New Malware.j

Re: New Malware.j

Post by vasa129 » March 25th, 2008, 8:03 pm

News keeps getting worse... I have been unable to use my Task Manager since this issue started. Every time I get an error that says
"Task Manager has been disabled by your administrator"
:oops:
vasa129
Regular Member
 
Posts: 22
Joined: March 23rd, 2008, 9:57 am

Re: New Malware.j

Post by dan12 » March 25th, 2008, 8:26 pm

As we're having a few problems, I'd like to check a couple of things out which could help us.
OK, so let's leave the post we were having problems with; we will come back to it.

Download and Install CCleaner
  • Download CCleaner from here . Choose the Slim version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish

-------------------------------

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
(Do not use the Registry block to clean anything with this program. It is for experts only and it is risky.)
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites you regularly visit or do business with), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

----------------------------------

Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

-------------------------------

  • Download a diagnostic tool (MGADiag.exe) from >here< and save this to your Desktop.
  • Double-click on MGADiag.exe.
  • When the program has finished, click on the Validation tab and then click on Copy to Clipboard
  • Please post the results in your next reply

Please include in your next post:
  • uninstall list
  • diagnostic report

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: New Malware.j

Post by vasa129 » March 26th, 2008, 9:00 pm

Hi Dan

I ran CCleaner - here is that list

ABBYY FineReader 6.0 Sprint
Adobe Acrobat 4.0, 5.0
Adobe Flash Player ActiveX
Adobe Shockwave Player
Advanced Drawing
ArcSoft Camera Suite 1.3
Atomic Pop
Bat
BlasterBall Wild
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
ClickArt® 10,000 Image Pack
ClickArt® Gallery
Comcast Toolbar
Creative PC-CAM Center Lite
Creative WebCam Monitor
Creative WebCam NX Driver (1.02.01.0827)
Creative WebCam NX User's Guide (English)
DarkOrbit
Detto Migration Kit
Easy Internet Sign-up
GE 97769 Dual Scroll Optical Mouse
GemMaster
HijackThis 2.0.2
hp center
HP Instant Support
HP Photo Printing Software
HP RecordNow
Inactive HP Printer Drivers (Remove only)
Inactive HP ScanJet Drivers (Remove only)
KazooStudio
KBD
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark 5400 Series
Lexmark Fax Solutions
Lexmark Toolbar
McAfee SecurityCenter
Microsoft Money 2001
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Works 6.0
Microsoft Works and Money 2001 Setup Launcher
MovieEdit Task
MUSICMATCH Jukebox
My Photo Center
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PhotoStitch
PigPen
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickTime
RAW Image Task 1.1
RemoteCapture Task 1.0.3
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
SabreWing 2
Solitaire Master
Solitaire Master Game
Speedway
Tcl 8.0.5 for Windows
War Games Virtual Warfare Demo
WebFldrs XP
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
Works Suite OS Pack
Zuma Deluxe 1.0

I downloaded MGADiag, but when I click on it to run, there is no Validation tab; in fact it says "validation control not installed".
vasa129
Regular Member
 
Posts: 22
Joined: March 23rd, 2008, 9:57 am

Re: New Malware.j

Post by dan12 » March 27th, 2008, 5:39 am

Haven't forgotten you, hope to be back with you later. :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: New Malware.j

Post by dan12 » March 27th, 2008, 8:32 pm

OK, can we try to run the diagnostic tool again, as I've looked at the point you raised.
Double click on the program icon. Select "Continue." Next, the Windows tab should open with a report in it. Select the "Copy" button. Open Notepad and paste the contents of the clipboard into a Notepad text file and save it to your Desktop. Paste the contents of that text file into a reply in this topic.
If this fails we need to get Service Pack 1 on this machine, as it is sadly lacking. Otherwise we will be going round chasing our tails.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: New Malware.j

Post by vasa129 » March 27th, 2008, 9:01 pm

Hi Dan

here is the report

Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.0.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {4D737231-E6A9-41E3-B371-59DCD8E02143}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4D737231-E6A9-41E3-B371-59DCD8E02143}</UGUID><Version>1.7.0069.0</Version><OS>5.1.2600.2.00010300.0.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-1567011825-1376643981-488748980</SID><SYSTEM><Manufacturer>HP Pavilion 04</Manufacturer><Model>P6370A-ABA 7936</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>3.08 </Version><SMBIOSVersion major="2" minor="31"/><Date>20010831******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>47493A0F01842049</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57010</Pid><PidType>14</PidType></Product><Product GUID="{90170409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office FrontPage 2003</Name><Ver>11</Ver><Val>5EA9C3672EB0500</Val><Hash>GZD+9sfb5ecL3RxyV4F75a86u2M=</Hash><Pid>72079-640-0000106-55464</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>
vasa129
Regular Member
 
Posts: 22
Joined: March 23rd, 2008, 9:57 am

Re: New Malware.j

Post by dan12 » March 27th, 2008, 9:29 pm

Let's get sp1a installed then look at what we have.

Please download and install XP SP1a.

Select the language of your operating system and click Go to download it.

Restart the computer for changes to take effect.

Please post back a new HijackThis log after installing XP SP1a.

If you have problems downloading and installing, please let me know.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: New Malware.j

Post by vasa129 » March 28th, 2008, 8:10 pm

Hi Dan

Ok, XP SP1 is downloaded.

Here is the new HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:07 PM, on 3/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/oneclickfix/tgctlsr.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://playgames.comcast.net/online2/pi ... 0.0.32.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://playgames.comcast.net/online2/go ... dfever.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8135 bytes
vasa129
Regular Member
 
Posts: 22
Joined: March 23rd, 2008, 9:57 am
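The HijackThis log above is read by eye in this thread; the script below is an added example (not part of HijackThis, the forum, or the poster's machine) that shows how a reviewer's first pass can be written down as code. It parses three line types from the log: the F2 Userinit value, whose clean form lists only userinit.exe, so any appended program is worth checking; O2 BHO entries that end in "(no file)", which are orphaned registrations; and O4 Run values that carry no absolute path, which the log cannot verify. SAMPLE_LOG is made only of lines copied from the log posted above, so the script runs offline. A hit means "review this", not "this is malware".

```python
"""Triage a HijackThis v2 log for a few persistence indicators.

Added example for this thread; it is not part of HijackThis or the forum.
SAMPLE_LOG consists of lines copied from the log posted in the thread, so
the script runs offline. The checks are deliberately conservative: a hit
means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag: "F2", "O2", "O4"
    reason: str
    line: str


USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def userinit_extras(value: str) -> List[str]:
    """Return every comma-separated Userinit entry other than userinit.exe.

    A clean value is a single "<path>\\userinit.exe," entry. Winlogon runs
    each listed program at logon, so an appended executable is a classic
    persistence location and deserves a look.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group(1)):
                findings.append(Finding("F2", f"extra Userinit program: {extra}", line))
            continue
        m = BHO_RE.match(line)
        if m:
            # "(no file)": the CLSID is registered but its DLL is gone, which
            # is a leftover of something removed and a cleanup candidate.
            if m.group(3).strip().lower() == "(no file)":
                findings.append(Finding("O2", f"orphaned BHO registration {m.group(2)}", line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(4).strip().lstrip('"')
            # A bare file name is resolved through the search path at logon,
            # so the log alone cannot say which binary actually runs.
            if not DRIVE_PATH_RE.match(cmd) and not cmd.lower().startswith("rundll32"):
                findings.append(Finding("O4", f"Run value '{m.group(3)}' has no absolute path: {cmd}", line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per HijackThis section."""
    counts: dict = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run against the sample it reports one extra Userinit program, one orphaned BHO and one unqualified Run value; the remaining BHO and Run lines pass because they point at a full path or go through rundll32. Feeding it a complete log is just a matter of replacing SAMPLE_LOG with the file contents.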

Re: New Malware.j

Post by dan12 » March 28th, 2008, 10:22 pm

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: New Malware.j

Post by vasa129 » March 29th, 2008, 7:31 pm

Hi Dan

Here is the

ComboFix Report

ComboFix 08-03-29.1 - Owner 2008-03-29 16:38:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.76 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
VFind -tf -d+2007 -s282624 "C:\Program Files\????????*[0-9].dll"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\tmp12.tmp
C:\WINDOWS\system32\tmp13.tmp
C:\WINDOWS\system32\tmp16.tmp
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-28 19:12 . 2008-03-28 19:42 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-28 18:55 . 2008-03-28 18:55 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-28 18:55 . 2008-03-28 18:55 <DIR> d-------- C:\WINDOWS\ehome
2008-03-28 18:37 . 2002-08-29 05:39 1,998,848 --a------ C:\WINDOWS\SYSTEM32\wmploc.dll
2008-03-28 18:36 . 2002-08-29 05:41 674,816 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2008-03-28 18:34 . 2002-08-29 05:41 3,494,303 --------- C:\WINDOWS\SYSTEM32\nv4_disp.dll
2008-03-28 18:33 . 2002-08-29 05:41 1,622,528 --a------ C:\WINDOWS\SYSTEM32\netshell.dll
2008-03-28 18:31 . 2002-04-22 20:18 766,934 --a------ C:\WINDOWS\SYSTEM32\instcat.sql
2008-03-28 18:30 . 2002-08-29 05:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-03-28 18:28 . 2002-08-29 05:41 578,560 --a------ C:\WINDOWS\SYSTEM32\appwiz.cpl
2008-03-28 18:19 . 2004-08-04 00:31 169,984 --a------ C:\WINDOWS\SYSTEM32\sccbase.dll
2008-03-28 18:19 . 2004-07-17 13:34 67,866 --------- C:\WINDOWS\SYSTEM32\drivers\netwlan5.img
2008-03-28 18:19 . 2004-07-17 13:48 66,082 --------- C:\WINDOWS\SYSTEM32\c_28603.nls
2008-03-28 18:19 . 2004-08-04 00:46 42,537 --a------ C:\WINDOWS\SYSTEM32\keyboard.sys
2008-03-28 18:19 . 2004-08-04 00:22 929 --a------ C:\WINDOWS\SYSTEM32\homepage.inf
2008-03-26 20:53 . 2008-03-26 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-26 20:32 . 2008-03-26 20:32 <DIR> d-------- C:\Program Files\CCleaner
2008-03-24 21:04 . 2008-03-24 21:04 <DIR> d-------- C:\_OTMoveIt
2008-03-24 19:00 . 2008-03-24 19:08 212 --a------ C:\delete.bat
2008-03-23 20:18 . 2008-03-23 20:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-23 20:03 . 2008-03-23 20:55 <DIR> d-------- C:\SDFix
2008-03-23 09:05 . 2008-03-23 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 08:22 . 2008-03-23 08:22 <DIR> d-------- C:\Program Files\stc
2008-03-23 08:21 . 2008-03-23 08:21 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-23 08:21 . 2008-03-23 08:21 <DIR> d-------- C:\Program Files\zango
2008-03-23 08:21 . 2008-03-23 08:21 <DIR> d-------- C:\Program Files\180solutions
2008-03-23 08:21 . 2008-03-23 08:21 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-23 08:21 . 2008-03-23 08:22 <DIR> d-------- C:\Program Files\180search assistant
2008-03-23 08:21 . 2008-03-23 08:21 19,712 --a------ C:\WINDOWS\SYSTEM32\SIPSPI32.dll
2008-03-23 08:21 . 2008-03-23 08:21 19,712 --a------ C:\WINDOWS\didduid.ini
2008-03-23 07:41 . 2006-12-20 12:40 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-23 07:41 . 2006-12-20 12:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-03-23 07:23 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-03-23 07:11 . 2008-03-23 07:46 3,216 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-23 07:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-03-23 07:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-03-23 07:09 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-03-23 07:09 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-03-23 07:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-03-23 07:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-03-22 20:05 . 2008-03-22 20:05 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-22 17:20 . 2008-03-22 17:20 64,512 --a------ C:\Documents and Settings\All Users\Application Data\jmjczmzg.dll
2008-03-22 17:20 . 2008-03-22 17:20 21,248 --a------ C:\WINDOWS\shdocpl.dll
2008-03-22 17:20 . 2008-03-22 17:20 19,200 --a------ C:\WINDOWS\SYSTEM32\shdocpe.dll
2008-03-22 17:20 . 2008-03-22 17:20 18,944 --a------ C:\WINDOWS\msa64chk.dll
2008-03-22 17:20 . 2008-03-22 17:20 18,944 --a------ C:\WINDOWS\123messenger.per
2008-03-22 17:20 . 2008-03-22 17:20 18,432 --a------ C:\WINDOWS\SYSTEM32\ntnut32.exe
2008-03-22 17:20 . 2008-03-22 17:20 15,872 --a------ C:\WINDOWS\ntnut.exe
2008-03-22 17:20 . 2008-03-22 17:20 13,824 --a------ C:\WINDOWS\shdocpe.dll
2008-03-22 17:20 . 2008-03-22 17:20 9,216 --a------ C:\WINDOWS\SYSTEM32\MSNSA32.dll
2008-03-22 17:20 . 2008-03-22 17:20 8,704 --a------ C:\WINDOWS\msapasrc.dll
2008-03-22 17:19 . 2008-03-22 17:19 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-22 17:19 . 2008-03-22 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-22 17:16 . 2008-03-22 17:16 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-03-22 17:16 . 2008-03-22 18:07 <DIR> d-------- C:\Program Files\Chill
2008-03-22 17:15 . 2008-03-23 09:41 <DIR> d-------- C:\Program Files\Bat
2008-03-05 13:43 . 2008-03-05 13:43 229,532 --ah----- C:\WINDOWS\SYSTEM32\BIT71.tmp
2008-03-02 16:42 . 2008-03-24 07:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 16:42 . 2008-03-02 16:42 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 13:25 --------- d-----w C:\Program Files\Lx_cats
2008-03-25 01:42 --------- d-----w C:\Program Files\GamesBar
2008-03-25 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\GamesBar
2008-03-23 00:53 61,224 ----a-w C:\WINDOWS\JAVA\GoToAssistDownloadHelper.exe
2008-03-22 23:06 --------- d-----w C:\Program Files\Comcast Play Games
2008-03-22 22:45 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-22 22:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 01:04 --------- d-----w C:\Program Files\McAfee
2008-02-06 14:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-28 23:33 --------- d-----w C:\Program Files\View22
2008-01-28 02:25 --------- d-----w C:\Program Files\Lexmark 5400 Series
2008-01-28 02:25 --------- d-----w C:\Documents and Settings\Vinnie\Application Data\5400 Series
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2001-08-18 05:36 46,592 --sh--w C:\WINDOWS\twain_32.dll
2001-08-18 05:36 995,383 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2001-08-18 05:36 50,688 --sh--w C:\WINDOWS\SYSTEM32\msvcirt.dll
2002-08-29 10:41 401,462 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2002-08-29 10:41 323,072 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2001-08-18 05:36 9,728 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-15 19:25 28739]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 11:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 16:56 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 17:34 212992]
"NvCplDaemon"="NvQTwk" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 19:25 143360]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 18:36 90112]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 16:13 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-03 19:35 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 08:36 299008]
"WheelMouse"="Amoumain.exe" []
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2007-01-11 12:57 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-07-10 21:30 294912]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-06-07 01:05 98304]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 10:09 106496]


.
Contents of the 'Scheduled Tasks' folder
"2006-12-20 18:16:06 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2006-12-20 18:16:06 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-11-15 07:08:46 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:22 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2006-12-20 18:16:04 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2006-12-20 18:16:04 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2006-12-20 18:16:05 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 16:44:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-29 16:53:04
ComboFix-quarantined-files.txt 2008-03-29 21:52:54
Pre-Run: 25,793,454,080 bytes free
Post-Run: 25,779,306,496 bytes free

And here is the new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:06 PM, on 3/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lxctcoms.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/oneclickfix/tgctlsr.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://playgames.comcast.net/online2/pi ... 0.0.32.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://playgames.comcast.net/online2/go ... dfever.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7123 bytes


Thanks
Anna
vasa129
Regular Member
 
Posts: 22
Joined: March 23rd, 2008, 9:57 am

Re: New Malware.j

Unread postby dan12 » March 29th, 2008, 7:48 pm

Hi Anna, for the next time we run CF:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


I will be back with you when I've gone through your logs; at least we're moving on now. :D
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: New Malware.j

Unread postby dan12 » March 30th, 2008, 6:46 am

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\SIPSPI32.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\SYSTEM32\Process.exe
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\SYSTEM32\SrchSTS.exe
C:\WINDOWS\SYSTEM32\VACFix.exe
C:\WINDOWS\SYSTEM32\IEDFix.exe
C:\WINDOWS\SYSTEM32\dumphive.exe
C:\WINDOWS\SYSTEM32\WS2Fix.exe
C:\WINDOWS\McAfee.com
C:\Documents and Settings\All Users\Application Data\jmjczmzg.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\SYSTEM32\shdocpe.dll
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\123messenger.per
C:\WINDOWS\SYSTEM32\ntnut32.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\SYSTEM32\MSNSA32.dll
C:\WINDOWS\msapasrc.dll
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\SYSTEM32\BIT71.tmp
C:\Documents and Settings\All Users\Application Data\GamesBar

Folder::
C:\Program Files\180searchassistant
C:\Program Files\Bat
C:\Program Files\GamesBar
C:\Program Files\Sysmnt
C:\Program Files\Common Files\Oberon Media
C:\delete.bat
C:\SDFix
C:\Program Files\stc
C:\WINDOWS\FLEOK
C:\Program Files\zango

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
"WheelMouse"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.



please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset the zoom to 100%.

Please include in your next post:
  • Combofix log txt
  • Kaspersky scan log
  • New HijackThis log

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
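A cross-check of the two logs above, added here as an example and not part of dan12's instructions or of the HijackThis or ComboFix tools themselves: the O4 lines and the Registry:: section are copied from the posts, while the parsing and the heuristic are this example's own. The heuristic, an assumption rather than anything the thread states, is that a Run value whose command does not start with an absolute path (a bare Amoumain.exe, or rundll32 handed a bare DLL name) deserves a second look because Windows resolves it through the search path at logon. On this log it picks out NvCplDaemon and WheelMouse, the two values the CFScript's Registry:: section deletes, and LXCTCATS, which the script leaves in place.

```python
"""Cross-check HijackThis O4 autostarts against a ComboFix CFScript.

Added example. The sample input below is copied from the logs posted in this
thread; the parsing and the 'unqualified path' heuristic are this example's
own, not HijackThis or ComboFix behaviour.
"""
import re

# O4 (Run key) lines taken from the HijackThis log above (constructed subset).
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
""".strip().splitlines()

# Abridged copy of the CFScript posted above.
CFSCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\SIPSPI32.dll
C:\WINDOWS\didduid.ini

Folder::
C:\Program Files\180searchassistant
C:\Program Files\zango

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
"WheelMouse"=-
""".strip()

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')      # optionally quoted drive-letter path
SECTION_RE = re.compile(r'^(\w+)::$')             # File:: / Folder:: / Registry::
KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')        # "Name"=data  (data '-' deletes)


def parse_o4(lines):
    """Return (hive, value_name, command) for every O4 Run entry."""
    matches = (O4_RE.match(line.strip()) for line in lines)
    return [m.groups() for m in matches if m]


def unqualified_autostarts(entries):
    """Value names whose command does not start with an absolute path.

    A bare file name, or rundll32 handed a bare DLL name, is located through
    the search path at logon, so whichever matching file is found first runs.
    """
    return [name for _hive, name, cmd in entries if not ABS_PATH_RE.match(cmd)]


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': [(key, name, data)]}."""
    sections, current, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current, key = sec.group(1), None
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f'entry before any section: {line!r}')
        elif current != 'Registry':
            sections[current].append(line)
        elif KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
        elif VALUE_RE.match(line) and key is not None:
            name, data = VALUE_RE.match(line).groups()
            sections[current].append((key, name, data))
        else:
            raise ValueError(f'unparsed Registry:: line: {line!r}')
    return sections


def deleted_run_values(script):
    """Value names the script deletes ("Name"=-) from a CurrentVersion\\Run key."""
    return [name for key, name, data in script.get('Registry', [])
            if data == '-' and key.lower().endswith(r'\currentversion\run')]


def cross_check(o4_lines, cfscript_text):
    """Which flagged autostarts the script removes, and which it leaves in place."""
    flagged = unqualified_autostarts(parse_o4(o4_lines))
    removed = deleted_run_values(parse_cfscript(cfscript_text))
    return {'flagged': flagged,
            'removed': removed,
            'flagged_not_removed': [n for n in flagged if n not in removed]}


if __name__ == '__main__':
    for label, names in cross_check(HJT_O4_LINES, CFSCRIPT).items():
        print(f'{label}: {names}')
```

Run as a script it lists the flagged names, the names the CFScript removes, and the difference; the `flagged_not_removed` list is the one a helper would look at before posting the script, since an entry that fails the path check but is left alone needs a reason (here LXCTCATS, a Lexmark printer component in the same path the ComboFix log lists).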

Re: New Malware.j

Unread postby vasa129 » April 5th, 2008, 8:32 am

Hi Dan

Sorry it's been a few days - I've been sick. I will get these run and posted today.

Thanks
vasa129
Regular Member
 
Posts: 22
Joined: March 23rd, 2008, 9:57 am

Re: New Malware.j

Unread postby askey127 » April 20th, 2008, 5:25 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us to reopen this topic if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA