Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

help needed please

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

help needed please

Unread postby dougdepell » October 31st, 2008, 12:35 pm

Logfile of HijackThis v1.99.1
Scan saved at 12:26:44 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O1 - Hosts: dõ×Úÿ
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: getsn32.msiesn - {32FD16DC-537C-4186-9BD6-C718A308342B} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GetModule25] C:\Program Files\GetModule\GetModule25.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @Home - {33D20900-DDF1-11D9-A7DC-0800460222F0} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5074084122
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
dougdepell
Active Member
 
Posts: 5
Joined: October 31st, 2008, 12:19 pm
Advertisement
Register to Remove

Re: help needed please

Unread postby Sharagoz » October 31st, 2008, 5:00 pm

Hello dougdepell, welcome to MWR
Please take note of the following before we begin the cleaning process:
  • The whole process will often take several days to complete, so please stay patient
  • Hang in there until I give you the 'All clean'. If you leave prematurely because your computer seems to be back to its old self, the risk of re-infection will be very high
  • Perform all actions in the order given
  • The instructions I give expect that you're using an account with administrator privileges and that the language of your operating system is English.
  • Dont be afraid to ask questions if something is unclear or if you run into issues during cleaning steps
  • I recommend you read through each set of instructions before you actually perform them

1) Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Include this log in your next reply

2) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log should open in Notepad
  • Include this log in your next reply
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: help needed please

Unread postby dougdepell » October 31st, 2008, 10:09 pm

Thanks for getting back to me so quickly. A brief description of the problems I'm aware of: "Task Manager has been disabled by Admininstrator" - Not able to access Task Manager.
A few different types of popups claiming that a virus have been detected on my system.
Desktop background appearance was changed to a "default" in control panel display that I am unable to change.

Here is the Uninstall list:

Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Aureal Vortex A3D Demos
Aureal Vortex AU8830
CCleaner (remove only)
Comcast High-Speed Internet Install Wizard
Comcast Toolbar
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - hp officejet 4100 series
Intel(R) PRO Ethernet Adapter and Software
Java(TM) 6 Update 3
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
Linksys Updater
Macromedia Shockwave Player
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Word 2000
MouseWare
NetDiag
NVIDIA Windows 95/98 Display Drivers
OpenOffice.org 2.3
QuickTime
RealPlayer
Registry Easy v4.7
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Smart Connect 2.2
Smart Shared Library
Spybot - Search & Destroy
Turbo Lister
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB951072-v2)
WebEx
Windows XP Uninstall


Here is the new Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:26 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\update\update.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O1 - Hosts: dõ×Úÿ
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: getsn32.msiesn - {32FD16DC-537C-4186-9BD6-C718A308342B} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GetModule25] C:\Program Files\GetModule\GetModule25.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @Home - {33D20900-DDF1-11D9-A7DC-0800460222F0} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5074084122
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
dougdepell
Active Member
 
Posts: 5
Joined: October 31st, 2008, 12:19 pm

Re: help needed please

Unread postby Sharagoz » November 3rd, 2008, 9:16 am

Hi
Sorry for the delay with the response.
As Im only an undergrad at this Uni I need to have all my fixes approved by a teacher before they can be posted.
The teachers are pretty swamped right now, so that's the reason for the delay.
You're not forgotten though and as soon as a teacher gets a free slot we'll be on our way to a clean computer.

-S
Last edited by Sharagoz on November 3rd, 2008, 12:48 pm, edited 1 time in total.
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: help needed please

Unread postby Sharagoz » November 3rd, 2008, 12:47 pm

You need to temporarily disable Ad-aware's ad-watch and Spybots teatimer before running this procedure.

Temporarily disable TeaTimer:
  • Start Spybot, click Mode and select Advanced Mode.
  • Select Tools (bottom left) and click the Resident button.
  • Now in the right window pane, uncheck Resident "TeaTimer".
Note:
TeaTimer can be a resource hog, so I advice to leave it permanetly disabled. However, this is of course up to you.

Temporarily disable Ad-Aware Ad-Watch
Right click on the Ad-Watch icon in the system tray
At the bottom of the screen, uncheck both Active... and Automatic...

1) Download and run SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows Directory, typically C:\SDFix)
  • Reboot your computer into Safe Mode by by following this guide.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press a key and it will restart the PC into normal mode.
  • When the PC restarts the Fixtool will run again and complete the removal process and then display Finished. Press a key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Include the contents of Report.txt in your next post

2) Download and Run Malwarebytes Anti-Malware
  • Download Malwarebytes' Anti-Malware and install the program
  • At the end, make sure a checkmark is placed next to:
    o Update Malwarebytes' Anti-Malware
    o Launch Malwarebytes' Anti-Malware
  • Click Finish
  • If an update is found, it will download and install the latest version
  • Once the program has loaded, click Check for updates
  • Click select Perform full scan, then click Scan to start scanning
  • When the scan is complete, click OK, then Show Results to view the results
  • Make sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Include this log in your next reply
Note:
If you for some reason lose the log, it can be retrieved manually from this location:
C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

You can enable Ad-watch and TeaTimer again now.

3) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log should open in Notepad
  • Include this log in your next reply

Logs I need:
C:\SDfix\report.txt
MBAM log
New HJT log

How is your computer running now?
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: help needed please

Unread postby dougdepell » November 4th, 2008, 1:07 am

The directions were easy to follow and the Computer seems to be running great!
Here are the logs you requested:

SDFIX Report:

SDFix: Version 1.239
Run by Doug DePellegrini on Mon 11/03/2008 at 10:05 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Resetting SecurityProviders Value

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Doug DePellegrini\Application Data\Gool\Gool.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\hosts - Deleted
C:\WINDOWS\system32\getsn32.dll - Deleted
C:\WINDOWS\system32\msansspc.dll - Deleted


Could Not Remove C:\WINDOWS\system32\smwin32.dll

Folder C:\Documents and Settings\Doug DePellegrini\Application Data\Facegame - Removed
Folder C:\Documents and Settings\Doug DePellegrini\Application Data\Gool - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\Webtools - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 22:25:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\default.htm Found
C:\WINDOWS\system32\smwin32.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 23 Apr 1999 129,078 ..SH. --- "C:\LOGO.SYS"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 15 Sep 2005 4,348 ..SH. --- "C:\WINDOWS\All Users\DRM\DRMv1.bak"
Wed 2 Nov 2005 43,520 A..H. --- "C:\Documents and Settings\Doug DePellegrini\My Documents\~WRL0004.TMP"
Tue 8 Nov 2005 41,984 A..H. --- "C:\Documents and Settings\Doug DePellegrini\My Documents\~WRL1088.TMP"
Mon 7 Nov 2005 45,056 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL0005.TMP"
Mon 7 Nov 2005 45,056 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL4008.TMP"
Mon 7 Nov 2005 45,568 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL2105.TMP"
Mon 7 Nov 2005 45,056 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL1014.TMP"
Mon 7 Nov 2005 45,056 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL3486.TMP"
Mon 7 Nov 2005 44,032 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL3392.TMP"
Mon 7 Nov 2005 46,080 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL4083.TMP"
Mon 7 Nov 2005 45,568 A..H. --- "C:\Documents and Settings\Doug DePellegrini\Application Data\Microsoft\Word\~WRL2758.TMP"

Finished!

MBAM log:

Malwarebytes' Anti-Malware 1.30
Database version: 1361
Windows 5.1.2600 Service Pack 2

11/3/2008 11:34:30 PM
mbam-log-2008-11-03 (23-34-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 94853
Time elapsed: 59 minute(s), 54 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 4
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\uesiuqcr.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\smwin32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{27861bda-a645-491d-8599-dcab5969dc34} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4cf05127-d66d-4125-b2d9-15909b83842a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{475a8380-dc57-448b-8d9f-5600df0a8476} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32fd16dc-537c-4186-9bd6-c718a308342b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32fd16dc-537c-4186-9bd6-c718a308342b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\REAL\WEATHERBUG\MINIBUGTRANSPORTER.DLL (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\iWon (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache (Adware.iWon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\uesiuqcr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\PROGRAM FILES\COMMON FILES\Real\WEATHERBUG\MINIBUGTRANSPORTER.DLL (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908432.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\7-v3av.exe (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908718.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908415.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908884.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908684.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908406.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908981.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\__25.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\KB908822.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\files.ini (Adware.iWon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\smwin32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\TDSS8771.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Doug DePellegrini\Local Settings\Temp\TDSS887f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:01 AM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @Home - {33D20900-DDF1-11D9-A7DC-0800460222F0} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5074084122
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
dougdepell
Active Member
 
Posts: 5
Joined: October 31st, 2008, 12:19 pm

Re: help needed please

Unread postby Sharagoz » November 4th, 2008, 2:47 pm

The directions were easy to follow and the Computer seems to be running great!

Thats good!
Your logs are looking much better too, but there are still some things we need to take care of.

You need to temporarily disable Ad-watch again before running these steps.

1) Upload a file to VirusTotal
  • Go to virustotal.com
  • Click Browse and copy the filepath from the codebox below into the File name box and click Open
    Code: Select all
    C:\WINDOWS\java.exe
  • Click the Send file button to start the scan
  • When the status changes to finished, click the Compact link
  • Copy everything from the windows that pops up into your next reply
    (You may want to temporarily save this in a notepad document until the rest of the steps are done)

2) Fix bad entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a checkmark next to the below lines if they are listed

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis

3) Download and run CCleaner
I noticed you have CCleaner installed already. If this is the latest version (2.13) you can skip the downloading step and go straight to cleaning.
If not, uninstall your current version before downloading the latest one.
  • Download CCleaner from this page (click on one of the links in the section "Free Download From")
  • Install and launch CCleaner
  • Click the Options button and select Advanced
  • Uncheck the option "Only delete files in Windows Temp folders older than 48 hours"
  • Click the Cleaner button
  • If you wish to avoid being logged out of all websites you're currently logged into, make sure Cookies are unchecked for the web browser(s) you use. Internet Explorer are located under the Windows tab, other browsers are located under the Applications tab
  • Click the Run Cleaner button at the bottom right of the window
  • Click Yes at the prompt and let the cleaner finish
Note:
If there are more than one user account on this computer, run CCleaner using this procedure on all other user accounts as well

4) Download and run SUPERAntiSpyware
  • Download SAS from here (use the link 'from authors site'), and install the program using default settings
  • When prompted about installing updates, click Yes
  • You can skip email registration and homepage protection
  • The program should auto-start after the installation. If it doesnt, there's will be a shortcut on your desktop that you can use to launch it manually
  • In the main window click Preferences to launch the configuration window
  • Under the General and Startup tab uncheck Start SUPERAntiSpyware when windows starts
  • Under the Scanning Control tab, uncheck everything except:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining
    o Scan alternate data streams
  • Click the Close button and return to the main window
  • Click the Scan your Computer button
  • Select Perform complete scan, make sure the necessary drives are selected, and click the Next button
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK
  • Make sure everything has a checkmark next to it and click Next
  • A notification will appear saying Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
  • Now we need to retrieve the log
  • In the main window, Click Preferences, then click the Statistics/Logs tab
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor
  • Include this log in your next post

Ad-watch can be enabled again after this step.

Registry Easy
You have Registry Easy installed.
Emsisoft, a well known developer of anti-malware products, flags this as adware and claims it displays missleading scan results.
Unless you have the paid version of Registry Easy I recommend you uninstall it.
If you wish to run a registry cleaner from time to time I recommend you use the one built into CCleaner, which have a better reputation.

5) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log should open in Notepad
  • Include this log in your next reply

Logs I need:
VirusTotal results
SUPERAntiSpyware log
New HJT log
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: help needed please

Unread postby dougdepell » November 4th, 2008, 11:51 pm

Here are the latest results..

VirusTotal Results:

File has already been analysed:
MD5: 08996dd4135eedcb346bc4ad97b88a72
First received: -
Date: 11.02.2008 19:38:17 (CET) [>2D]
Results: 0/36
Permalink: analisis/1132b232ee23c37191e6b54bed135442


SUPERAntiSpyware Scan Log:

http://www.superantispyware.com

Generated 11/04/2008 at 10:41 PM

Application Version : 4.21.1004

Core Rules Database Version : 3623
Trace Rules Database Version: 1607

Scan type : Complete Scan
Total Scan Time : 02:27:11

Memory items scanned : 371
Memory threats detected : 0
Registry items scanned : 4553
Registry threats detected : 0
File items scanned : 57729
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings.000\Karen Giesy\Cookies\karen giesy@2o7[2].txt
C:\Documents and Settings.000\Karen Giesy\Cookies\karen giesy@tacoda[2].txt
C:\Documents and Settings.000\Karen Giesy\Cookies\karen giesy@adopt.specificclick[1].txt
C:\Documents and Settings.000\Karen Giesy\Cookies\karen giesy@specificclick[1].txt
C:\Documents and Settings.000\Karen Giesy\Cookies\karen giesy@questionmarket[2].txt

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:22 PM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @Home - {33D20900-DDF1-11D9-A7DC-0800460222F0} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5074084122
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
dougdepell
Active Member
 
Posts: 5
Joined: October 31st, 2008, 12:19 pm

Re: help needed please

Unread postby Sharagoz » November 5th, 2008, 2:52 pm

Your logs are clean, well done!
Unless you have discovered more problems its time to do the final steps.

1) Cleaning up after the removal procedures
  • 1.1) Uninstall through Add/Remove Programs
    • Press the windows key and the R key at the same time
      (The windows key is usually located two to the left of the space bar and is labeled with a windows logo)
    • A dialog box will Open. Type appwiz.cpl and press enter
    • This will take you to Add/Remove Programs
      (Optionally you can locate Add/Remove Programs through the control panel)
    • Locate and uninstall the below programs unless you want to keep some of them for future usage:
      Malwarebytes' Anti-Malware
      SUPERAntiSpyware
    • You uninstall by selecting the program and then clicking the button labeled Remove or Uninstall
  • 1.2) Other deletions
    • sdfix.zip (desktop)
      C:\SDfix
    • Delete any other logs that remain on your desktop.
    1.3) Flush system restore
    • Right click on My Computer
    • Select Properties
    • Click the System Restore tab and check "Turn Off System Restore on all Drives"
    • Click OK at the prompt and restart your computer
    • After the computer has restarted, find the System Restore tab again the same way you did before
    • Uncheck "Turn Off System Restore on all Drives"
    • Click Apply. System Restore will now be enabled again, and a new restore point will be created.
    • When the process is done, the Status field will change to Monitoring. Click OK to exit.

2) Take measures to prevent your computer from being infected again
    Below I'm quoting a tutorial I've written which I post to everybody I help here at MWR.
    It covers the key parts of the software side of computer security. What steps you take or dont take to increase your own computers security is of course up to you.
    In purple I have added some comments that apply spesifically to your computer.
    The tutorial will take a little while to get through, but I hope you find it to be worth your time.
    If you have any questions beyond this, feel free to ask.

  • 2.1) Windows updates
    This is the most important security measure. With an unpatched operating system you will be defenseless even with top-notch security software.
    Malware often exploit security holes in your operating system to install itself, and keeping your OS up to date at all times will make sure this risk is at a minimum.
    Visit http://update.microsoft.com/ using Internet Explorer, and get all critical updates.
    You may have to repeat the update procedure several times before you get all updates. Repeat it until there are no more critical updates showing as missing.
    Also, I recommend you turn on automatic updates if you havent already.

  • 2.2) Immunization software
    These security measures does not do any realtime scanning. All they do is block sites that hosts malware, sites that advertises for malware, malicious ActiveX objects, malicious browser helpers, and cookies that have been identified as bad.
    These protection measures have proven very effected against "internet related" threats and require virtually no computer resources.
    - MVP hosts
      Blocks rougly 25k online domains that hosts or advertises for malware.
      Will significantly reduce the chance of getting in trouble by accidently visiting the wrong page.
    • Download hosts.zip from here
    • Extract the content to your desktop.
    • Copy the file called "HOSTS" to the folder C:\windows\system32\drivers\etc
    • And say "yes" to overwriting the existing file
    • Delete the installation files from your desktop
    Notes:
    If you have previously added custom entries to your own hosts file, these will have to be re-added after the new hosts file is installed.
    The MVP hosts file should be downloaded and re-installed every now and then to keep it up to date.
    If you install MVP Hosts you should disable a service called "DNS client".
    If you dont, your browser(s) will use 10-60 seconds longer to start than what you are used to.
    Disabling this service will have no side-effects. Its purpose is to put domains in cache, but there is no noticeable increase in browsing speed.
    To disable the "DNS Client" service, do the following:
    • Press the windows key and the R key at the same time to open the run dialog box
      (the windows key is usually located to the left of the space bar and is labeled with a windows logo).
    • Type in "services.msc" (without the quotes) and press enter.
    • Right-click on "DNS client" and chose "Stop".
    • After the service has stopped, right-click on it again, chose "Properties" and set "startup type" to "disabled, press "Apply" and "OK".

    - Javacool Spywareblaster
      Multi-purpose blocker of activeX objects, browser helpers and unwanted cookies.
    • Download Spywareblaster from here and install it using default settings
    • Launch Spywareblaster
    • Click "manual updating" (automatic require a subscription)
    • Click "updates"->"check for updates"
    • When the updates are finished downloading, click "protection status" -> "enable all protection"
    Note:
    The last two steps should be repeated from time to time to keep the protection up to date.

    - Spybot immunization
      Multi-purpose blocker of domains, activeX objects, browsers helpers and unwanted cookies.
      Installation step removed as you have Spybot installed already
    • Launch Spybot
    • Click "update" -> "check for updates" and install all available updates.
    • Click "Immunize" in the left menu and then "immunize" in the right-hand window to enable the protection. (this may take a couple of minutes to finish)
    Note:
    The last two steps should be repeated from time to time to keep the protection up to date.

    After immunization you will start to notice that on some pages advertisements are not displayed, instead it shows an icon indicating that an image couldnt be loaded.
    The reason for this is that the immunization is blocking the site that are hosting the ads because it has been found to advertise for malicious software.
    If you try to enter a website that is being blocked, the browser will simply say "the webpage could not be displayed".

    2.3) Real-time protection
    These security measures work in real time and scans computer activty as it is happening (anti-virus/anti-malware scans a file before it allows it to be opened, a firewall controls network traffic and blocks it unless you have allowed it to happen).
    This requires a lot of system resources, so what we are looking for is applications with good detection rate, low resource usage, that dont cause problems for legitimate applications.
    These are my recommendations.
    - Anti-virus
      Anti-virus software are ment to detect files infected with viruses and to detect worms, but also have anti-spy/adware capabilities.
      Here are three good, free alternatives (only free for non-comercial use).
    • Avira AntiVir
    • Alwil Avast
    • AVG Anti-virus
    Note:
    Never have more than one Anti-virus application installed. Installing a second one is likely to cause conflicts between the two and apart from making your system unstable it will reduce your security rather than increase it.
    As you have Kaspersky installed, a paid for AV, you do not need to increase your AV security

    - Anti-malware
      These applications are ment to supplement your antivirus as they are aimed spesifically at detecting malicious programs.
      This can be displaying advertising (adware), track your internet surfing (spyware), give other people control over your computer (backdoors) and the likes.
      Unfortuntly, in the anti-malware department there arent any great free alternatives like there are in the anti-virus department.
      If you want an anti-malware application worth using you'll need to purchase one. Here are three good alternatives:
    • Malwarebytes' Anti-Malware
    • A-squared Anti-Malware (can be tried for 30 days for free)
    • SUPERAntiSpyware (can be tried for 14 days for free)
    Note:
    You can have more than one of these running at the same time, but I don't recommend it because it only gives a small increase in security while a big increase in usage of system resources.
    If you chose to get one of these Anti-Malware applications, you should uninstall Ad-Aware to free up some system resources

    - 3rd party Firewall
      Modern operating systems and routers have firewalls built into them that control incoming traffic so the only reason to install a 3rd party firewall is to control outgoing traffic.
      Firewalls are different than other security software as you need to learn how to use it. An antivirus application for instance you usually just install and then it runs in the background and only alerts you if something is wrong.
      That is not the case with firewalls. It will alert you whenever something tries to connect to the internet, whether its good or bad, and then its up to you to allow or deny the request.
      If you want to have top notch security you need a 3rd party firewall. This will be your last line of defense should something bad get through your immunzation, and anti-virus/anti-malware protection.
      It can prevent a trojan downloader from downloading malware to your computer should you end up with one, or prevent malware from sending personal information after it has collected it.
      Here are three good, free alternatives. They each have their own support forum that can help you learn how setup and use their firewall.
    • Comodo
      (If you chose this one, be sure to uncheck the following alternatives during installation:
      "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
    • PCTools Firewall
    • Online Armor
    The firewall that comes with Kaspersky may be strong enough for you.
    If you chose to get one of these firewalls, the one in Kaspersky needs to be disabled.


    - Winpatrol
      This program is not strictly a security application, but gives you a lot more control over your computer.
      Like a firewall it's a tool you need to learn how to use.
      Basically it watches your system settings and alerts you if an application tries to change something. Then its up to you to accept or deny this change.
      Its main purpose is to watch programs that add themselfs to auto-start, but it also watches file associations, activex objects and Internet Explorer helpers.
      Most programs do not need to be on auto-start, and the bad thing about auto-start is that it clogs down system resources.
      With winpatrol you can easily detect and prevent when an unwanted auto-start entry is added, and this becomes an additional security feature beacuse most malware will add itself to auto-start.
      You can download winpatrol from here
      And here's a link to a place where you can get more information on how to use it

    If you managed to read through all of that you're probably asking "do I really need that much security software?".
    That depends on what your computer is used for.
    I'd say that everybody who uses a computer on the internet today really needs the following:
    - Windows updates (having all windows updates is more important than any security software)
    - The immunization features in step 2.2
    - Anti-virus
    That's the minimum.
    If you use your computer for financial transactions (online bank, web-shopping, etc) or have sensitive information stored on the computer, you should strongly consider buying an anti-malware app and get a 3rd party firewall to enhance security.
    If you like to use your computer freely and install a lot of different programs, use file-sharing applications and surf all over the web you should also consider enhancing security as you'll be more at risk for infections.

    Finally, I will recommend you read this article called How did I get infected in the first place?
    Some of the advice related to security software is a bit outdated, but the first part called "Safe Computer Practices" is still as valid and important as ever.
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: help needed please

Unread postby dougdepell » November 11th, 2008, 2:03 am

Thank you very much for all your help in cleaning up my computer.
Awesome all-around service!
dougdepell
Active Member
 
Posts: 5
Joined: October 31st, 2008, 12:19 pm

Re: help needed please

Unread postby Sharagoz » November 11th, 2008, 8:30 am

You're welcome!
User avatar
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: help needed please

Unread postby NonSuch » November 16th, 2008, 6:59 pm

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 27 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware