Jump to content

Infected once again


Recommended Posts

System information (Toshiba laptop PC, Windows XP Home, XP firewall, Internet Explorer 7, AVG 8.5 Free Edition, ZyXEL wired router)

Unfortunately, my PC has once again been under attack from viruses, which is frustrating after receiving (excellent) support from AdvancedSetup to clean it. I got infected this time after clicking on a link at an image hosting site (no it was not pornography, unless you consider movie cars as such). Strangely and as chance would have it, I experienced very similar symptoms with the initial infection to what I suffered the first time I needed help at this site.

No image appeared on the site and instead there was a black screen, followed by a message from Adobe Reader asking if I wanted to enable JavaScript (as I had turned it off for security reasons). I hadn't clicked on a PDF link so this was unexpected. I closed the window without allowing JavaScript to be enabled and straight away afterwards, I received a message that my XP Firewall was once again disabled. For the record, I hadn't got round to installing Online Armor Free, that AdvancedSetup recommended, as I was planning to buy new Firewall software in the next few days.

I quickly re-enabled it, closed Internet Explorer and then ran CCleaner to delete all temporary files. I then examined the Temp folder in the Local Settings folder and found that two files had survived. Once again I saw a familiar file from last time, called Serr.tmp, along with another .tmp file with an unrecognisable name. Soon afterwards, more .tmp files started to appear in the Temp folder and the number continued to grow. They had various names, some longer than others. Through a state of panic and dread, I started manually trying to delete them but several were protected (I could kill a few of them though). I then realised I needed to kill my internet connection (normally this is the first thing I do but I stupidly forgot) as more and more files were being downloaded. Many of the files were listed as letters of the alphabet and were simply labelled: a.tmp, b.tmp, c.tmp and so on.

During this, in the System Tray, an icon that looked like the Windows Security Centre red warning shield appeared. It was almost identical looking but looked a ever so slightly different in shape and colour. It kept bringing up a balloon saying that my PC had been infected by a virus. Closing it would only keep it away for a few seconds. At the same time, a window would pop-up trying to access a website. As I had switched off my router I don't know what this would have shown.

I ran MBAM soon after and it successfully managed to kill multiple viruses. Using Quick Scan, it found about 6-8 viruses near the beginning of the scan and then near the end, that number went right up. Two of them could only be removed on a reboot.

Upon reboot the system appeared clean and that bogus Security Centre icon had gone. I ran MBAM again, which didn't find anything. However, Windows Security Centre had been switched off, as had the firewall. I could switch the firewall back on after I received a warning that certain services had been stopped but Security Center doesn't show any status now. Nothing appears in System Tray and looking at its main window, there are no longer status panels for the firewall, Windows Updates or the Anti-Virus software. Also, on the left hand side of the window, in the Resources panel, "Change the way Security Centre alerts me" has been greyed out and disabled.

CheckDisk is working fine. System Restore will let me make a new Restore Point and even allow me to load an earlier one but upon a reboot, it always says that the restore has failed.

I also get an error on bootup that PadExe.exe has encountered a problem and has stopped working. Thankfully, I use a mouse so I can still use the PC but this is annoying nonetheless. Like my previous infection, I encountered this error before.

Lastly, upon reboot, I see the Temp folder always has the same two files/folders. I can delete them manually without trouble but they always return. There is one single file called FEE5E75C.TMP and one folder called WPDNSE. The folder is always empty. They return upon every reboot but the date and time are different each time they are newly created. They do not have the current date and time that the PC has started up. I don't know if these are something malicious or not.

I don't know if my system is clean and that the problems with Security Centre, System Restore and PadExe are down to damage. To be certain though, I ask again for your help. I've also realised not to visit image hosting sites in the future, no matter what the content, as it appears too risky.

Seeing as I am familiar with the initial details, I have copied and pasted the MBAM log that showed the viruses, followed by a HijackThis log.

MBAM log:

Malwarebytes' Anti-Malware 1.41

Database version: 2852

Windows 5.1.2600 Service Pack 3

29/09/2009 00:27:46

mbam-log-2009-09-29 (00-27-46).txt

Scan type: Quick Scan

Objects scanned: 98412

Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.

C:\Documents and Settings\user\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Unloaded process successfully.

C:\WINDOWS\msa.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\user\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\user\Local Settings\temp\UAC3ebf.tmp (Rootkit.TDSS) -> Delete on reboot.

C:\Documents and Settings\user\Local Settings\temp\UAC3ecf.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\user\Local Settings\temp\xomprqqowp.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\user\Local Settings\temp\d.exe (Trojan.Downloader) -> Delete on reboot.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:26:57, on 29/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\LTSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\NoAds\NoAds.exe

C:\Program Files\HACE\Mmm\Mmm.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\GetRight\GetRight.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"

O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 8397 bytes

Thanks again in advance for your help and I apologise for once more taking up your time.

Regards.

Link to post
Share on other sites

  • Root Admin

Hello,

Let's clean it up again and this time maybe think about changing around your security software.

Please run the following and post back the log.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

Hello again.

Sorry I couldn't respond sooner. I was experiencing bad internet performance for the entire day yesterday. Speeds were either erratic, jumping constantly from 200KB to 400KB a second, or I was seeing virtually dial-up modem performance as I couldn't get faster than 10KB a second. It varied wherever I was downloading from and I couldn't get my usual 8Mbit speed. MBAM took twenty minutes to get the latest update. According to my ISP, there were some serious problems on the network but the area they listed it in was nowhere near where I live. It seems a lot better now so I am assuming that my speed issues were not related to any infection, although I am not 100% certain.

I successfully ran ComboFix. It took a long time to finish up, longer than when I had used it for my first infection. I didn't switch off my router while running it and I could connect to this site fine after running it, without needing to reboot.

Here are the following logs.

ComboFix.txt:

ComboFix 09-09-29.02 - user 30/09/2009 7:26.3.1 - NTFSx86

Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\run.log

.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))

.

2009-09-29 23:59 . 2009-09-29 23:59 -------- d-----w- c:\program files\FLV Player

2009-09-29 23:20 . 2009-09-30 00:03 -------- d-----w- c:\documents and settings\user\Application Data\BID

2009-09-20 19:25 . 2009-09-20 21:37 -------- d-----w- c:\documents and settings\user\DoctorWeb

2009-09-13 02:38 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-13 02:38 . 2009-09-13 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-13 02:38 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes

2009-09-03 03:25 . 2009-09-03 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-31 21:37 . 2009-08-31 21:37 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-30 06:02 . 2007-06-28 00:17 -------- d-----w- c:\program files\GetRight

2009-09-29 23:20 . 2007-07-03 20:38 -------- d-----w- c:\program files\Bulk Image Downloader

2009-09-29 06:31 . 2008-04-20 17:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-29 06:28 . 2007-07-15 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-29 01:22 . 2007-12-29 12:48 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

2009-09-04 00:19 . 2005-05-27 22:46 -------- d-----w- c:\program files\ahead

2009-09-03 23:36 . 2003-12-03 15:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-03 23:36 . 2007-08-13 07:14 -------- d-----w- c:\program files\Real

2009-09-03 23:32 . 2008-03-11 21:50 -------- d-----w- c:\program files\Meridian Advance

2009-09-03 01:45 . 2009-04-16 05:46 -------- d-----w- c:\program files\PicaLoader

2009-08-24 02:17 . 2009-02-27 16:43 123 ----a-w- C:\drmHeader.bin

2009-08-21 10:05 . 2009-07-17 17:33 -------- d-----w- c:\documents and settings\user\Application Data\Free Audio Editor

2009-08-21 05:10 . 2008-06-19 10:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-21 05:10 . 2008-06-19 10:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-21 05:10 . 2008-06-19 10:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\eventlog.dll

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NoAds"="c:\program files\NoAds\NoAds.exe" [2007-10-27 151552]

"Mmm"="c:\program files\HACE\Mmm\Mmm.exe" [2005-07-05 828416]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-05-23 253952]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 122880]

"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 1019904]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]

"LTSMMSG"="LTSMMSG.exe" - c:\windows\ltsmmsg.exe [2003-04-18 32768]

"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-15 73728]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-27 266240]

"TFncKy"="TFncKy.exe" [bU]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 809488]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2007-6-28 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-21 05:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [x]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-21 335240]

S1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2008-05-24 53760]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-21 297752]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.live.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-30 07:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2888162382-313132713-241459312-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(424)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

Completion time: 2009-09-30 7:38

ComboFix-quarantined-files.txt 2009-09-30 06:37

Pre-Run: 2,550,685,696 bytes free

Post-Run: 2,524,905,472 bytes free

125

ComboFix-quarantined-files.txt:

2009-09-30 06:32:07 . 2009-09-30 06:32:07 6,656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-09-30 06:24:47 . 2009-09-30 06:24:47 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2009-09-28 23:12:30 . 2009-09-28 23:12:30 10 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\run.log.vir

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:06:52, on 30/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\LTSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\NoAds\NoAds.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"

O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" (User '?')

O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe" (User '?')

O4 - HKUS\S-1-5-21-2888162382-313132713-241459312-1006\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238014490265

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 8537 bytes

I saw that error again when I tried to do a scan and log in HijackThis. It brings up an error window shortly after running a scan and then carries on after I have clicked Yes or No to send off a bug report. I haven't actually sent off a report because I didn't want to risk it interfering with the IE window I already had running (I ran HJT as I was making this post). I don't know if this error occurs because I have IE running but the error only shows up the first time and doesn't affect the scan. This time I have actually written it down and is shown as follows (I have left out certain text outside of the error code):

An unexpected error has occurred at procedure: modRegistry_IniGetString (sFile=system.ini, sSection=boot, sValue=Shell)

Error #5 - Invalid procedure call or argument

Thank you once again for your assistance.

Regards.

Link to post
Share on other sites

  • Root Admin

Please fully uninstall Spybot S&D for now.

Click on START - RUN and copy/paste the following into the run line at hit OK

CMD /C COPY c:\windows\$NtServicePackUninstall$\eventlog.dll C:\WINDOWS\SYSTEM32

Then run the following.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Then from within Internet Explorer click on Tools/Internet Options/Advanced and click on the RESET button.

Now RESTART THE COMPUTER.

Then run the following

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

Then click on START - RUN and copy/paste into the run line and hit OK

notepad c:\windows\system.ini

Then select all and copy/paste the contents back here on your next reply.

Then click on START - RUN and copy/paste into the run line and hit OK

notepad c:\windows\win.ini

Then select all and copy/paste the contents back here on your next reply.

Link to post
Share on other sites

Spybot was successfully uninstalled, although I had to delete an associated folder in Documents & Settings. I forgot to check Program Files until after I did all these scans and deletions. There are lots of files still in there. This may have been caused by an old Restore Point as I was unable to uninstall Spybot until I installed a new version one day before I got the recent virus infection. I didn't have TeaTimer activated, just the added Internet Explorer protection. This aside, I hadn't noticed any trouble running the tasks you asked me to do and IE7 looks like it was when I first installed it.

Java was also successfully uninstalled. I needed to manually delete Sun folders from several places after running JavaRa. In Documents & Settings, I also found the Sun folder in the "Administrator" and "Default User" folders, as well as "All Users" and "user". I removed those as well, seeing as you said to remove all versions of Java.

Here is JavaRa.log:

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Oct 01 01:19:17 2009

Found and removed: SOFTWARE\Classes\JavaPlugin.150_03

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410200

Found and removed: SOFTWARE\Classes\JavaPlugin.142

------------------------------------

Finished reporting.

Next up is the latest MBAM log. I have run MBAM several times since the recent infection. Other than the first log I posted in this thread, MBAM has not detected anything:

Malwarebytes' Anti-Malware 1.41

Database version: 2879

Windows 5.1.2600 Service Pack 3

01/10/2009 02:09:56

mbam-log-2009-10-01 (02-09-56).txt

Scan type: Quick Scan

Objects scanned: 98398

Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Next is System.ini:

; for 16-bit app support

[drivers]

wave=mmdrv.dll

timer=timer.drv

[mci]

[driver32]

[386enh]

woafont=app850.FON

EGA80WOA.FON=EGA80850.FON

EGA40WOA.FON=EGA40850.FON

CGA80WOA.FON=CGA80850.FON

CGA40WOA.FON=CGA40850.FON

Next is win.ini:

; for 16-bit app support

[fonts]

[extensions]

[mci extensions]

[files]

[Mail]

MAPI=1

[MCI Extensions.BAK]

aif=MPEGVideo

aifc=MPEGVideo

aiff=MPEGVideo

asf=MPEGVideo2

asx=MPEGVideo2

au=MPEGVideo

m1v=MPEGVideo

mp2=MPEGVideo

mp2v=MPEGVideo

mpa=MPEGVideo

mpe=MPEGVideo

mpeg=MPEGVideo

mpg=MPEGVideo

mpv2=MPEGVideo

snd=MPEGVideo

wax=MPEGVideo2

wm=MPEGVideo2

wma=MPEGVideo2

wmv=MPEGVideo2

wmx=MPEGVideo2

wvx=MPEGVideo2

wpl=MPEGVideo

m2v=MPEGVideo

mod=MPEGVideo

mp3=MPEGVideo

m3u=MPEGVideo

[RAD Video Tools]

Path=C:\Documents and Settings\user\My Documents\RRogueTrooperAddons\Rogue Trooper Addons\trtraa\Sounds\Streams

BinkComp=/d650000 /m3.0 /l4 /p8

BinkMix=

SmackComp=/l104

SmackMix=/l104

BinkPlay=

SmackPlay=

BinkConv=/v

X=212

Y=123

W=563

H=538

[bOP]

forcemono=off

screensave=on

click=on

[MSUCE]

Advanced=0

CodePage=Unicode

Font=Arial

Rogue Trooper is a game and I had copied the movies to My Docs to view separately from the game. I'm not sure why the Pathname for it is still there though as neither the game nor the movies are currently on my hard disk.

After deleting Java, resetting IE7 and rebooting the PC, I see that Windows Security Centre is active again. The status panels for the Firewall, Windows Update and Virus Protection are visible once more, as is the red warning shield in the System Tray (because I have disabled Windows Updates).

I also got a notification window, upon bootup, saying that Adobe Flash Player had an update. I guess that was just coincidence and probably because I had previously told it to remind me later after 30 days.

Thanks again.

Link to post
Share on other sites

  • Root Admin

Okay, let's get an AV scan from NOD32 then.

How is the computer running now? Are there still signs of an infection?

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 16.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java SE Runtime Environment (JRE) - JRE 6 Update 16 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u16-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Anvirisus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Link to post
Share on other sites

The PC seems to be running fine so far. I haven't seen (or heard) any signs of anything nasty. I haven't yet tried performing a System Restore (after making a new Restore Point where things seem okay) to see if a Restore op will actually work once again.

The PC did appear to hang two days ago briefly. This happened during initial bootup, where you get to the Logon screen. The Windows screen saver came on as I had gone off to do something else while I was waiting for it to boot up (I often see plenty of disk access at the Logon screen so I prefer to let it do what it wants to before I log in and cause it to load up yet more). I moved the mouse and the screen went completely black. Nothing happened for just under a minute. No disk access or anything. Normally the screen saver will disappear straight away as soon as I move the mouse. However, I deliberately left it today so the screen saver would come on at the Logon screen and this time it responded fine.

Here is the log for NOD32:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=cf5e79d1be913942bfcccf9d9a7fda7f

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2009-10-01 08:31:05

# local_time=2009-10-01 09:31:05 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1026 21 66 100 35976343437500

# scanned=382104

# found=0

# cleaned=0

# scan_time=11458

I also ran Dr. Web (although I didn't update it as I don't really know what "launch.exe" is) and that didn't find anything either. I ran that because I remember that picking up something that other software had missed during the last infection I got. I downloaded it again as I remember you asking me to use that last time, and wanted to see if anything new would appear.

Regards.

Link to post
Share on other sites

  • Root Admin

Well difficult to tell. Computers can be finicky and with so many different versions of software and drivers it's a wonder they work at all.

1. Keep all Microsoft security updates up to date

2. Keep Anti-Virus up to date and always running

3. A paid version of MBAM can also help to prevent this from happening.

Uninstall the combofix as before..

Let me leave you with this though for working on speeding up the computer.

Computer and browser slowness are not always malware related

Poor performance and other problems can be the result of disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

Listed below are a few things you can do to improve speed and system performance. Many of the these suggestions will apply if you're using Windows Vista but may be done a bit differently. Near the bottom of this thread there is a section specifically devoted to Vista Users.

For browser problems, see:

If your having connectivity issues or errors such as Page cannot be displayed see

If you're using Vista or Internet Explorer 7, see

If you have a lot of toolbars and add-ons attached to Internet Explorer, you could try improving performance by disabling those which are unecessary. See:

Link to post
Share on other sites

Thank you for all of those tips. They will come in handy if I ever need to reinstall Windows on this PC or buy a new machine. This laptop is old now (dated late 2003) but I do very little PC gaming, so have never felt truly pushed to replace it. It feels like it was limited from the very beginning though as the graphics chip can't handle very much. I had to upgrade the RAM to improve performance but even now, any webpages with Flash animations cause the PC to become sluggish. Even simple things like mouse wheel scrolling becomes laboured if Flash ads are on the page.

Seeing as one of the main viruses that infected my PC this time was identical or related to the one that infected my PC before, when I needed your help, is it worth running any of the other commands that you advised me to do in my other thread? Commands such as flushing the DNS, resetting the firewall, IP reset and so on? Would it cause a problem if I did it just to be on the safe side? If I was worried about router security the last time round, could I not be under the same threat again (even though I never kept the default password)?

I'll certainly be buying the registered version of MBAM as it has done a fantastic job in finding lots of nasties (and just as importantly, killing them). I'm thinking I may need to buy better anti-virus software as well. I am currently using AVG 8.5 Free but haven't really tried anything else other than sluggish Norton Internet Security. Is there one you would recommend? Just as importantly, is there a firewall you would recommend buying? Are "Internet Suites" that have a firewall and anti-virus by the same developer better than separate ones, due to not needing multiple software engines running, or does it not really matter? ZoneAlarm Pro is supposed to be a good firewall but I always read that their anti-virus software is lacking.

Thanks again.

Link to post
Share on other sites

  • Root Admin

Well the Avira FREE version works quite well I think (no official tests but for me seems to work much better than AVG, YMMV)

ZoneAlarm used to be a great product but now days it's a pig and very problematic.

If you follow along with that big article there are a lot of nice tips and tricks to speed up your PC especially because it's old and needs cleaning, trimming of the fat so to speak.

No, I've never heard of any router attacks that were able to bypass a password as long as it was not an easy one to guess.

For the most part IMHO a lot of this firewall discussion is a bit misleading. The reason I think so is that port scanning or getting Malware onto your box is not going to be stopped by a firewall alone. Having a firewall that you watch and pay attention to might at times show you that something is on your box and is trying to get out and it might stop it. That's good, but a lot of the current Malware comes right onto the box via mail or P2P or Web browsing which a firewall that you can afford isn't going to do much about. Even the multi-thousand dollar Cisco hardware firewalls can't stop a lot of this stuff any better. Then when it gets on your box it often kills the firewall and any Anti-Virus and Anti-Malware software it can find.

So yes it's good to have an inbound/outbound monitoring firewall but it's not the end all fix that some think it is.

The choice for a firewall though has become quite limited these days as many of them are not what they used to be. They've branched out into Anti-Malware and Anti-Virus suites themselves.

This one is supposed to still be pretty good: Online Armor Free

Link to post
Share on other sites

ComboFix has been successfully uninstalled I believe. I did actually get worried at first that it was going to start scanning and cleaning again. Even though I used the /u switch, it was telling me it was about to run and to disable my anti-virus. I didn't disable AVG and instead of clicking the OK button on ComboFix's windows I was trying to close them. It ran anyway without my attempts to close the windows the normal way and appeared to uninstall, despite not switching off AVG or pressing OK.

Is there anything else I need to do at this point? Is it worth running any of the other commands that you posted for my other thread, due to the infection behaving in a similar fashion, such as the following:

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

CMD /C NETSH FIREWALL RESET

CMD /C NETSH int ip reset c:\resetlog.txt

CMD /C IPCONFIG /flushdns

CMD /C arp -d *

CMD /C netstat -a >C:\connections.txt

CMD /C fsutil fsinfo statistics c: >c:\drivestats.txt

As for the firewall, I'll most likely give ZoneAlarm Pro a miss. I'll use Online Armour Free for now but looking at the extra functions provided by the paid version makes me think I should at least buy a firewall to get added protection. ZoneAlarm did get good reviews but if you say it has become bloated then I doubt it will be much more pleasant to use than Norton's offering, which caused my PC to sweat. As you say though, there is only so much they can do. The main virus that got onto my system from the website dropped right in, past AVG's nose and then deliberately switched off XP's firewall. I wouldn't be surprised if it could do that with Norton, McAfee and ZoneAlarm.

Regards.

Link to post
Share on other sites

  • Root Admin

Yep, once they slip in they often don't seem to have an issue shutting off any other program they want to shut off.

It's up to you but probably not really needed to run those, but no harm either. Always good to know what's on your system and how it's running.

Okay I'll close your post then and if you need further assistance please make a new post.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.