Malware Removal Instructions

how to clean up obfuscator


Re: how to clean up obfuscator

Post by Wingman » June 4th, 2009, 3:51 pm

Hi Sia,

Thanks for the information from the MS Live OneCare process, I appreciate it. Thank you for hanging in there... these removals can be difficult and tedious... good job so far. ;)

Please perform the following steps:

Step 1.
TFC (Temp File Cleaner)
  1. Please download TFC.exe...by Old Timer. Save it to your desktop.
    Print these instructions. Save any unsaved work. TFC will close ALL open programs... including your browser!
  2. Double click on TFC.exe to run it.
    TFC will begin cleaning up the "temp" files... it may take only a few seconds or it could be several minutes, depending on the amount of temp files found.
  3. If prompted to reboot... click Yes.

! Important ! If TFC prompts you to reboot, please do so immediately, before proceeding to any other steps or other use of your computer.

Step 2.
Please run this scanner again... instructions provided here for convenience.
Kaspersky Online Scanner.
Please go to Kaspersky Online Virus Scanner © Kaspersky Lab to perform an online antivirus scan.
  1. Click on the [image] button.
  2. The program will launch and fill in the Information section... on the left.
  3. Read the "Requirements and Limitations", then press the [image] button.
  4. The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  5. Once the files have been downloaded, click on the [image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  6. Now under the Scan section on the left:
      Select My Computer
  7. The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete it will display if your system has been infected.
  8. Save the scan results as a Text file ... save it to your desktop.
  9. Copy and paste the saved scan results file in your next reply.

Step 3.
Execute ** ONLY ** if the Kaspersky scan showed no files, infections ... was clean.
Run the MS Live OneCare scan again, as you did in previous steps. Please report anything found.

Step 4.
Please include in your next reply:
  1. Kaspersky scan results
  2. Live OneCare scan results (dependent on KAS results)

Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14110
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: how to clean up obfuscator

Post by Sia » June 5th, 2009, 4:34 am

Hi Wingman

Yep, the Kaspersky scan picked something up this time; report follows. So I haven't repeated the MS Live OneCare scan.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, June 5, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 04, 2009 23:49:53
Records in database: 2307984
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 56842
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:41:06


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan.Win32.Agent.cgcn 1

The selected area was scanned.
Sia
Regular Member
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Post by Wingman » June 5th, 2009, 10:43 am

Hi Sia,

The Kaspersky scan did pick up a file... this was the "old" file that was "quarantined" by ComboFix... it is no longer a threat. :)
We can take care of its removal, a little later.
You can run the Live OneCare scan again. The Live OneCare scan may also reference the same file, this would be expected.

Please perform the following steps:

Step 1.
Run the MS Live OneCare scan again, as you did in previous steps. Please report anything found.

Step 2.
Post a New HJT Log
  1. Start HijackThis.
  2. If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  3. From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
    When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Step 3.
Please include in your next reply:
  1. Live OneCare scan results
  2. New HJT log

Thanks,
Wingman
Wingman
Admin/Teacher

Re: how to clean up obfuscator

Post by Sia » June 6th, 2009, 12:12 pm

Hi there Wingman

Hope you're having a good weekend.

All the best
Sia

------------
MS live scan came up with following:

VirTool:Win32/obfuscator.FH

c:\system volume information\_restore{202550a8-7a33-4bca-051d24ddbfif}rp690\a0052897.exe
c:\qoobox\quarantine\c\windows\system32\wbem\proquota.exe.vir

and following is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:37, on 06/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust Internet Security Suite\casc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/uk/downl ... oader4.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/UK/downl ... oader3.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 12094 bytes
Sia
Regular Member

Re: how to clean up obfuscator

Post by Wingman » June 7th, 2009, 9:44 am

Hi Sia,

My weekend is going OK... working on your log :D

The 2 entries that show in the Live OneCare scan: one is the same file KAS picked up, the quarantined file. (I expected to see this.)
The other file is an old System Restore Point... this Restore Point was created during the time your computer was infected.
We will take care of removing both these files... later; they are NOT a threat, as of this moment.
However...
If you use System Restore, you may re-infect yourself... so let's try to avoid doing that. (Hmm, another reason not to install anything... that may cause you to need to restore your system.)

OK, you've done a great job so far... let's continue :)

Please perform the following steps:

Step 1.
HostsXpert
Please download HostsXpert ...© Funkytoad.com.
Save it to your desktop.
If you have a 3rd party "unzipping" program...(WinRar, Winzip, etc) ... use that to extract files to your desktop, go to step 6.
  1. Right click on HostsXpert.zip and select Extract All....
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard", screen.
  3. Click on the Browse button... click on Desktop... then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Once extracted, HostsXpert folder will open.
  6. Double click on HostsXpert.exe to start it.
  7. On the left side panel... if the top button is labeled "Make Writable?"... press it. (The text of the button will change to "Make Read-Only?".)
  8. Now... click on the Restore MS Hosts File...button.
    • Reply "OK" to the "Press OK to Restore Microsoft's original Hosts file"...prompt. screenshot (if needed)... see red boxed button.
    • Go back to the top button labeled..."Make Read-Only?"... click it. Now the text should read "Make Writable?".
  9. Press the Editing...button.
  10. Press the Copy to Clipboard...button.
    • Select Copy Hosts file...from the menu.
    • Click "OK" to the "Copied to Clipboard"... message.
  11. Exit HostsXpert.
  12. Open Notepad...paste the contents of Clipboard into the opened window.
  13. Save the Notepad file...call it..."hostfile.txt"...save it to a convenient place.
Paste the contents of the hostfile.txt file into your next reply.
Note: IF you used any custom Hosts (eg. Spybot's Immunize, MVPS Hosts, etc...), you will have to reapply them!

Step 2.
Update Adobe Reader
Your version of Adobe Reader is out-of-date. There are known security issues with older versions of Adobe Reader.

...STOP... If you are using a FULL featured, "purchased" version of Adobe Reader... STOP ...
These instructions will remove the current version of Adobe Reader and replace it with the limited feature FREE version.
If you want to replace the "paid for" version with the free version, then continue, otherwise, do not perform this step!


Please download the current version of Adobe Reader...Copyright © Adobe Systems Inc.
  1. Click the yellow "Download now"... button. If you don't already have it...you may receive a prompt...
  2. If prompted to install "Adobe DLM" This software is not needed to download and install the latest Adobe Reader software...so the choice is yours.
    The Adobe Download Manager... can prevent you from having to start from the beginning, if your download process is interrupted. A good idea if you are using dial-up.
    If you choose to install Adobe DLM, it will start the download automatically. Adobe DLM software removal instructions available here...if wanted.
  3. If not using Adobe DLM...click on the highlighted "click here to download" text, to obtain the current version.
    Save the file to your desktop.
      Uninstall OLD Adobe Reader
    • Please uninstall Adobe Reader before installing the latest version... Go to Start > Control Panel
    • Double click on Add/Remove Programs... Locate Adobe Reader and click on Change/Remove to uninstall it.
    • Once the old version of Adobe Reader is uninstalled...close and exit Control Panel.
  4. Click on the Adobe Acrobat Reader (AdbeRdrxx_en_US.exe) icon, on your desktop... to install the new (free) version.
    The Adobe Reader download file name will be different, depending on the language or OS chosen. xx in the name = version numbers.
  5. The Adobe installer will check your system and begin the installation process. Use the default installation parameters.
  6. When the installation is complete... Close and re-open your Internet browser.

As an alternative to Adobe Reader, you could try the free (for personal use) Foxit PDF Reader.
The download file is a lot smaller and, once installed, it uses a lot fewer resources than Adobe Reader.


Step 3.
Fix HijackThis entries
Important!
Please temporarily disable any anti-spyware (AD-Watch) programs you are using, listed Here
...so they will not interfere with the entries we will be fixing in HijackThis.
  1. Run HijackThis
    • If you are on the Main Menu page... Click "Do a system scan only"
    • If you are on the "scan & fix stuff" page... Press the Scan...button.
  2. When the scan finishes...Place a check mark next to the following entries (if they are still present):
      *Only check those items listed below *
      O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
      O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
      O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} -
  3. After checking these items... CLOSE ALL open windows except HijackThis
  4. Click the Fix Checked ...button...to remove the entries you checked.
  5. Choose YES...when prompted to fix the selected items.
    Once it has fixed them, close HijackThis and reboot your computer normally.
  6. Run HijackThis again...
    • If you are on the "scan & fix stuff" page... Press the Main Menu...button.
    • On the Main Menu...click on the "Do a system scan and save a Log file"...button.
  7. When the scan is finished... Notepad will open with a saved log file called "hijackthis.log"
  8. Paste the contents of hijackthis.log file in your next reply.

Don't forget to enable your anti-spyware/adware processes again, if you disabled them!

Step 4.
Please include in your next reply:
  1. Hostfile.txt contents
  2. If you did not update Adobe Reader, please let me know why.
  3. New HJT log
  4. Tell me how your computer is running.
Thanks,
Wingman
Wingman
Admin/Teacher
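As an added example (not code from this thread, from HijackThis or from HostsXpert), here is a small Python 3 script that does mechanically what Wingman does by eye in Step 1 and Step 3 above: it flags O1 lines whose hosts mapping points at a non-local address, O2 BHO lines marked (no file), and O16 DPF entries with no source URL, and it runs the same mapping test over the raw hosts file that HostsXpert copies to the clipboard. The sample lines are copied from the logs posted in this thread, plus two constructed hosts-file lines; the function names and regular expressions are my own assumptions about the log format.

```python
"""Automated version of two checks performed by eye in this thread:
(1) HijackThis O1/O2/O16 lines that show a hosts-file redirect, an orphaned
BHO, or an ActiveX download entry with no source, and (2) the same mapping
test over a raw Windows HOSTS file. Standard library only (Python 3).
Helper names and regexes are this example's own, not HijackThis's."""
import ipaddress
import re

# Shapes of the three HijackThis 2.0.2 entry types as they appear in the logs above.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\S+)(?: \((.*?)\))? - ?(\S*)\s*$")


def hosts_mapping_finding(ip, host):
    """Return a reason string if a hosts mapping looks like a redirect, else None.

    A stock HOSTS file only maps localhost to 127.0.0.1 / ::1, and blocklist
    files (MVPS, Spybot immunise) map unwanted names to 127.0.0.1 or 0.0.0.0,
    which is harmless. A mapping to a public address, like 94.232.248.66 in
    the first log above, sends the browser to someone else's server whenever
    the user types a security vendor's name.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable address %r" % ip
    if addr.is_loopback or addr.is_unspecified:
        return None
    return "%s redirected to non-local address %s" % (host, ip)


def triage_hjt(log_text):
    """Return (section, subject, reason) tuples for the entry classes fixed in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            reason = hosts_mapping_finding(*m.groups())
            if reason:
                findings.append(("O1", m.group(2), reason))
            continue
        m = O2_RE.match(line)
        if m:
            name, clsid, target = m.groups()
            if target.strip().lower() == "(no file)":   # BHO registered, DLL gone
                findings.append(("O2", clsid, "BHO '%s' registered but its DLL is missing" % name))
            continue
        m = O16_RE.match(line)
        if m:
            ident, _friendly, url = m.groups()
            if not url:   # Downloaded Program File with no recorded source URL
                findings.append(("O16", ident, "ActiveX download entry with no source URL"))
    return findings


def triage_hosts_file(hosts_text):
    """Apply hosts_mapping_finding to every mapping in a raw HOSTS file."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for host in names:
            reason = hosts_mapping_finding(ip, host)
            if reason:
                findings.append(("hosts", host, reason))
    return findings


# Entries copied from the first HijackThis log posted in this thread.
SAMPLE_HJT = """
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
"""

# The restored HOSTS file Sia posted, cut down, plus two constructed lines: one
# blocklist-style entry (harmless) and one redirect like the O1 lines above.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
0.0.0.0         ads.example                # constructed: blocklist style, harmless
94.232.248.66   www.antivguardian.com      # constructed: redirect to a public address
"""

if __name__ == "__main__":
    for section, subject, reason in triage_hjt(SAMPLE_HJT) + triage_hosts_file(SAMPLE_HOSTS):
        print("%-5s %-45s %s" % (section, subject, reason))
```

A hit is a reason to look, not a verdict: an O2 "(no file)" is usually just a leftover from an uninstall, and a hosts mapping to a private address can be a legitimate local override. What makes the O1 lines in this thread clearly hostile is the combination of a public address and names that belong to a security vendor, which is the pattern the rogue antivirus family here used to keep its victims away from real help.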

Re: how to clean up obfuscator

Post by Sia » June 7th, 2009, 1:53 pm

Hi Wingman

Sorry about that - hope you're not missing any lovely sunshine. :flower:

Host report will follow first, then Hijack.

I've removed old Adobe reader and installed new one.

Don't know if this is anything to do with it or a completely different problem, but recently my laptop gets stuck quite frequently on starting up, before Windows kicks in. Sometimes physically turning it off and on again will get it to work, and sometimes I have to do it several times before Windows kicks in. Any thoughts? If it's nothing to do with this, do tell me and I'll do a search to see if I can find out the problem. Also, after Windows comes up I'm now frequently getting a "generic host win32" error message; the message goes after sending a report. And shortly after start-up I'm always getting a message that the antivirus has picked something up and supposedly removed it. Is that normal? It's rare that I get these messages otherwise.

All the best
Sia

---------------
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:31:16, on 07/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust Internet Security Suite\casc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/uk/downl ... oader4.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/UK/downl ... oader3.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 11700 bytes
Sia
Regular Member
 
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Unread postby Wingman » June 8th, 2009, 2:05 pm

Hi Sia,
I enjoy doing this... so no worries about the sunshine... and yes, I have been outside. ;)

I'm not sure what happened, but I see an old version of Adobe Reader Update Manager still being used... this could be a leftover from the previous install that was not removed when you uninstalled version 7.0.
Also, the current version of Adobe Reader is 9.1... yet your log indicates version 9.0... did you use the link I provided? When I use it, it points to the 9.1 version.
Just some food for thought... we can look into this later... even using version 9.0 is more secure than version 7.0.

I'm not sure what is causing your computer to hang when first starting up... it could be a variety of things that we can address... in a little while.
I'm more concerned about the Antivirus message you get after you start up... so let's perform a couple of cleanup steps to see if it helps.
Please perform the following steps.

Step 1.
ERUNT - Emergency Recovery Utility NT
This is a free program that allows you to keep a complete backup of your registry and restore it when needed. Very useful if Windows System Restore fails.
ERUNT utility program
Download:

  1. Please download ERUNT...by Lars Hederer. Save it to your desktop.
  2. Double-click erunt-setup.exe to run the install process.
  3. Install ERUNT by following the prompts.
  4. Use the default install settings... say "NO" to the section that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  5. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  6. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  7. Make sure that at least the first two check boxes are selected.
  8. Click on OK
  9. Then click on "YES" to create the folder.
Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start >> All Programs >> ERUNT.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK".
  5. At the prompt... reply "Yes".
    After a short duration, the "Registry backup is complete!" pop-up message will appear.
  6. Now click on "OK". A registry backup has now been created.

Step 2.
ComboFix - Cleanup
Time for some housekeeping...
  1. Click Start...select Run from the menu.
  2. Copy and paste the following into the text entry box:
    Combofix /u
  3. Click the OK button. (See image below as reference.)
  4. When shown the disclaimer, Select "2"

Step 3.
Please reboot your computer normally, now.

Tell me if you are still receiving the Antivirus message. If so... I need to know what it says.

Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14110
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: how to clean up obfuscator

Unread postby Sia » June 8th, 2009, 6:06 pm

Hi Wingman

Re Adobe - I did use your link and although on the desktop icon it identifies it as version 9, in the remove programs function it is identified as version 9.1. It seems to install 3 icons - Adobe Reader 9 installer File, Acrobat.com and then the Acrobat Reader 9. On the remove programs panel these are termed Acrobat.com, Adobe AIR and Adobe Reader 9.1.

I copied the text entry for the combofix and entered it in Run and it didn't come up with any options, it just uninstalled it. Was that meant to happen?

I'm still getting the antivirus message. Unfortunately I can't seem to get a proper report for it, it just says "1 threat identified and removed".

All the best
Sia
Sia
Regular Member
 
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Unread postby Sia » June 10th, 2009, 6:00 am

Hi again

Not sure if this helps at all - I've found the real time scanner log generated by my CA antivirus. It all dates from last year and nothing this year, which seems odd to me. Anyway, here it is and I have now cleared that and will see what new things come up.

Sia

24/05/2007 10:35:30 File infection: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\change.log.3 is HTML/Phishbank.AJS trojan. Deleted
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan. Deleted
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\Desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
04/03/2008 15:14:33 File infection: E:\My Documents\My Pictures\desktop.ini is INI/Helpud.CL trojan.
30/08/2008 15:47:23 File infection: C:\Documents and Settings\Sophia\Local Settings\Temporary Internet Files\Content.IE5\53GR9KRA\nav[1].jpg is Win32/LineageX!generic trojan.
30/08/2008 15:47:24 File infection: C:\DOCUME~1\Sophia\LOCALS~1\Temp\orz.exe is Win32/LineageX!generic trojan. Deleted
30/08/2008 15:47:24 File infection: C:\DOCUME~1\Sophia\LOCALS~1\Temp\orz.exe is Win32/LineageX!generic trojan.
30/08/2008 15:47:24 File infection: C:\DOCUME~1\Sophia\LOCALS~1\Temp\orz.exe is Win32/LineageX!generic trojan.
Sia
Regular Member
 
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Unread postby Sia » June 10th, 2009, 6:51 am

Oops - and I meant to add this one too from Ad-Aware live watch although again dates are not current:

MSG [4056] 2009/05/26 22:53:45: C:\windows\system32\wbem\proquota.exe (diagnosis: Malware family: Win32.Trojan.Agent) => Block
MSG [0800] 2009/05/29 14:17:42: C:\windows\system32\wbem\proquota.exe (diagnosis: Malware family: Win32.Trojan.Agent) => Block
MSG [3216] 2009/05/30 10:39:08: C:\windows\system32\wbem\proquota.exe (diagnosis: Malware family: Win32.Trojan.Agent) => Block
MSG [3972] 2009/05/30 12:14:49: C:\windows\system32\wbem\proquota.exe (diagnosis: Malware family: Win32.Trojan.Agent) => Block
Sia
Regular Member
 
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Unread postby Wingman » June 10th, 2009, 3:18 pm

Hi Sia,

Thanks for your explanation (Adobe Reader) I appreciate it. You've done exactly what you should have... so good work so far. ;)

Let's try to get a better handle on the antivirus message you're receiving.
Please perform the following steps.

Step 1.
Update your antivirus "virus definition files"
Open your antivirus application (CA Antivirus) and update it with the most recent virus detections.
This is probably done automatically, on a scheduled basis but I just want to make sure you are up-to-date.

Step 2.
Run a FULL Antivirus scan
  1. Start your antivirus software (CA Antivirus) and perform a full system scan.
    This will take a while, depending on the number of files you have, please let it finish.
    When the scan is finished, if a report is presented...
  2. Copy all of the report... Open Notepad... Paste the report in the Notepad window and save to your desktop.
  3. Copy and paste the saved scan results in your next reply.

Step 3.
Please include in your next reply:
  1. Scan results from your CA Antivirus scan
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14110
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: how to clean up obfuscator

Unread postby Wingman » June 14th, 2009, 9:59 am

3 Day Bump
Hello Sia...
It has been 3 or more days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
If, after 48 hrs., you have not replied to this thread... it will have to be closed!
Wingman
Admin/Teacher
 
Posts: 14110
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: how to clean up obfuscator

Unread postby Sia » June 18th, 2009, 5:25 pm

Hi Wingman
Been travelling and then our internet connection was down after a storm. Now back up. Will do last items and reply.
Please stay with me!
Sia
Sia
Regular Member
 
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Unread postby Sia » June 18th, 2009, 5:29 pm

Hi.
Actually I did the scan but forgot to post before I left. My antivirus is on auto update but I did the full update too.
Scan report follows
Thanks
Sia


Started scanning at 10/06/2009 21:25:16. Engine Ver: 31.6.0. Sig Ver:6551. Sig Date: 09/06/2009. ArcLib Ver: 8.0.1.1.
C:\hiberfil.sys - Could not open the file.
C:\pagefile.sys - Could not open the file.
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\MiniMessage\2 - Could not open the file.
C:\Documents and Settings\LocalService\NTUSER.DAT - Could not open the file.
C:\Documents and Settings\LocalService\ntuser.dat.LOG - Could not open the file.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - Could not open the file.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - Could not open the file.
C:\Documents and Settings\NetworkService\NTUSER.DAT - Could not open the file.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - Could not open the file.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - Could not open the file.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - Could not open the file.
C:\Documents and Settings\Sophia\NTUSER.DAT - Could not open the file.
C:\Documents and Settings\Sophia\ntuser.dat.LOG - Could not open the file.
C:\Documents and Settings\Sophia\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - Could not open the file.
C:\Documents and Settings\Sophia\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - Could not open the file.
C:\WINDOWS\system32\CatRoot2\edb.log - Could not open the file.
C:\WINDOWS\system32\CatRoot2\tmp.edb - Could not open the file.
C:\WINDOWS\system32\config\DEFAULT - Could not open the file.
C:\WINDOWS\system32\config\default.LOG - Could not open the file.
C:\WINDOWS\system32\config\SAM - Could not open the file.
C:\WINDOWS\system32\config\SAM.LOG - Could not open the file.
C:\WINDOWS\system32\config\SECURITY - Could not open the file.
C:\WINDOWS\system32\config\SECURITY.LOG - Could not open the file.
C:\WINDOWS\system32\config\SOFTWARE - Could not open the file.
C:\WINDOWS\system32\config\software.LOG - Could not open the file.
C:\WINDOWS\system32\config\SYSTEM - Could not open the file.
C:\WINDOWS\system32\config\system.LOG - Could not open the file.

Files Scanned: 246119
Files Infected: 0
Files Cleaned \ Deleted: 0
Files Quarantined: 0
Memory Infections: 0
Memory Infections Cleaned: 0
Boot Infections: 0
Boot Infections Cleaned: 0


Files not Cleaned\Deleted\Quarantined (Limit 100): 0

Finished scanning at 10/06/2009 22:05:42.
Sia
Regular Member
 
Posts: 25
Joined: May 13th, 2009, 5:02 pm

Re: how to clean up obfuscator

Unread postby Wingman » June 20th, 2009, 4:27 pm

Hi Sia,
Thanks for getting back to me. I know you can't do anything about storms... but if you know you are going to be away for a while, let me know in advance, if possible,
so we can keep this topic open. Don't worry, Sia... I'm going to stay with you. ;)

Please perform the following steps.
At times, Antivirus programs will flag some of the programs I'll ask you to download as being "an infection". Please be assured that any program I ask you to download and use... is safe.

Step 1.
Flash_Disinfector
  1. Please download Flash_Disinfector...by sUBs and save it to your desktop.
  2. Double click Flash_Disinfector.exe to run it. If prompted with "Do you want to run this file?" ...press the "Yes" button.
  3. Plug in your flash drive...when prompted.
  4. Flash_Disinfector will start disinfecting your flash and hard drives.
    This takes a few seconds. Your desktop will disappear in the meantime...this is normal.
  5. When done, a message "Done!" box will appear. Click the OK...button.
  6. Your desktop should now appear. If it doesn't, press (Ctrl + Shift + Esc) or (Ctrl+Alt+Delete) to open Task Manager.
    Click on File... then select New Task (Run...).
    In the "Create New Task" entry box...type in explorer.exe and press Enter. Your desktop should now appear.
Flash Disinfector, as a security measure, will put a file called Autorun.inf on your hard drive(s) and each removable drive it processed.
This prevents malicious software from putting its own "autorun.inf" file on the drive.

Note: This procedure should be performed on each flash drive you have, to prevent reinfection.

Once all flash drives have been disinfected... Reboot your computer normally... let me know if you continue to receive the CA Antivirus message.

Step 2.
Please include in your next reply:
  1. Let me know if you are able to perform these instructions.
  2. Still get the CA Antivirus message at startup?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14110
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
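A way to audit the autorun.inf protection described in Step 1 above from the command line, as an added example that is not Flash_Disinfector's code and not part of the original thread; it assumes Windows PowerShell with WMI available, enumerates removable drives itself, and the placeholder contents and the $CreatePlaceholder switch are this example's own choices.

```powershell
# Added example (not Flash_Disinfector's own code): for every removable drive,
# report whether an autorun.inf is present, whether it is a file or a folder,
# and which [autorun] keys would make Windows launch something. Optionally
# drop an empty, read-only+hidden+system autorun.inf as a placeholder, in the
# spirit of the protective measure described above.
$CreatePlaceholder = $false     # set to $true to write the placeholder (assumption of this example)

function Get-AutorunInfo {
    param([Parameter(Mandatory=$true)][string]$Root)   # e.g. 'E:\'
    $path = Join-Path $Root 'autorun.inf'
    $result = New-Object PSObject -Property @{
        Drive = $Root; Present = $false; IsFolder = $false
        Attributes = $null; Launches = @()
    }
    if (-not (Test-Path -LiteralPath $path)) { return $result }
    $item = Get-Item -LiteralPath $path -Force          # -Force: it may be hidden/system
    $result.Present    = $true
    $result.IsFolder   = $item.PSIsContainer
    $result.Attributes = $item.Attributes
    if (-not $item.PSIsContainer) {
        # Keys under [autorun] that make Windows XP run something on insertion
        # or on double-click: open=, shellexecute=, shell\<verb>\command=
        $pattern = '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*='
        $result.Launches = @(Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
            Where-Object { $_ -match $pattern } | ForEach-Object { $_.Trim() })
    }
    return $result
}

function New-AutorunPlaceholder {
    param([Parameter(Mandatory=$true)][string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $path) { return $false }   # never overwrite an existing one
    # An [autorun] section with no keys launches nothing. ReadOnly+Hidden+System
    # means a naive "create file" by malware fails instead of silently winning.
    Set-Content -LiteralPath $path -Value '[autorun]' -Encoding Ascii
    (Get-Item -LiteralPath $path -Force).Attributes = 'ReadOnly, Hidden, System'
    return $true
}

# DriveType 2 = removable drives; the internal disk is handled by the tool itself.
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'            # DeviceID is 'E:', the functions want 'E:\'
    $info = Get-AutorunInfo -Root $root
    if (-not $info.Present) {
        Write-Output "$root : no autorun.inf"
        if ($CreatePlaceholder -and (New-AutorunPlaceholder -Root $root)) {
            Write-Output "$root : placeholder created"
        }
    }
    elseif ($info.IsFolder) {
        Write-Output "$root : autorun.inf is a folder ($($info.Attributes)) - protective placeholder"
    }
    else {
        Write-Output "$root : autorun.inf file ($($info.Attributes))"
        # Anything listed here is what Windows would execute; review it before trusting the drive.
        $info.Launches | ForEach-Object { Write-Output "    launches: $_" }
    }
}
```

Run it from an elevated PowerShell prompt with the flash drives plugged in; a drive that shows a "launches:" line pointing at an executable on the drive itself is the pattern the disinfector step is meant to stop.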