I could use some help...

Post by Trif » July 10th, 2009, 3:44 pm

Google has been linking me to random websites, and it'll do this a few times before linking me to the actual link I clicked on. Then more recently my computer has decided to randomly restart without my consent. McAfee finds and deletes random things, but the problem persists.

Here is the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:12 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\ld12.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NSLU2 Flash Map Utility] C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [10855784] C:\Documents and Settings\All Users\Application Data\10855784\10855784.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6432] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6937] cmd.exe /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9223] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\user.ds"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3725] cmd.exe /c del "C:\WINDOWS\SYSTEM32\twain_32\user.ds"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9661] command.com /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3095] cmd.exe /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5167] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds.cla"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9473] cmd.exe /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds.cla"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\james\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2491] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9317] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\user.ds"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3999] cmd.exe /c del "C:\WINDOWS\SYSTEM32\twain_32\user.ds"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4366] command.com /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"
O4 - HKCU\..\RunOnce: [SpybotDeletingD546] cmd.exe /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4077] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds.cla"
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logo Calibration loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6989793828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6989910328
O23 - Service: McAfee Application Installer Cleanup (0145631239940372) (0145631239940372mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\014563~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 11121 bytes
Trif
Active Member
 
Posts: 6
Joined: July 10th, 2009, 3:37 pm
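As an added illustration (not part of the thread and not HijackThis's own code), the script below parses O4 Run/RunOnce lines like the ones in the log above and flags entries by where they launch from. The rules are assumptions about what usually deserves a second look: a temp directory, all-digit folder or file names, a non-executable extension, a file sitting directly in the Windows root, and the same executable registered in both the HKLM and HKCU Run keys. On the sample they surface the Temp, 10855784, net.net, ld12 and braviax entries, but they also flag legitimate UpdReg.EXE and qttask.exe, and braviax.exe is caught only through the duplicate-hive rule, which is why each hit still needs an analyst's judgement rather than automatic removal.

```python
"""Triage HijackThis O4 (Run / RunOnce) entries by where they launch from.

Added example: not part of the thread and not HijackThis's own code.
The sample lines are copied from the log posted above; the rules are
assumptions about what usually deserves a second look and only produce
candidates for an analyst to confirm, never a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the posted HijackThis log.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [10855784] C:\Documents and Settings\All Users\Application Data\10855784\10855784.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6432] command.com /c del "C:\WINDOWS\SYSTEM32\twain_32\local.ds"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\james\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
# Unquoted commands may contain spaces ("C:\Program Files\..."), so take the
# shortest prefix that ends in a dot-extension followed by whitespace or end.
UNQUOTED_RE = re.compile(r"^(.+?\.[A-Za-z0-9]{2,4})(?=\s|$)")
# Extensions one expects a Run value to point at directly (assumed list).
EXPECTED_EXT = {"exe", "com", "scr", "bat", "cmd", "pif"}


def launched_path(command):
    """Return the executable path from a Run value's command string."""
    m = QUOTED_RE.match(command) or UNQUOTED_RE.match(command)
    return m.group(1) if m else command.split()[0]


def location_reasons(path):
    """Location-based reasons a single entry deserves review (may be empty)."""
    parts = path.split("\\")
    parents = [p.lower() for p in parts[:-1]]
    stem, _, ext = parts[-1].rpartition(".")
    reasons = []
    if any(p in ("temp", "tmp") for p in parents):
        reasons.append("runs from a temp directory")
    if stem.isdigit() or any(p.isdigit() for p in parents):
        reasons.append("all-digit folder or file name")
    if ext.lower() not in EXPECTED_EXT:
        reasons.append("unusual extension ." + ext)
    if len(parts) == 3 and parents[0].endswith(":") and parents[1] == "windows":
        reasons.append("executable directly in the Windows root")
    return reasons


def triage(log_text):
    """Map file name -> set of reasons for every O4 Run/RunOnce entry that
    trips at least one rule. Entries that trip none are omitted."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, _value_name, command = m.groups()
            entries.append((hive, key, launched_path(command)))
    # Malware often registers the same file in both hives' Run keys.
    hives_by_path = defaultdict(set)
    for hive, key, path in entries:
        if key == "Run":
            hives_by_path[path.lower()].add(hive)
    findings = {}
    for hive, key, path in entries:
        reasons = location_reasons(path)
        if len(hives_by_path[path.lower()]) > 1:
            reasons.append("same executable in both HKLM and HKCU Run")
        if reasons:
            findings.setdefault(path.split("\\")[-1], set()).update(reasons)
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_O4_LINES).items()):
        print(f"{name}: {'; '.join(sorted(reasons))}")
```

Run it on a saved HijackThis log by passing the file's contents to `triage()`; the output is a review list, and the false positives it produces on this sample show why the helper in the thread names specific entries rather than relying on location alone.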

Re: I could use some help...

Post by askey127 » July 13th, 2009, 7:45 pm

Hi Trif,
You have a number of infections on the machine. There is a lot to do. Let's get started.
-----------------------------------------------------------
REBOOT Your Machine
-----------------------------------------------------------
Disable Ad-Aware Service
This will work for either version 2007 or 2008
Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type services.msc and click OK.
Under the Extended Tab, find one of these services, depending on which version you have:
Ad-Aware 2007 Service or Lavasoft Ad-Aware Service
Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Next to Service Status, click Stop.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled
Click Apply , then OK
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight this Entry, and choose Remove. You can re-install it when we are finished.

Spybot S&D

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\james\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [10855784] C:\Documents and Settings\All Users\Application Data\10855784\10855784.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Note: Save your work. TFC will automatically close any open programs. Let it run uninterrupted.
  • Double-click TFC.exe to run the program.
  • TFC will most likely require a Reboot. If prompted, click "Yes" to reboot.
The scan shouldn't take longer than a couple of minutes, and may only take a few seconds.
-----------------------------------------------------------
DISABLE MCAFEE SECURITY CENTER 7.1
Please navigate to the system tray and double-click the taskbar icon to open Security Center.
  • Click Advanced Menu (bottom mid-left).
  • Click Configure (left).
  • Click Computer & Files (top left).
  • VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
  • Do the same via Internet & Network for Firewall Plus.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system.
  • Download ComboFix from here and save it to your desktop
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy is located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: I could use some help...

Post by Trif » July 14th, 2009, 3:41 pm

Alright, I think I did everything correctly and came up with this log:

ComboFix 09-07-13.01 - james 07/14/2009 12:16.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.667 [GMT -7:00]
Running from: c:\documents and settings\james\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\caroline\Desktop\setup.exe
c:\documents and settings\james\XP Deluxe Protector
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\Installer\1c488f.msi
c:\windows\Installer\215e1.msi
c:\windows\Installer\21f082c.msi
c:\windows\Installer\45f62.msp
c:\windows\Installer\66434.msi
c:\windows\system32\Data
c:\windows\system32\gdi32lib.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\sdra64.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ws2_32.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-14 19:22 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-14 19:22 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-12 03:32 . 2009-07-12 03:32 1 ---h--w- c:\windows\bf23567.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 19:24 . 2006-04-24 00:56 -------- d-----w- c:\program files\BOINC
2009-07-14 18:49 . 2004-06-05 14:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 18:48 . 2004-06-05 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-14 05:30 . 2006-08-22 16:51 -------- d-----w- c:\program files\Trillian
2009-07-10 19:38 . 2005-10-05 23:03 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-02 01:54 . 2009-06-02 01:54 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-06-02 01:54 . 2009-06-02 01:54 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-06-02 01:54 . 2009-06-02 01:54 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-25 00:03 . 2009-05-25 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\90865776
2009-05-25 00:03 . 2009-05-25 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\10855784
2009-04-20 17:03 . 2003-03-14 17:55 93984 ----a-w- c:\documents and settings\james\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2003-04-13 15:03 . 2003-04-13 15:03 878991 ----a-w- c:\program files\iPEX.exe
2009-06-12 04:30 . 2008-12-14 06:06 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM95\aim.exe" [2002-11-14 61440]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-09-25 290816]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-03 212992]
"ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632]
"Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
"NSLU2 Flash Map Utility"="c:\program files\NSLU2 Flash Map Utility\StorageLink.exe" [2004-04-30 245760]
"SunServer"="c:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" [2005-09-24 282624]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-28 271672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

c:\documents and settings\caroline\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-7-18 299008]

c:\documents and settings\james\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2006-8-3 1966080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-3-11 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-3-11 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-2-25 24576]
Logo Calibration loader.lnk - c:\program files\color match\i1\i1Match2.0\calibrationloader\CalibrationLoader.exe [2004-1-24 516096]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2005-2-1 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NSLU2 Flash Map Utility\\StorageLink.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [3/22/2009 10:00 AM 55152]
S3 EyeOneDp;EyeOneDp;c:\windows\SYSTEM32\DRIVERS\EyeOneDp.sys [1/24/2004 6:22 PM 44344]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [2/28/2004 7:01 PM 11520]
S3 WUSB12;Instant Wireless Compact USB Adapter Driver;c:\windows\SYSTEM32\DRIVERS\LSWLUSB.sys [6/27/2003 1:45 PM 54083]
S4 0145631239940372mcinstcleanup;McAfee Application Installer Cleanup (0145631239940372);c:\windows\TEMP\014563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\014563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-06-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-12 20:32]

2008-06-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-12 20:32]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{076394AD-7FDD-44EF-A075-32C68DBAB99B} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\james\Application Data\Mozilla\Firefox\Profiles\5g2x8aav.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.org/start/
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???X??? ???(???x???????????????????H???P???? ?w? ?w)??p????????(????????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2520)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\AIM95\idlemon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\BOINC\boinc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-07-14 12:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 19:30
ComboFix2.txt 2008-12-16 20:55

Pre-Run: 23,525,306,368 bytes free
Post-Run: 23,492,313,088 bytes free

195 --- E O F --- 2009-06-02 06:07
Trif
Active Member
 
Posts: 6
Joined: July 10th, 2009, 3:37 pm
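The ComboFix log above reports that the system32 copy of ws2_32.dll differed from the copy kept under $NtServicePackUninstall$ and was restored, and that proquota.exe was missing and restored from ServicePackFiles. The following Python is an added example, not ComboFix's code, that performs the same kind of check: hash each live file, hash its known-good reference copy, and report `ok`, `mismatch` or `missing`. It builds a constructed pair of directories in a temp folder so it runs anywhere; the file names and contents are constructed, not taken from a real system.

```python
r"""Compare live system files against known-good reference copies.

Added example, not ComboFix's own code. Mirrors the step ComboFix reported
above (c:\windows\system32\ws2_32.dll differing from the
$NtServicePackUninstall$ copy, proquota.exe missing from system32) on
constructed temporary files. File names and contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_pairs(pairs):
    """pairs: iterable of (live_path, reference_path).

    Returns {basename: 'ok' | 'mismatch' | 'missing'}; a live file whose hash
    differs from its reference is 'mismatch', an absent live file is 'missing'.
    """
    results = {}
    for live, ref in pairs:
        name = os.path.basename(live)
        if not os.path.isfile(live):
            results[name] = "missing"
        elif sha256_of(live) == sha256_of(ref):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Build a constructed 'system32' tree beside a reference tree and check it."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    live_dir = os.path.join(root, "system32")
    ref_dir = os.path.join(root, "ServicePackFiles")
    os.makedirs(live_dir)
    os.makedirs(ref_dir)
    clean = b"CONSTRUCTED-CLEAN-IMAGE"
    names = ("ws2_32.dll", "proquota.exe", "kernel32.dll")
    for name in names:  # every reference copy is the clean image
        with open(os.path.join(ref_dir, name), "wb") as f:
            f.write(clean)
    # Live tree: ws2_32.dll altered, proquota.exe absent, kernel32.dll intact.
    with open(os.path.join(live_dir, "ws2_32.dll"), "wb") as f:
        f.write(clean + b"-ALTERED")
    with open(os.path.join(live_dir, "kernel32.dll"), "wb") as f:
        f.write(clean)
    pairs = [(os.path.join(live_dir, n), os.path.join(ref_dir, n)) for n in names]
    return check_pairs(pairs)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

On a real machine the reference side would be the service pack cache (the ServicePackFiles\i386 or $NtServicePackUninstall$ folders named in the log) rather than a constructed directory, and a `mismatch` is a reason to restore from that copy and investigate, not proof on its own that the file is malicious.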

Re: I could use some help...

Post by askey127 » July 14th, 2009, 6:10 pm

Trif,
Good job so far.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the folder(s) shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.

C:\Windows\ld12.exe
C:\Windows\System32\braviax.exe
C:\Windows\System32\net.net

If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete or find.
-----------------------------------------------------------
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath.
Copy and paste this filepath:
C:\Documents and Settings\All Users\Application Data\10855784\10855784.exe

Then hit Submit or Upload, depending on the scanner.
The scan will take a while before the result comes up so please be patient.
Then copy and/or save the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html
or virus.org here: http://scanner.virus.org/
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, be sure that every item is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents. The logs are listed and named by time/date stamp.
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.

So we are looking for the results from the Jotti/Virustotal upload, and the log from Malwarebytes, as well as any observations, difficulties, etc.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: I could use some help...

Post by Trif » July 15th, 2009, 12:33 pm

Well I tried deleting those files but I couldn't even find them. Searches yielded no results on any of them.

The filepath for the file I was supposed to copy and paste to Jotti didn't exist either. All I could find in the folder was this: 19344534.glu

So I scanned that and came up with this:

This file has been scanned before. The results for this previous scan are listed below.


Filename: 19344534.glu
Status:
Scan finished. 2 out of 20 scanners reported malware.
Scan taken on: Thu 11 Jun 2009 10:59:07 (CET) Permalink

Additional Info:

File size: 64784 bytes
Filetype: Unknown
MD5: da7cd5eb249646333710ef3abd7d2ca6
SHA1: 5f1ea16640c1d77dbcc322fcac478baab3eb3ef3

The Malwarebytes log is here:

Malwarebytes' Anti-Malware 1.39
Database version: 2433
Windows 5.1.2600 Service Pack 3

7/15/2009 9:16:39 AM
mbam-log-2009-07-15 (09-16-39).txt

Scan type: Quick Scan
Objects scanned: 114468
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{00000000-dcff-5c02-c09a-837cd09a807c} (Backdoor.Bot.D) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{00000000-dcff-5c02-c09a-837cd09a807c} (Backdoor.Bot.D) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servicelayer (Trojan.PWS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe (Trojan.PWS) -> Delete on reboot.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

Re: I could use some help...

Unread postby askey127 » July 15th, 2009, 1:57 pm

Trif,
Unfortunately, as you can see from the Malwarebytes log, you have had a very dangerous infection, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
  • Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of the infection's backdoor functionality (i.e., remote control capability), the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet. (This infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry.)

If you do not have the resources to reinstall your Windows Operating System and would like me to continue the attempt to clean your machine, I will be happy to do so.
These infections are serious enough that removing them without damaging the Windows system is no sure thing. This is your choice to make.
The following articles may be of assistance in your decision: Should you have any questions, please feel free to ask.

We can check to see if the machine "appears" clean, but the caveat above is still true. If you decide to reformat, please let me know.
Reformatting is by far the safest choice.
------------------------------------------------------------
Download the latest version of Java SE Runtime Environment(JRE), and install it to your computer.
It is currently the 5th item on the page (the page changes often), called JRE 6 Update 14
Select Windows and multi-language, and check to agree to the license.
Choose Windows Offline installation version.
Download it, choose Save, and save it to your desktop.
Then double-click it, and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

I haven't done anything about it, but it is not at all clear to me that allowing BOINC on your machine is a totally safe choice.
Any kind of sharing with unknown networks or unknown machines should be viewed with the highest suspicion.

askey127

Re: I could use some help...

Unread postby Trif » July 16th, 2009, 9:23 pm

Well that sucks. I'd rather reformat as a last resort, though I see I may have no choice if I want my computer to be safe.

I tried installing the Java software but the connection to their servers died as soon as the download started so I dunno what was going on there. I'll try again later.

Kaspersky logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 16, 2009 19:51:23
Records in database: 2476197
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 94126
Threat name: 14
Infected objects: 39
Suspicious objects: 2
Duration of the scan: 02:34:25


File name / Threat name / Threats count
C:\Program Files\RealVNC\WinVNC\WinVNC.exe/C:\Program Files\RealVNC\WinVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\WinVNC\othread2.dll/C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\apps\vnc\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\mail.covad.net\Inbox Infected: Email-Worm.Win32.Dumaru.a 3
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\mail.covad.net\Inbox Infected: Trojan-Spy.HTML.Paylap.bj 2
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad-1.net\Inbox Infected: Email-Worm.Win32.NetSky.aa 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad-1.net\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad-1.net\Trash Infected: Email-Worm.Win32.NetSky.aa 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Inbox Infected: Email-Worm.Win32.Bagle.bb 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Inbox Infected: Net-Worm.Win32.Mytob.bf 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Junk Infected: Email-Worm.Win32.Bagle.ei 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Junk Infected: Email-Worm.Win32.Bagle.ek 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Trash Infected: Trojan-Spy.HTML.Smitfraud.a 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Trash Infected: Email-Worm.Win32.Bagle.bb 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Trash Infected: Net-Worm.Win32.Mytob.bf 1
C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunasInstallHelper.exe Infected: Trojan.Win32.KillAV.bgg 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gdi32lib.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.wfxo 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\net.net.vir Infected: Trojan-Clicker.Win32.VBiframe.rt 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir Infected: Trojan.Win32.Inject.agbb 1
C:\WINDOWS\Downloaded Installations\{947CE1EC-E178-4E36-B91A-D173F41B7AE2}\Sunbelt CounterSpy.msi Infected: Trojan.Win32.KillAV.bgg 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\mail.covad.net\Inbox Infected: Email-Worm.Win32.Dumaru.a 3
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\mail.covad.net\Inbox Infected: Trojan-Spy.HTML.Paylap.bj 2
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad-1.net\Inbox Infected: Email-Worm.Win32.NetSky.aa 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad-1.net\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad-1.net\Trash Infected: Email-Worm.Win32.NetSky.aa 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Inbox Infected: Email-Worm.Win32.Bagle.bb 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Inbox Infected: Net-Worm.Win32.Mytob.bf 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Junk Infected: Email-Worm.Win32.Bagle.ei 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Junk Infected: Email-Worm.Win32.Bagle.ek 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Trash Infected: Trojan-Spy.HTML.Smitfraud.a 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Trash Infected: Email-Worm.Win32.Bagle.bb 1
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\pop3.covad.net\Trash Infected: Net-Worm.Win32.Mytob.bf 1

The selected area was scanned.

And I'll probably get rid of BOINC. The safety of my computer takes a greater priority over the discovery of alien lifeforms.

Re: I could use some help...

Unread postby askey127 » July 17th, 2009, 6:20 am

Trif,
These e-mail folders have extremely serious infections present, and should not be saved and restored, or the infections will come back.
If you have any very critical e-mails in the caroline User you want to save, copy the text of each one into the clipboard (Ctrl+C), paste into Notepad (Ctrl+V) and save as a text file.

I know this instruction is unpleasant, but this is what you need to do:
Uninstall Thunderbird from Control Panel, Add/Remove Programs.
Then, you should delete all the contents of these folders (you can leave the empty folders). If any folders show in the contents, in addition to files, delete them all.

C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\
E:\backups\b1\netscape\caroline\4unnoduq.default\Mail\
C:\Qoobox\
-----------------------------------------------------------
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.

When all that is complete, you can download and re-install the latest version of Thunderbird from Mozilla.

Let me know how it goes, run a new Kaspersky scan, and post its log in a reply.
askey

Re: I could use some help...

Unread postby Trif » July 17th, 2009, 9:47 pm

Well I did everything and came out with this log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 17, 2009 21:28:15
Records in database: 2483545
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 93768
Threat name: 2
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:07:18


File name / Threat name / Threats count
C:\Program Files\RealVNC\WinVNC\WinVNC.exe/C:\Program Files\RealVNC\WinVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\WinVNC\othread2.dll/C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\apps\vnc\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunasInstallHelper.exe Infected: Trojan.Win32.KillAV.bgg 1
C:\WINDOWS\Downloaded Installations\{947CE1EC-E178-4E36-B91A-D173F41B7AE2}\Sunbelt CounterSpy.msi Infected: Trojan.Win32.KillAV.bgg 1

The selected area was scanned.

Re: I could use some help...

Unread postby askey127 » July 18th, 2009, 7:21 am

Those remaining detections from Kaspersky are what are called Heuristic in nature, and are not infections.
Your machine looks OK to me.
Just a word of warning - the Koobface worm you had comes from clicking on random Videos in MySpace or Facebook, and agreeing when it says you need to update your flash player.
It also ends up sending the same message to everyone on your friend list.

You should keep Malwarebytes AntiMalware, and run an update and scan every week or so. The paid version is very cheap and has auto updates as well as an incoming guard.
In that case, you may not need Spybot or Ad-Aware. When your McAfee subscription runs out, other good Antivirus providers are Avira (Antivir), ESET (Nod32), and Kaspersky.
Run the TFC application every week or so, or download a simpler temp file cleaner like ATF Cleaner.
Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.
Double-click ATF-Cleaner.exe or your shortcut to run the program.
Under Main, choose Select All
Click Empty Selected

If you use Firefox,
Click Firefox in the top bar, and choose Select All
Click on Empty Selected
NOTE: If you would like to keep any saved passwords, please click No at the prompt.

If you use Opera,
Click Opera in the top bar, and choose Select All
Click on Empty Selected
NOTE: If you would like to keep any saved passwords, please click No at the prompt.

When it tells you how much has been removed, click Exit from the Main window.

Good Luck,
askey127
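Added here as an illustration, not part of the thread and not the output of any tool mentioned in it: a small Python triage of report lines in the "File name / Threat name / Threats count" layout quoted above. It separates the "not-a-virus:" RemoteAdmin hits that askey127 treats as non-infections, the mail-store hits like those in the caroline profile that led to the Mail folders being deleted, objects already sitting in a quarantine folder, and everything else. The report lines are constructed copies of lines from the thread, and the bucket names are my own.

```python
import re
from collections import defaultdict

# Constructed sample (a shortened copy of lines quoted in the thread), in the
# "File name / Threat name / Threats count" layout of the Kaspersky report.
SAMPLE_REPORT = r"""
C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\apps\vnc\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad.net\Inbox Infected: Email-Worm.Win32.Bagle.bb 1
C:\Documents and Settings\caroline\Application Data\Thunderbird\Profiles\4unnoduq.default\Mail\pop3.covad-1.net\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\net.net.vir Infected: Trojan-Clicker.Win32.VBiframe.rt 1
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunasInstallHelper.exe Infected: Trojan.Win32.KillAV.bgg 1
The selected area was scanned.
"""

# Path may contain spaces, so match it non-greedily up to the verdict word.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Yield one dict per detection line; header/footer lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            det = m.groupdict()
            det["count"] = int(det["count"])
            yield det


def classify(det):
    """Bucket a detection the way the helper's replies reason about it.
    Bucket names are this example's own, not Kaspersky's."""
    path = det["path"].lower()
    if det["threat"].startswith("not-a-virus:"):
        # Riskware/remote-admin signature, not an infection: confirm the
        # owner installed it, otherwise treat it as suspicious.
        return "riskware"
    if "\\quarantine\\" in path:
        # Already neutralised by an earlier tool; the folder just gets deleted.
        return "quarantined"
    if "\\mail\\" in path:
        # Mail store (Inbox/Sent/Trash/Junk): infected messages inside one
        # mailbox file, which is why the whole folder was removed.
        return "mail_store"
    return "active"


def triage(text):
    """Return {bucket: [(path, threat, count), ...]} for a report."""
    buckets = defaultdict(list)
    for det in parse_report(text):
        buckets[classify(det)].append((det["path"], det["threat"], det["count"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)} object(s)")
        for path, threat, count in items:
            print(f"  {threat} x{count}  {path}")
```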

Re: I could use some help...

Unread postby Trif » July 19th, 2009, 4:07 pm

Interesting, since I almost never look at random videos on facebook, and I don't use myspace.

Oh well, I'll attempt to be more alert when browsing and to use the proper tools to keep my computer protected.

Thanks for all your help, I'm thankful for the assistance. I suppose I owe you a hug or batch of cookies or something.

I suppose this can be closed...

Re: I could use some help...

Unread postby askey127 » July 19th, 2009, 4:12 pm

Trif,
Hmmm, those cookies were good.
Thanks, and good luck.
askey

Re: I could use some help...

Unread postby NonSuch » July 23rd, 2009, 12:24 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.