-05-12 10:07 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2005-10-21 17:51 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2004-05-12 09:43 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-05-12 09:43 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-05-12 09:43 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-05-12 09:42 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-05-12 09:42 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-24 11:18 . 2004-05-12 09:42 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-14_05.57.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-15 00:43 . 2009-09-15 00:43 16384 c:\windows\temp\Perflib_Perfdata_478.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-12 77824]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]

c:\documents and settings\Mike Roy Auto\Start Menu\Programs\Startup\

OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2009 8:31 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2009 8:31 AM 20560]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.236.138.36/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Mike Roy Auto\Application Data\Mozilla\Firefox\Profiles\vibazv7k.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

AddRemove-BigFix - c:\windows\ISUNINST.EXE -fc:\program files\BigFix\Uninst.isu

AddRemove-Lexmark X6100 Series - c:\windows\system32\spool\drivers\w32x86\3\LXBFUN5C.EXE

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-14 20:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1356)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\system32\HPZipm12.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\OpenOffice.org 2.1\program\soffice.exe

c:\program files\OpenOffice.org 2.1\program\soffice.bin

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

.

**************************************************************************

.

Completion time: 2009-09-15 20:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-15 00:49

ComboFix2.txt 2009-09-14 06:02

Pre-Run: 66,137,145,344 bytes free

Post-Run: 66,154,446,848 bytes free

213 --- E O F --- 2009-09-11 18:28


Good job! Your computer appears to be clean now. :)

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 16, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to Java Runtime Environment (JRE) 6 Update 16, then follow these steps:

1. Download the latest JRE version from Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: "JRE 6 Update 16 - This special release provides a few key fixes", and click the Download button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 16 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version of the Sun Java Platform

12. If the Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

13. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

-

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\cb1231.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!

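Step 8 of the Java instructions above and item 1 of the follow-up measures both come down to the same check: are there leftover, older runtimes still registered on the machine? The script below is an added example, not something from the helper's post or from Malwarebytes; it reads the Add/Remove Programs registry entries that the Sun installers write, lists every Java runtime found, and flags each one that is older than the newest copy present. It assumes the standard Uninstall key layout and that the installer populated DisplayVersion (for example "6.0.160" for JRE 6 Update 16); it only reports and removes nothing, so the actual uninstall still goes through Add/Remove Programs as the post describes.

```powershell
# Added example (not from the forum post): inventory Java runtimes registered in
# Add/Remove Programs and flag the ones older than the newest copy installed.
# Assumptions: standard Uninstall key layout, DisplayVersion set by the installer.
# Written for PowerShell 2.0 syntax so it also runs on an older XP host. Report only.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit Windows only
)

$javaEntries = @()
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        # Sun/Oracle entries show up as "Java(TM) 6 Update 16", "J2SE Runtime Environment 5.0 ..." etc.
        if ($p.DisplayName -notmatch '^(Java|J2SE)') { continue }
        $parsed = $null
        try { $parsed = [version]$p.DisplayVersion } catch { }   # leave $null if unparsable
        $javaEntries += New-Object PSObject -Property @{
            Name    = $p.DisplayName
            Version = $p.DisplayVersion
            Parsed  = $parsed
            Key     = $sub.PSChildName
        }
    }
}

if ($javaEntries.Count -eq 0) {
    Write-Host 'No Java runtime is registered in Add/Remove Programs.'
    return
}

# The newest parsable version is the reference; everything below it is a leftover.
$newest = ($javaEntries | Where-Object { $_.Parsed -ne $null } |
           Sort-Object Parsed -Descending | Select-Object -First 1).Parsed

foreach ($e in $javaEntries) {
    $status = if ($e.Parsed -eq $null) { 'UNKNOWN VERSION - check manually' }
              elseif ($e.Parsed -lt $newest) { "OLDER than $newest - remove via Add/Remove Programs" }
              else { 'current' }
    '{0,-45} {1,-10} {2}' -f $e.Name, $e.Version, $status
}
```

Run it from a PowerShell prompt after the new JRE is installed; any line marked OLDER is a runtime that step 8 says to remove, and a line marked UNKNOWN VERSION is an entry whose version string the installer did not write in dotted form and should be looked at by hand.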

You're welcome! You were infected with a rogue security program called Total Security and Delf / Boaxxe which installs a driver and fake Firefox directory to hold the infection in place. The delf driver is randomly named so it is difficult to target.

http://www.threatexpert.com/report.aspx?md...d1d64cfe28116b7

As far as training to become a malware removal advisor - here is a list of forums that offer such programs:

Spywareinfoforum Boot Camp:

http://www.spywareinfoforum.com/index.php?showtopic=34

Malware Removal Forum training program at Bleeping Computer:

http://www.bleepingcomputer.com/forums/topic86678.html

Geek University at Geeks to Go

http://www.geekstogo.com/forum/index.php?a...&page=GeekU

Malware Removal University (you have to register to see the page):

http://www.malwareremoval.com/university.php

SpywareHammer's Academy offers one-on-one training with a mentor who is assigned to you:

http://spywarehammer.com/simplemachinesforum/index.php

If interested, you need to contact Bugbatter to request admittance but Register first.

http://spywarehammer.com/simplemachinesfor...ion=profile;u=9
