Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Hijacked computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: Hijacked computer

Unread postby geomareri » October 9th, 2009, 7:49 pm

Hi, below is the boot check,

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of boot.ini:
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top
Advertisement
Register to Remove

Re: Hijacked computer

Unread postby muppy03 » October 10th, 2009, 8:31 am

Open Notepad:- to do this:-
    Click start then run and type in the word notepad, then click ok.

Copy/paste the following text in the quote box below, into Notepad

[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect


Close the file, and approve the changes made when asked by Windows.

Save the file you just created. Name it boot.ini and save it directly to C:\ drive.

Do Not reboot yet!

Run Bootcheck.exe again and post the log it creates for review. It's important that you do not reboot the system until I've reviewed that log.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 10th, 2009, 8:44 am

Hi, here is the bootlog.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of C:\boot.ini:

[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top

Re: Hijacked computer

Unread postby muppy03 » October 10th, 2009, 8:59 am

Ok, looks good. Read through this next set of instructions and print them out if you're not sure you'll remember.

Reboot your system

* Upon reboot, you'll have 30 seconds to choose from the boot menu.
* Use your arrow key scoot on up to 1 /fastdect in the list and press Enter
* Wait for it to boot Windows.
* If you receive an error, click OK to restart the system

* Upon restart you will see the boot menu again. Arrow up to 2 /fastdetect and press Enter.
* Wait for Windows to boot. If you receive an error message, same as before, click OK to restart.

Continue using the arrow key, going in succession from 3 /fastdetect, etc., one at a time, until Windows boots up.

Come back and tell me which # worked for you.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 10th, 2009, 10:12 am

#1 and #7 worked
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top

Re: Hijacked computer

Unread postby muppy03 » October 12th, 2009, 3:22 am

Good. Now that we know which partition Windows is located in, we need to set it one more time.

Right click the C:\boot.ini and rename it to boot.bak

Open Notepad and copy/paste the text in the quote box below, into that empty Notepad:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Save this as boot.ini directly on the C:\ drive.

Run the Bootcheck.exe and post the report contents here for review. Do not reboot until I review that text.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 12th, 2009, 6:45 am

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of C:\boot.ini:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top

Re: Hijacked computer

Unread postby muppy03 » October 12th, 2009, 6:56 am

Looks good. Go ahead and reboot. Run ComboFix.exe again by double clicking it and follow the prompts again.

Post the C:\ComboFix.txt
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 13th, 2009, 7:11 pm

Hi, below is the combo fix log:

ComboFix 09-10-13.01 - Owner 10/13/2009 18:50.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3367.2885 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\jotytoru._sy
c:\program files\Common Files\sevuzez._sy
c:\windows\arev._sy
c:\windows\Installer\14531d9.msp
c:\windows\Installer\148532.msp
c:\windows\Installer\15313a9.msi
c:\windows\Installer\16aabf.msi
c:\windows\Installer\1ca54.msi
c:\windows\Installer\1f04a.msi
c:\windows\Installer\213b38.msi
c:\windows\Installer\23fa2.msi
c:\windows\Installer\23fa6.msi
c:\windows\Installer\2a13a.msi
c:\windows\Installer\3e197a.msi
c:\windows\Installer\3e197f.msi
c:\windows\Installer\3e1984.msi
c:\windows\Installer\3e1989.msi
c:\windows\Installer\3e198e.msi
c:\windows\Installer\3e1994.msi
c:\windows\Installer\3e19a1.msi
c:\windows\Installer\3e19aa.msi
c:\windows\Installer\3e19b0.msi
c:\windows\Installer\3e19b9.msi
c:\windows\Installer\3e19c1.msi
c:\windows\Installer\3e19c7.msi
c:\windows\Installer\3e19cc.msi
c:\windows\Installer\3e19d1.msi
c:\windows\Installer\3e19d7.msi
c:\windows\Installer\3e19e0.msi
c:\windows\Installer\3e19e5.msi
c:\windows\Installer\3e19ef.msi
c:\windows\Installer\3e19f4.msi
c:\windows\Installer\3e1a4a.msi
c:\windows\Installer\3e1a4f.msi
c:\windows\Installer\3e1a54.msi
c:\windows\Installer\3e1a60.msi
c:\windows\Installer\3e1afb.msi
c:\windows\Installer\3e1baf.msi
c:\windows\Installer\3e1bb5.msi
c:\windows\Installer\3e1bbc.msi
c:\windows\Installer\3e1bc2.msi
c:\windows\Installer\3e1c1a.msi
c:\windows\Installer\3e1c74.msi
c:\windows\Installer\3e1c79.msi
c:\windows\Installer\3e1c7e.msi
c:\windows\Installer\3e1c83.msi
c:\windows\Installer\3e1c88.msi
c:\windows\Installer\3e1c8d.msi
c:\windows\Installer\453629.msp
c:\windows\Installer\4d2e3.msi
c:\windows\Installer\4d32c.msp
c:\windows\Installer\4e35d.msi
c:\windows\Installer\88653.msi
c:\windows\Installer\92d73.msi
c:\windows\Installer\92d82.msi
c:\windows\Installer\92d92.msp
c:\windows\Installer\92d9b.msi
c:\windows\Installer\92db7.msi
c:\windows\system32\kesusar._sy
c:\windows\system32\utydycixi._sy
c:\windows\ufepevog.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-10 12:41 . 2009-10-10 12:41 422 ----a-w- C:\boot.bat
2009-10-09 23:00 . 2009-10-09 23:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-09 22:58 . 2009-10-10 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-09 22:33 . 2009-10-09 22:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2009-10-09 22:33 . 2009-10-09 22:33 262144 ----a-w- C:\ntuser.dat
2009-10-09 22:32 . 2009-10-09 22:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{3A7BA29C-BA4D-42FE-971B-A380559F8EB0}
2009-10-09 22:32 . 2009-10-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-06 23:57 . 2009-10-07 00:05 -------- d-----w- C:\XPSP2
2009-10-06 23:57 . 2009-10-07 00:00 -------- d-----w- C:\XPCD
2009-10-06 23:34 . 2009-10-06 23:35 -------- d-----w- C:\Combo-Fix18293C
2009-10-06 23:32 . 2009-10-06 23:33 -------- d-----w- C:\Combo-Fix19749C
2009-10-05 22:39 . 2009-10-06 23:18 -------- d-----w- C:\Combo-Fix
2009-10-05 00:26 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-05 00:26 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 14:33 . 2009-10-03 14:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-03 14:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 14:20 . 2009-10-03 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 14:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 13:58 . 2009-10-03 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 00:43 . 2009-10-02 00:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-09-28 23:57 . 2009-09-28 23:57 -------- d--h--w- c:\windows\PIF
2009-09-27 14:54 . 2009-09-29 00:30 1014172 ----a-w- c:\windows\system32\RegiCleanseUpdates.zip
2009-09-27 14:11 . 2009-09-27 14:11 -------- d-----w- c:\windows\system32\RegiCleanse
2009-09-27 14:11 . 1999-12-17 14:13 86016 ----a-w- c:\windows\unvise32.exe
2009-09-27 14:11 . 2009-10-02 23:54 -------- d-----w- c:\program files\RegiCleanse System Optimizer
2009-09-26 16:30 . 2009-05-22 04:58 287608 ----a-w- c:\windows\system32\drivers\Tmfilter.sys
2009-09-21 01:59 . 2009-09-21 01:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 18:12 . 2009-09-20 18:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{53C850E7-C2FC-47B3-B5D3-16BC9CAAFB49}
2009-09-20 18:09 . 2009-09-20 18:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-20 16:00 . 2009-09-20 16:00 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-20 15:56 . 2009-10-13 10:13 0 ----a-w- c:\windows\Xkeruraf.bin
2009-09-20 15:56 . 2009-10-13 10:13 120 ----a-w- c:\windows\Vlujipuzimocinex.dat
2009-09-20 15:55 . 2009-09-20 15:55 17101 ----a-w- c:\windows\zuwiref.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 14:26 . 2009-08-02 16:22 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-10-09 23:01 . 2008-08-03 12:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-09 22:33 . 2008-08-03 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-09 22:33 . 2008-08-03 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-10-09 22:32 . 2008-08-03 18:10 -------- d-----w- c:\program files\Yahoo!
2009-10-05 22:15 . 2008-08-03 14:33 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-10-03 15:53 . 2008-08-23 03:55 5072 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-10-03 13:50 . 2009-01-24 01:25 -------- d-----w- c:\program files\Vuze
2009-09-26 16:21 . 2008-08-02 20:00 62904 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 22:06 . 2008-08-03 13:47 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-09-20 22:06 . 2008-08-03 13:47 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-09-20 22:06 . 2008-08-03 13:47 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-20 16:01 . 2009-09-20 16:01 19905 ----a-w- c:\documents and settings\Owner\Application Data\avydo.dat
2009-09-20 16:01 . 2009-09-20 16:01 15337 ----a-w- c:\program files\Common Files\egaxog.lib
2009-09-20 15:55 . 2009-06-20 15:55 44970 --sha-w- c:\windows\system32\vedilune.exe
2009-09-20 15:55 . 2009-09-20 15:55 18120 ----a-w- c:\program files\Common Files\icuhi.lib
2009-09-20 15:50 . 2009-01-24 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-03-22 01:03 . 2009-03-22 01:03 1911328 -c--a-w- c:\program files\ImgBurn.rar
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_00.53.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-09 23:02 . 2009-10-09 23:02 21504 c:\windows\Installer\1d53cf.msi
+ 2009-10-09 23:00 . 2009-10-09 23:00 27648 c:\windows\Installer\1d53c4.msi
+ 2009-10-06 23:17 . 2009-10-06 23:18 669852 c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-18 20:05 . 2009-01-18 20:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2009-10-09 23:03 . 2009-10-09 23:03 6653952 c:\windows\Installer\1d53f5.msp
+ 2009-10-09 23:04 . 2009-10-09 23:04 1697792 c:\windows\Installer\1d53f4.msp
+ 2009-10-09 23:02 . 2009-10-09 23:02 3938816 c:\windows\Installer\1d53ca.msi
+ 2008-12-18 20:48 . 2008-12-18 20:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 20:37 . 2009-02-27 20:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-12 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-12 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-27 98304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Crutopit"="c:\windows\ufepevog.dll" [BU]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-12-28 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-12-28 106496]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli adet420.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/3/2008 9:47 AM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/16/2008 12:39 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/16/2008 12:39 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/3/2008 9:48 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/3/2008 9:48 AM 648456]
S2 gupdate1c9f83192256a02;Google Update Service (gupdate1c9f83192256a02);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/3/2009 10:20 AM 38224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\py6l8vp7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - HiddenExtension: XULRunner: {3A7BA29C-BA4D-42FE-971B-A380559F8EB0} - c:\documents and settings\Owner\Local Settings\Application Data\{3A7BA29C-BA4D-42FE-971B-A380559F8EB0}
FF - HiddenExtension: XULRunner: {53C850E7-C2FC-47B3-B5D3-16BC9CAAFB49} - c:\documents and settings\Administrator\Local Settings\Application Data\{53C850E7-C2FC-47B3-B5D3-16BC9CAAFB49}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 18:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-448539723-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1208)
c:\windows\adet420.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\adet420.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-10-13 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 23:06
ComboFix2.txt 2009-10-05 00:59

Pre-Run: 17,370,150,912 bytes free
Post-Run: 17,296,888,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

269 --- E O F --- 2009-09-10 21:45
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top

Re: Hijacked computer

Unread postby muppy03 » October 14th, 2009, 5:20 am

when I power up my PC, a black screen is present and for a split second shows in the upper left corner "Invalid Boot.INI File"

Has that error message gone now?


Please go to Virus Total <http://www.virustotal.com/> or Jotti
and upload c:\windows\adet420.dll for scanning.

For Virus Total
1. Please copy and paste c:\windows\adet420.dll in the text box next to the Browse button.
2. Click on Send File.

For Jotti
1. Please copy and paste c:\windows\adet420.dll in the text box next to the Browse button.
2. Click on Submit.

Please post back the results of the scan in your next post.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Please reply with:-
  • Jotti/ virus total results
  • Gooredfix.txt
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 14th, 2009, 6:56 am

Yes the "Invalid Boot.INI File" no longer appears on startup.

Virus Total
File adet420.dll received on 2009.10.14 10:46:28 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 32/41 (78.05%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:


Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.14 Trojan.Win32.Hiloti!IK
AhnLab-V3 5.0.0.2 2009.10.13 Win-Trojan/Mufanom.48640.C
AntiVir 7.9.1.35 2009.10.14 TR/Dldr.Mufanom.dfq
Antiy-AVL 2.0.3.7 2009.10.14 Trojan/Win32.Mufanom.gen
Authentium 5.1.2.4 2009.10.14 W32/Hiloti.G
Avast 4.8.1351.0 2009.10.13 Win32:Hilot
AVG 8.5.0.420 2009.10.14 Downloader.Generic8.BTZZ
BitDefender 7.2 2009.10.14 Trojan.Generic.2448886
CAT-QuickHeal 10.00 2009.10.14 Trojan.Agent.ATV
ClamAV 0.94.1 2009.10.14 -
Comodo 2599 2009.10.13 TrojWare.Win32.TrojanDownloader.Mufanom.dfs
DrWeb 5.0.0.12182 2009.10.14 Trojan.DownLoad.47337
eSafe 7.0.17.0 2009.10.13 -
eTrust-Vet 35.1.7067 2009.10.14 -
F-Prot 4.5.1.85 2009.10.13 W32/Hiloti.G
F-Secure 8.0.14470.0 2009.10.14 Trojan-Downloader.Win32.Mufanom.dfs
Fortinet 3.120.0.0 2009.10.14 W32/Mufanom.DFS!tr.dldr
GData 19 2009.10.14 Trojan.Generic.2448886
Ikarus T3.1.1.72.0 2009.10.14 Trojan.Win32.Hiloti
Jiangmin 11.0.800 2009.10.08 TrojanDownloader.Mufanom.os
K7AntiVirus 7.10.869 2009.10.13 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.10.14 Trojan-Downloader.Win32.Mufanom.dfs
McAfee 5770 2009.10.13 Generic Downloader.x!bnr
McAfee+Artemis 5770 2009.10.13 Generic Downloader.x!bnr
McAfee-GW-Edition 6.8.5 2009.10.14 Heuristic.LooksLike.Trojan.Dldr.Mufanom.B
Microsoft 1.5101 2009.10.14 Trojan:Win32/Hiloti.gen!A
NOD32 4506 2009.10.14 Win32/Cimag.W
Norman 6.01.09 2009.10.13 -
nProtect 2009.1.8.0 2009.10.14 Trojan-Downloader/W32.Mufanom.48640.C
Panda 10.0.2.2 2009.10.14 Suspicious file
PCTools 4.4.2.0 2009.10.13 -
Prevx 3.0 2009.10.14 Medium Risk Malware
Rising 21.51.22.00 2009.10.14 -
Sophos 4.46.0 2009.10.14 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.10.14 Trojan.Win32.Generic!VS
Symantec 1.4.4.12 2009.10.14 Trojan Horse
TheHacker 6.5.0.2.041 2009.10.14 -
TrendMicro 8.950.0.1094 2009.10.14 -
VBA32 3.12.10.11 2009.10.13 Bscope.Malware-Cryptor.Tip
ViRobot 2009.10.14.1984 2009.10.14 -
VirusBuster 4.6.5.0 2009.10.13 Trojan.DL.Mufanom.AFL
Additional information
File size: 48640 bytes
MD5...: d8992274d950f1de8c1033808b354d04
SHA1..: 8ae0a04d80ef0f3ba6ba872d7635e320ba2bcf1a
SHA256: 08269e1a9cfdc1b9e8e531f201e0faa60fad0af85bf091e4105dc4af0d96ba88
ssdeep: 768:E80AfuOr7OaE6ONBP8a9Q9hJvloIB7J7QdL3I1nZTVPA0TgIJR53Q/6ZWNgf
ax4a:E8jaKODP8aghpOY9UoVh53Q/e7W4o9

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6e14
timedatestamp.....: 0x49e6eb7c (Thu Apr 16 08:25:32 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa000 0x9400 7.69 e508b7fe09826d8e9073d305317aea8c
.data 0xb000 0x2000 0x2000 4.62 002bec591a5158449b6ca9369214b3ba
.rsrc 0xd000 0x1000 0x400 3.13 6d679a29b4c088f4e1b768a831f05178
.reloc 0xe000 0x1000 0x200 1.81 8a6cbd23a96be352c0c78c2030914ccc

( 5 imports )
> KERNEL32.dll: EnterCriticalSection, ExitProcess, FindResourceA, GetACP, GetCommandLineA, GetModuleHandleA, GetNumberFormatA, GetOEMCP, GetStartupInfoA, GlobalUnlock, HeapAlloc, HeapCreate, LoadResource, LockResource, MapViewOfFile, MultiByteToWideChar, RtlUnwind, SetLastError, SetStdHandle, SetThreadAffinityMask, SetUnhandledExceptionFilter
> msvcrt.dll: __p__commode, __set_app_type, malloc, realloc, strspn, __p__fmode
> user32.dll: FindWindowExA, GetFocus, DefDlgProcA, GetPropA, LoadIconA, LoadImageA, SendMessageA, ShowWindow, EndPaint, DestroyIcon
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathFileExistsA, PathFindOnPathA, SHOpenRegStreamA, SHSetValueA, StrChrA, StrSpnA, StrStrIA

( 2 exports )
W32N_GetNetCardRegistryPath, W32N_GetNextAdapterRegistryInfo

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: user
copyright....: Copyright _ 2006
product......: user DataAccessMgrAPI
description..: DataAccessMgrAPI
original name: DataAccessMgrAPI.dll
internal name: DataAccessMgrAPI
file version.: 1, 0, 0, 9
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=E2B7B1F000B82B43BEE8005530768500A022A271' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=E2B7B1F000B82B43BEE8005530768500A022A271</a>

Goored Fix file
GooredFix by jpshortstuff (24.09.09.1)
Log created at 06:53 on 14/10/2009 (Owner)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{3A7BA29C-BA4D-42FE-971B-A380559F8EB0} -> Success!
Deleting C:\Documents and Settings\Owner\Local Settings\Application Data\{3A7BA29C-BA4D-42FE-971B-A380559F8EB0} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{53C850E7-C2FC-47B3-B5D3-16BC9CAAFB49} -> Success!
Deleting C:\Documents and Settings\Administrator\Local Settings\Application Data\{53C850E7-C2FC-47B3-B5D3-16BC9CAAFB49} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:43 02/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:15 AM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Crutopit] rundll32.exe "C:\windows\ufepevog.dll",Startup
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Google Update Service (gupdate1c9f83192256a02) (gupdate1c9f83192256a02) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7034 bytes
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top

Re: Hijacked computer

Unread postby muppy03 » October 14th, 2009, 7:39 am

After you have done the following please update me on how computer is running?

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    O4 - HKLM\..\Run: [Crutopit] rundll32.exe "C:\windows\ufepevog.dll",Startup


Once selected close all windows except HJT an click on Fix Checked


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
c:\windows\Xkeruraf.bin
c:\windows\Vlujipuzimocinex.dat
c:\windows\zuwiref.dat
c:\documents and settings\Owner\Application Data\avydo.dat
c:\program files\Common Files\egaxog.lib
c:\windows\system32\vedilune.exe
c:\program files\Common Files\icuhi.lib
c:\windows\ufepevog.dll
c:\windows\adet420.dll
 
Folder::
c:\documents and settings\Owner\Application Data\Azureus
c:\program files\Vuze

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Crutopit"=-

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Combofix log
  • New HJT log
  • Update on how computer is running
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 14th, 2009, 7:30 pm

Hi, my computer seems to running normally now. Thank you. The files and folders you had me drop into combofix; were they damaged or encoded spyware/viruses? Before you had me perform this last action I was getting "RUNDLL Error Loading C:\Windows\ufepevog.dll The specified module could not be found" on windows startup. This is now no longer an issue. Below are the Hijackthis and combofix log...

ComboFix 09-10-14.04 - Owner 10/14/2009 19:00.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3367.2907 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\documents and settings\Owner\Application Data\avydo.dat"
"c:\program files\Common Files\egaxog.lib"
"c:\program files\Common Files\icuhi.lib"
"c:\windows\adet420.dll"
"c:\windows\system32\vedilune.exe"
"c:\windows\ufepevog.dll"
"c:\windows\Vlujipuzimocinex.dat"
"c:\windows\Xkeruraf.bin"
"c:\windows\zuwiref.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\avydo.dat
c:\documents and settings\Owner\Application Data\Azureus
c:\documents and settings\Owner\Application Data\Azureus\.certs
c:\documents and settings\Owner\Application Data\Azureus\.keystore
c:\documents and settings\Owner\Application Data\Azureus\.lock
c:\documents and settings\Owner\Application Data\Azureus\active\21DB66F63ABF314C6E00797AFC0EEB523069401B.dat
c:\documents and settings\Owner\Application Data\Azureus\active\21DB66F63ABF314C6E00797AFC0EEB523069401B.dat.bak
c:\documents and settings\Owner\Application Data\Azureus\active\3ED1CC9830BDEFFFD3324BA35062DB277D37FB3E.dat
c:\documents and settings\Owner\Application Data\Azureus\active\3ED1CC9830BDEFFFD3324BA35062DB277D37FB3E.dat.bak
c:\documents and settings\Owner\Application Data\Azureus\active\cache.dat
c:\documents and settings\Owner\Application Data\Azureus\azureus.config
c:\documents and settings\Owner\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Owner\Application Data\Azureus\azureus.config.saving
c:\documents and settings\Owner\Application Data\Azureus\azureus.statistics
c:\documents and settings\Owner\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Owner\Application Data\Azureus\banips.config
c:\documents and settings\Owner\Application Data\Azureus\banips.config.bak
c:\documents and settings\Owner\Application Data\Azureus\cache\381727708.ico
c:\documents and settings\Owner\Application Data\Azureus\cnetworks.config
c:\documents and settings\Owner\Application Data\Azureus\devices.config
c:\documents and settings\Owner\Application Data\Azureus\devices.config.bak
c:\documents and settings\Owner\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Owner\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Owner\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Owner\Application Data\Azureus\dht\general.dat
c:\documents and settings\Owner\Application Data\Azureus\dht\version.dat
c:\documents and settings\Owner\Application Data\Azureus\downloads.config
c:\documents and settings\Owner\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Owner\Application Data\Azureus\filters.config
c:\documents and settings\Owner\Application Data\Azureus\friends.config
c:\documents and settings\Owner\Application Data\Azureus\friends.config.bak
c:\documents and settings\Owner\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Owner\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\Friends_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_Engine_3266225919.txt
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Owner\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\Owner\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\Subscriptions_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.CMsgr_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.emp_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.MD_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.PMsgr_2.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\v3.STres_1.log
c:\documents and settings\Owner\Application Data\Azureus\logs\WP_xsearch_1.log
c:\documents and settings\Owner\Application Data\Azureus\media\azpd\4AOTVHKOXH5HYTT4VL3PBGWYOCJYQF6K.azpd
c:\documents and settings\Owner\Application Data\Azureus\media\azpd\MXJWMQLJ7KXBJMNPAJLRNDX2CWA6ZTK6.azpd
c:\documents and settings\Owner\Application Data\Azureus\media\azpd\T4JYEWPEG64YY4ZXVMS35BI54YUFLAES.azpd
c:\documents and settings\Owner\Application Data\Azureus\metasearch.config
c:\documents and settings\Owner\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Owner\Application Data\Azureus\net\pm_11426.dat
c:\documents and settings\Owner\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Owner\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Owner\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Owner\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Owner\Application Data\Azureus\subs\03D8F22765B9E59B32A1.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\047969C2F30A401262F9.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\08B7E1A245FAAA4C1EDC.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\177D97ABD20DFF1C1109.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\17D053E4AF421BFD8B27.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\19D197C718E86D5B1B15.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\1B3A550E1FDB9D742C65.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\22359AD4380630DE8A40.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\23113C48F815F25FF852.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\23113C48F815F25FF852.vuze.2
c:\documents and settings\Owner\Application Data\Azureus\subs\23113C48F815F25FF852.vuze.bak
c:\documents and settings\Owner\Application Data\Azureus\subs\23874448F3148CDD35E7.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\271E92AFDBD73D248E67.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\295735F98560C1D42F24.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\2AA584663DC7C2DE32EE.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\39554085B8E2EE6D631B.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\3B71B7394C152CD8E1DD.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\447229A3A371779E8871.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\4CE0839375CB605B3C64.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\4E2C3C2A5F4FCEA9E199.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\53D74B2B7421ACF8B446.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\6422D03196C2B19C0D74.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\6CE4CD4B41EB765CCBCF.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\7076DB20A5F225DDB82C.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\745F6E1D6E3B69A353E3.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\7CD984994CA61B4298FC.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\81136BEEE66A32A5CB53.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\813864B48EA2A46A1C48.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\8DE6E5753F5ADF094F49.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\9167E16C9B7944056AC7.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\9317B3DF092285BAE7CE.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\9536237799C938A1CC7D.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\95B34C1A1F40931D0972.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\970722C57F2EBEFA096B.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\A1C6BE071DCE85B9636E.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\A57341AB2AA7A98D5F19.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\A944E6E027737E4EEB85.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\AB77A8E82C63A68AF3AB.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\ADC9B51FE03726160ED8.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\BC4AF73659C585221827.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\BD0B879734390F7414C4.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\C732D6BA9C09C29B2FA3.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\CC14D5EF11EB663649DD.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\CF9C193A50DD099E1FCC.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\D1398C18A77AD0F70C8D.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\D52A24EE42E3641453B5.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\DB17EB2B2FA2FDD5F2FE.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\DB8DC1EB2722421C9454.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\E67D8443DF3B6D5C02B4.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\E8139A68B1EC9E7A6DAD.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\EC04AE2313D66A13A488.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\EECADD9945BFCC6D5E08.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\F8B566BCA64E84B4B29C.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\F8B566BCA64E84B4B29C.vuze.2
c:\documents and settings\Owner\Application Data\Azureus\subs\FB411BC9F6005CA814D8.vuze
c:\documents and settings\Owner\Application Data\Azureus\subs\FD6CF4E3E1FFB5A69D5A.vuze
c:\documents and settings\Owner\Application Data\Azureus\subscriptions.config
c:\documents and settings\Owner\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Owner\Application Data\Azureus\tables.config
c:\documents and settings\Owner\Application Data\Azureus\tables.config.bak
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6638.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6639.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6640.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6641.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6642.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6643.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6644.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6645.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6647.tmp
c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU6648.tmp\Vuze_4.2.0.8b_win32.exe
c:\documents and settings\Owner\Application Data\Azureus\tmp\speedTestTorrent.torrent
c:\documents and settings\Owner\Application Data\Azureus\torrents\[isoHunt]_Star.Wars.The.Force.Unleashed.USA.Wii-FATAL[1].torrent
c:\documents and settings\Owner\Application Data\Azureus\torrents\[WII]Guitar_Hero_World_Tour_[PAL][ESPALWII.com].rar_[mininova].torrent
c:\documents and settings\Owner\Application Data\Azureus\torrents\[WII]How.To.Burn.WII.Games-TPB.torrent
c:\documents and settings\Owner\Application Data\Azureus\torrents\1634499
c:\documents and settings\Owner\Application Data\Azureus\torrents\2039528
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU10630.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU10633.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU1173.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU21789.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU2730.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU30441.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU38702.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU38705.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU43153.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU60256.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU6570.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\AZU7930.tmp
c:\documents and settings\Owner\Application Data\Azureus\torrents\Facebreaker_K.O._Party_USA_Wii-VORTEX[www.TmasGames.com].torrent
c:\documents and settings\Owner\Application Data\Azureus\torrents\Guitar_Hero_5_USA_Wii-SUNSHiNE.torrent
c:\documents and settings\Owner\Application Data\Azureus\torrents\Stunning_Blonde_Teen_Girl_Auditions_For_Porn_Movies_XXX_Teen_Sex.torrent
c:\documents and settings\Owner\Application Data\Azureus\tracker.config
c:\documents and settings\Owner\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Owner\Application Data\Azureus\unsentdata.config
c:\documents and settings\Owner\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Owner\Application Data\Azureus\update.log
c:\documents and settings\Owner\Application Data\Azureus\update.properties
c:\documents and settings\Owner\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Owner\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Owner\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Owner\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\Common Files\egaxog.lib
c:\program files\Common Files\icuhi.lib
c:\program files\Vuze
c:\program files\Vuze\hs_err_pid2292.log
c:\program files\Vuze\hs_err_pid2356.log
c:\program files\Vuze\hs_err_pid3116.log
c:\program files\Vuze\hs_err_pid3268.log
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.zip
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.jar
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\mplayer\config
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.34
c:\program files\Vuze\plugins\azemp\plugin.properties_2.1.02
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.21.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.21.zip
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.17
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.21
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.5
c:\windows\adet420.dll
c:\windows\system32\vedilune.exe
c:\windows\Vlujipuzimocinex.dat
c:\windows\Xkeruraf.bin
c:\windows\zuwiref.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-10 12:41 . 2009-10-10 12:41 422 ----a-w- C:\boot.bat
2009-10-09 23:00 . 2009-10-09 23:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-09 22:58 . 2009-10-10 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-09 22:33 . 2009-10-09 22:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2009-10-09 22:33 . 2009-10-09 22:33 262144 ----a-w- C:\ntuser.dat
2009-10-09 22:32 . 2009-10-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-06 23:57 . 2009-10-07 00:05 -------- d-----w- C:\XPSP2
2009-10-06 23:57 . 2009-10-07 00:00 -------- d-----w- C:\XPCD
2009-10-06 23:34 . 2009-10-06 23:35 -------- d-----w- C:\Combo-Fix18293C
2009-10-06 23:32 . 2009-10-06 23:33 -------- d-----w- C:\Combo-Fix19749C
2009-10-05 22:39 . 2009-10-06 23:18 -------- d-----w- C:\Combo-Fix
2009-10-05 00:26 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-05 00:26 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 14:33 . 2009-10-03 14:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-03 14:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 14:20 . 2009-10-03 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 14:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 13:58 . 2009-10-03 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 00:43 . 2009-10-02 00:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-09-28 23:57 . 2009-09-28 23:57 -------- d--h--w- c:\windows\PIF
2009-09-27 14:54 . 2009-09-29 00:30 1014172 ----a-w- c:\windows\system32\RegiCleanseUpdates.zip
2009-09-27 14:11 . 2009-09-27 14:11 -------- d-----w- c:\windows\system32\RegiCleanse
2009-09-27 14:11 . 1999-12-17 14:13 86016 ----a-w- c:\windows\unvise32.exe
2009-09-27 14:11 . 2009-10-02 23:54 -------- d-----w- c:\program files\RegiCleanse System Optimizer
2009-09-26 16:30 . 2009-05-22 04:58 287608 ----a-w- c:\windows\system32\drivers\Tmfilter.sys
2009-09-21 01:59 . 2009-09-21 01:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 18:09 . 2009-09-20 18:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-20 16:00 . 2009-09-20 16:00 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 14:26 . 2009-08-02 16:22 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-10-09 23:01 . 2008-08-03 12:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-09 22:33 . 2008-08-03 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-09 22:33 . 2008-08-03 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-10-09 22:32 . 2008-08-03 18:10 -------- d-----w- c:\program files\Yahoo!
2009-10-05 22:15 . 2008-08-03 14:33 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-10-03 15:53 . 2008-08-23 03:55 5072 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-09-26 16:21 . 2008-08-02 20:00 62904 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 22:06 . 2008-08-03 13:47 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-09-20 22:06 . 2008-08-03 13:47 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-09-20 22:06 . 2008-08-03 13:47 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-03-22 01:03 . 2009-03-22 01:03 1911328 -c--a-w- c:\program files\ImgBurn.rar
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_00.53.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-09 23:02 . 2009-10-09 23:02 21504 c:\windows\Installer\1d53cf.msi
+ 2009-10-09 23:00 . 2009-10-09 23:00 27648 c:\windows\Installer\1d53c4.msi
+ 2009-10-06 23:17 . 2009-10-06 23:18 669852 c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-18 20:05 . 2009-01-18 20:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2009-10-09 23:03 . 2009-10-09 23:03 6653952 c:\windows\Installer\1d53f5.msp
+ 2009-10-09 23:04 . 2009-10-09 23:04 1697792 c:\windows\Installer\1d53f4.msp
+ 2009-10-09 23:02 . 2009-10-09 23:02 3938816 c:\windows\Installer\1d53ca.msi
+ 2008-12-18 20:48 . 2008-12-18 20:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 20:37 . 2009-02-27 20:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-12 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-12 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-27 98304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-12-28 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-12-28 106496]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/3/2008 9:47 AM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/16/2008 12:39 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/16/2008 12:39 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/3/2008 9:48 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/3/2008 9:48 AM 648456]
S2 gupdate1c9f83192256a02;Google Update Service (gupdate1c9f83192256a02);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/3/2009 10:20 AM 38224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\py6l8vp7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 19:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-448539723-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-10-14 19:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 23:15
ComboFix2.txt 2009-10-13 23:06
ComboFix3.txt 2009-10-05 00:59

Pre-Run: 17,296,015,872 bytes free
Post-Run: 17,240,166,400 bytes free

409 --- E O F --- 2009-09-10 21:45

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:40 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/d ... gctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Google Update Service (gupdate1c9f83192256a02) (gupdate1c9f83192256a02) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6799 bytes
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top

Re: Hijacked computer

Unread postby muppy03 » October 15th, 2009, 1:43 am

Ok we are on the home stretch now!

Hi, my computer seems to running normally now. Thank you. The files and folders you had me drop into combofix; were they damaged or encoded spyware/viruses? Before you had me perform this last action I was getting "RUNDLL Error Loading C:\Windows\ufepevog.dll The specified module could not be found" on windows startup. This is now no longer an issue

They were spyware remnants.

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


Once selected close all windows except HJT an click on Fix Checked


Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 16
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u16-windows-i586.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE) listed below in the code box.
    Code: Select all
    Java 2 Runtime Environment, SE v1.4.2
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    (If you use FireFox or the Opera browser,To keep saved passwords, click No at the prompt.)
    Click Exit on the Main menu to close the program.


Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply

Please reply with:-
  • Kaspersky
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: Hijacked computer

Unread postby geomareri » October 15th, 2009, 6:59 am

Hi, I could not find the older version of Java Runtime in my add/remove programs list-it's not there. I did a search and found in my C:/windows/downloaded programs files reminance of the older version. What should I do?
geomareri
Regular Member
 
Posts: 21
Joined: September 26th, 2009, 2:51 pm
Top
Advertisement
Register to Remove
PreviousNext
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 532 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index