Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

My computer is in trouble!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: My computer is in trouble!

Unread postby Jlitening » March 12th, 2008, 2:30 am

Hi Dan,
Here are the scan results for the 5 files. The 4th one didn't produce a scan, but I copied the brief text.
Thanks again for everything!

File sryfmzcb.dll received on 03.12.2008 06:37:39 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 4/32 (12.5%)
Loading server information...
Your file is queued in position: 10.
Estimated start time is between 70 and 100 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.12.0 2008.03.12 -
AntiVir 7.6.0.73 2008.03.11 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.11 -
Avast 4.7.1098.0 2008.03.11 -
AVG 7.5.0.516 2008.03.11 -
BitDefender 7.2 2008.03.12 -
CAT-QuickHeal 9.50 2008.03.10 -
ClamAV 0.92.1 2008.03.11 -
DrWeb 4.44.0.09170 2008.03.11 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5607 2008.03.11 -
Ewido 4.0 2008.03.11 -
FileAdvisor 1 2008.03.12 -
Fortinet 3.14.0.0 2008.03.12 -
F-Prot 4.4.2.54 2008.03.11 -
F-Secure 6.70.13260.0 2008.03.12 -
Ikarus T3.1.1.20 2008.03.12 -
Kaspersky 7.0.0.125 2008.03.12 Trojan.Win32.Obfuscated.gx
McAfee 5249 2008.03.11 -
Microsoft 1.3301 2008.03.12 Trojan:Win32/Virtumonde.R
NOD32v2 2939 2008.03.12 -
Norman 5.80.02 2008.03.11 -
Panda 9.0.0.4 2008.03.12 -
Prevx1 V2 2008.03.12 -
Rising 20.35.12.00 2008.03.11 -
Sophos 4.27.0 2008.03.12 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.12 -
TheHacker 6.2.92.243 2008.03.12 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.11 -
Webwasher-Gateway 6.6.2 2008.03.11 Trojan.Crypt.XPACK.Gen
Additional information
File size: 177664 bytes
MD5: 2cb1b88427497a14b836ea8f56f6c5ce
SHA1: 4435eb5ff34b246aeaeb2e49cdce337ad745c7d0
PEiD: -
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

File mlqpexyz.exe received on 03.12.2008 06:53:50 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 14/32 (43.75%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.12.0 2008.03.12 -
AntiVir 7.6.0.73 2008.03.11 TR/Crypt.FKM.Gen
Authentium 4.93.8 2008.03.11 -
Avast 4.7.1098.0 2008.03.11 -
AVG 7.5.0.516 2008.03.11 SHeur.AXUS
BitDefender 7.2 2008.03.12 -
CAT-QuickHeal 9.50 2008.03.10 Hoax.Renos.bbw (Not a Virus)
ClamAV 0.92.1 2008.03.11 -
DrWeb 4.44.0.09170 2008.03.11 -
eSafe 7.0.15.0 2008.03.09 suspicious Trojan/Worm
eTrust-Vet 31.3.5607 2008.03.11 -
Ewido 4.0 2008.03.11 -
FileAdvisor 1 2008.03.12 -
Fortinet 3.14.0.0 2008.03.12 -
F-Prot 4.4.2.54 2008.03.11 -
F-Secure 6.70.13260.0 2008.03.12 not-virus:Hoax.Win32.Renos.bbw
Ikarus T3.1.1.20 2008.03.12 Trojan.Crypt.FKM
Kaspersky 7.0.0.125 2008.03.12 not-virus:Hoax.Win32.Renos.bbw
McAfee 5249 2008.03.11 -
Microsoft 1.3301 2008.03.12 TrojanDownloader:Win32/Renos.CR
NOD32v2 2939 2008.03.12 -
Norman 5.80.02 2008.03.11 -
Panda 9.0.0.4 2008.03.12 Adware/SpyAway
Prevx1 V2 2008.03.12 Malware.Sys.Covert
Rising 20.35.12.00 2008.03.11 -
Sophos 4.27.0 2008.03.12 Troj/FakeAle-AR
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.12 Trojan.Fakeavalert
TheHacker 6.2.92.243 2008.03.12 Aplicacion/Renos.bbw
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.11 -
Webwasher-Gateway 6.6.2 2008.03.11 Trojan.Crypt.FKM.Gen
Additional information
File size: 88593 bytes
MD5: 201346bb5eda809d7cc37dcbce70d2ed
SHA1: ca7a0d6cf2b77c584786c21becb3b86d213481b2
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext. ... 00DA9D2A65

File cbuxkjan.exe received on 03.12.2008 07:01:14 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 6/32 (18.75%)
Loading server information...
Your file is queued in position: 10.
Estimated start time is between 70 and 100 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.12.0 2008.03.12 -
AntiVir 7.6.0.73 2008.03.11 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.11 -
Avast 4.7.1098.0 2008.03.11 -
AVG 7.5.0.516 2008.03.11 -
BitDefender 7.2 2008.03.12 -
CAT-QuickHeal 9.50 2008.03.10 -
ClamAV 0.92.1 2008.03.11 -
DrWeb 4.44.0.09170 2008.03.11 -
eSafe 7.0.15.0 2008.03.09 suspicious Trojan/Worm
eTrust-Vet 31.3.5607 2008.03.11 -
Ewido 4.0 2008.03.11 -
FileAdvisor 1 2008.03.12 -
Fortinet 3.14.0.0 2008.03.12 -
F-Prot 4.4.2.54 2008.03.11 -
F-Secure 6.70.13260.0 2008.03.12 Trojan.Win32.Obfuscated.gx
Ikarus T3.1.1.20 2008.03.12 -
Kaspersky 7.0.0.125 2008.03.12 Trojan.Win32.Obfuscated.gx
McAfee 5249 2008.03.11 -
Microsoft 1.3301 2008.03.12 -
NOD32v2 2939 2008.03.12 -
Norman 5.80.02 2008.03.11 -
Panda 9.0.0.4 2008.03.12 -
Prevx1 V2 2008.03.12 -
Rising 20.35.12.00 2008.03.11 Packer.Win32.Mian007.a
Sophos 4.27.0 2008.03.12 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.12 -
TheHacker 6.2.92.243 2008.03.12 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.11 -
Webwasher-Gateway 6.6.2 2008.03.11 Trojan.Crypt.XPACK.Gen
Additional information
File size: 43008 bytes
MD5: 0f011e63381794be99d8249c45a50997
SHA1: 60f769a358c56ff61a8de642a12cb4110df1f9ba
PEiD: -
packers: UPX
packers: PE_Patch.UPX, UPX


C:\WINDOWS\njuqccse

0 bytes size received / Se ha recibido un archivo vacio


File didduid.ini received on 03.12.2008 07:14:51 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 45 and 65 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.3.12.0 2008.03.12 -
AntiVir 7.6.0.73 2008.03.11 -
Authentium 4.93.8 2008.03.11 -
Avast 4.7.1098.0 2008.03.11 -
AVG 7.5.0.516 2008.03.11 -
BitDefender 7.2 2008.03.12 -
CAT-QuickHeal 9.50 2008.03.10 -
ClamAV 0.92.1 2008.03.11 -
DrWeb 4.44.0.09170 2008.03.11 -
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5607 2008.03.11 -
Ewido 4.0 2008.03.11 -
FileAdvisor 1 2008.03.12 -
Fortinet 3.14.0.0 2008.03.12 -
F-Prot 4.4.2.54 2008.03.11 -
F-Secure 6.70.13260.0 2008.03.12 -
Ikarus T3.1.1.20 2008.03.12 -
Kaspersky 7.0.0.125 2008.03.12 -
McAfee 5249 2008.03.11 -
Microsoft 1.3301 2008.03.12 -
NOD32v2 2939 2008.03.12 -
Norman 5.80.02 2008.03.11 -
Panda 9.0.0.4 2008.03.12 -
Prevx1 V2 2008.03.12 -
Rising 20.35.12.00 2008.03.11 -
Sophos 4.27.0 2008.03.12 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.12 -
TheHacker 6.2.92.243 2008.03.12 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.11 -
Webwasher-Gateway 6.6.2 2008.03.11 -
Additional information
File size: 26368 bytes
MD5: 8ffbf275b6f4ce5151ecf03a6f357621
SHA1: 2edc9bf523bccf8a12b96e431e10c1e05b42dffc
PEiD: -
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm
Advertisement
Register to Remove

Re: My computer is in trouble!

Unread postby dan12 » March 12th, 2008, 5:27 am

Have you decided to keep viewpoint?

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/ ... s-i586.cab

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\sryfmzcb.dll
C:\WINDOWS\mlqpexyz.exe
C:\WINDOWS\cbuxkjan.exe
C:\WINDOWS\didduid.ini
   
    Dir look::
C:\WINDOWS\njuqccse

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Your Java is out of date Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of [URL=http://java.sun.com/javase/downloads/index.jsp] Java Runtime Environment (JRE) 6 Update 5/URL].
  • Scroll down to where it says " Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Jlitening » March 13th, 2008, 12:46 am

Hi Dan,

I followed your instructions all the way to rebooting the computer. After the Hijackthis fix, I exited the screen and there was an Active Desktop Recovery/white background but the desktop was still there. I continued with your instructions to download the new java and remove the old version. I got to the point where I rebooted the system and upon restart the desktop icons were gone. I have icons in the tray (AOL, Symantec, Spyware Doctor and Quick Time) but I can't get anything to run via the start button. The only message I got after trying to open AOL via Start was "Windows cannot find '(null)'. Make sure you typed the name correctly and then try again. To search for a file, click the Start button and then click Search." I can open the Start menu, but nothing will come up.

I'm on a second computer right now since I can't get anything to work on the one we were cleaning.

What do I do now?

Thanks......

Rhonda
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 13th, 2008, 5:53 am

Were you able to carry out the cf script I gave you,do you have the cf log?
Are you able to give me a hjt log?
Was everything ok before you started this last set of instruction?
Any information you have regarding any error messages any prompts, what they say, will help a little to try and resove this
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Jlitening » March 13th, 2008, 8:34 am

Hi Dan,

After several attempts to restore my active desktop I gave it a rest and tried later. This time I was able to get my desktop recovered upon restart (hard reboot) but decided to reinstall Viewpoint Media Player after a prompt that said "Viewpoint Media Player is used to display content, including Super Buddies and desktop themes.

The computer seemed to be running normally prior to the most recent set of instructions except it was performing slowly.

Here is the most recent log of CFScript - I did run the fix. I need to reinstall Java now, but wanted to post this quickly since my computer is back up.
I also completed the HJT instructions and will post a new one in my next thread.

ComboFix 08-03-09.1 - Doug Allen 2008-03-12 20:40:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.534 [GMT -7:00]
Running from: C:\Documents and Settings\Doug Allen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doug Allen\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\cbuxkjan.exe
C:\WINDOWS\didduid.ini
C:\WINDOWS\mlqpexyz.exe
C:\WINDOWS\sryfmzcb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cbuxkjan.exe
C:\WINDOWS\didduid.ini
C:\WINDOWS\mlqpexyz.exe
C:\WINDOWS\sryfmzcb.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-10 23:17 . 2008-03-10 23:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 23:17 . 2008-03-10 23:17 <DIR> d-------- C:\Documents and Settings\Doug Allen\Application Data\Malwarebytes
2008-03-10 23:17 . 2008-03-10 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 22:59 . 2008-03-10 22:59 <DIR> d-------- C:\Program Files\CCleaner
2008-03-09 20:19 . 2008-03-09 20:19 <DIR> d-------- C:\Program Files\MetaStream
2008-03-08 12:00 . 2008-03-08 12:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 08:56 . 2008-03-08 08:56 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 08:56 . 2008-03-12 07:10 <DIR> d-------- C:\Program Files\stc
2008-03-08 08:41 . 2008-03-08 08:41 <DIR> d-------- C:\WINDOWS\njuqccse
2008-03-08 08:41 . 2008-03-08 08:41 295,819 --a------ C:\WINDOWS\system32\LB4D0.tmp
2008-03-08 08:41 . 2008-03-08 08:41 229,532 --a------ C:\WINDOWS\system32\LA5AD.tmp
2008-02-18 04:51 . 2008-03-12 17:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 04:10 . 2008-03-12 17:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-18 04:10 . 2008-02-18 04:10 <DIR> d-------- C:\Documents and Settings\Doug Allen\Application Data\PC Tools
2008-02-18 04:10 . 2008-02-18 04:11 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-18 04:10 . 2008-02-18 04:11 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-18 04:10 . 2007-10-18 01:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-18 04:10 . 2007-10-18 01:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-18 04:06 . 2005-09-23 09:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-09 22:58 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-09 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-09 02:06 --------- d-----w C:\Program Files\Common Files\aol
2008-02-09 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-03 20:02 --------- d-----w C:\Program Files\The Learning Company
2008-02-03 19:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 19:11 --------- d-----w C:\Program Files\Scholastic
2008-02-03 19:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 05:01 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\Viewpoint
2008-01-18 06:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-17 04:47 --------- d-----w C:\Program Files\Disney Interactive
2008-01-16 00:35 10,920 ----a-w C:\aolconnfix.exe
2008-01-16 00:35 --------- d-----w C:\Documents and Settings\Doug Allen\Application Data\AOL
.

((((((((((((((((((((((((((((( snapshot@2008-03-11_ 7.31.43.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40 124656]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 13:01 5513216]
"HostManager"="C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe" [2007-05-25 10:16 42032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-04 13:14 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 18:39 32881]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 18:24 1065800]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1199417669\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys [2008-01-03 13:32]

*Newly Created Service* - APPMGMT
*Newly Created Service* - ATWPKT2
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 20:42:32
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 20:43:28
ComboFix-quarantined-files.txt 2008-03-13 03:43:24
ComboFix2.txt 2008-03-11 14:32:17
ComboFix3.txt 2008-03-09 22:54:08
.
2008-03-12 10:01:07 --- E O F ---
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby Jlitening » March 13th, 2008, 8:37 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:34 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\update.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199417669\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6189 bytes
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 13th, 2008, 8:55 am

Ok, looking good will await the log :D
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Jlitening » March 13th, 2008, 11:05 pm

Hi Dan,

Both the HJT and CFScript logs are posted above. Is there anything else I should do?

I ran a Spyware Doctor scan and it came up clean! Should I run other Antispyware programs to avoid this in the future?

Thanks,

Rhonda/Jlitening
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 14th, 2008, 3:01 am

Hi,Jlitening,

Both the HJT and CFScript logs are posted above
must of been having a blonde moment!! :?

UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.



Close all windows and try typing this command directly in and see if ComboFix runs.

Remember to use the " marks and there is a space between exe" and /killall

Start > Run > type "%userprofile%\desktop\combofix.exe" /killall

If ComboFix runs, please post the log.

let me know when you done this.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Jlitening » March 15th, 2008, 12:26 am

Hello Dan,

ComboFix has successfully been uninstalled. It did not run when the command was typed in the run box.

Rhonda
Jlitening
Active Member
 
Posts: 14
Joined: March 8th, 2008, 7:44 pm

Re: My computer is in trouble!

Unread postby dan12 » March 15th, 2008, 6:16 am

Well done! hope all is well.

Congratulations you are clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Create a new System Restore Point
This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here
Find here changes from older version 1.4 here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing!

Dan :D
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby dan12 » March 17th, 2008, 5:10 pm

Edit posted in error!
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: My computer is in trouble!

Unread postby Gary R » March 17th, 2008, 6:59 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware