Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Total XP security malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Total XP security malware

Unread postby jessf » March 31st, 2010, 5:52 pm

I have the Total XP Security virus on my computer. Annoying pop-ups keep coming up saying I need to purchase their fake program. Having so much trouble getting rid of it. Won't let me run a Malware removal program. Help! :(

Oh & I don't know if the two are related, but whenever I do a search on Firefox, and try to click on the search results, it redirects me to some bogus page.

Sorry I had to add part of my log as an image. It wouldn't let me post it otherwise.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:14:58 PM, on 3/31/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

Image

O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3345db50-a4df-4235-b436-11f0f717b913} -

C:\WINDOWS\System32\zulerudo.dll (file missing)
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} -

C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} -

C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [34fb7d53] rundll32.exe "C:\WINDOWS\System32\toretewo.dll",b
O4 - HKLM\..\Run: [riwituziyo] Rundll32.exe "C:\WINDOWS\System32\fureboze.dll",s
O4 - HKLM\..\Run: [CPM37c84ecf] Rundll32.exe "c:\windows\system32\dimisawo.dll",a
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [slypcnri] C:\Documents and Settings\jessc0125\Local Settings\Application

Data\orbkxh\uwdrsysguard.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [qgmgcfvj] C:\Documents and Settings\jessc0125\Local Settings\Application

Data\yfuppc\lwwlsftav.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search

Protection\SearchProtection.exe
O4 - HKCU\..\Run: [slypcnri] C:\Documents and Settings\jessc0125\Local Settings\Application

Data\orbkxh\uwdrsysguard.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [qgmgcfvj] C:\Documents and Settings\jessc0125\Local Settings\Application

Data\yfuppc\lwwlsftav.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

(User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [riwituziyo] Rundll32.exe "C:\WINDOWS\System32\fureboze.dll",s (User

'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

(User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

(User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SGD] "C:\WINDOWS\TEMP\wobebupi.exe" /cs:0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

/RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SGD] "C:\WINDOWS\TEMP\wobebupi.exe" /cs:0 (User 'Default

user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital

Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver -

res://C:\WINDOWS\System32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0A7469E8-9D33-4386-90A5-705E0E55C8F8} (IRHrm Class) -

http://healthyschools.net/HRMx/hrmctl.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) -

http://connect.comcast.com/dl/Comcast%2 ... ntrols.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -

http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) -

http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D52ABD80-4988-4C7D-84BF-E2D39090D0E1}:

NameServer = 217.23.14.75,4.2.2.1,192.168.1.254
O20 - AppInit_DLLs: tovuriro.dll
O20 - Winlogon Notify: acpiz - acpiz.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} -

c:\windows\system32\dimisawo.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} -

C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -

{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} -

c:\windows\system32\dimisawo.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program

Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program

Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common

Files\Motive\McciCMService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe

--
End of file - 8673 bytes
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm
Advertisement
Register to Remove

Re: Total XP security malware

Unread postby MWR 3 day Mod » April 3rd, 2010, 11:13 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Total XP security malware

Unread postby gringo_pr » April 4th, 2010, 10:33 pm

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

GMER:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan..
    Image
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

information and logs:

    In your next post I need the following

      1.logs from DDS
      2.log from GMER
      3.let me know of any problems you may have had

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 5th, 2010, 4:49 pm

I have included the dds.txt and the attach.txt logs.
I was able to download GMER, but the virus will not let me run it. Anytime I start running the program, it shuts it down & shuts my computer off. So I have no GMER log :?
You do not have the required permissions to view the files attached to this post.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 5th, 2010, 7:44 pm

Greeting

I would like you to try to run this rootkit scanner instead of GMER

RootRepeal - Rootkit Detector:

  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • Check the box for your main system drive (Usually C:), and Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

please send me this report


gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 6th, 2010, 7:46 am

I have been trying the RootRepeal but when I try to run it, it freezes my computer & Microsoft gives me a pop up that I don't have enough memory.

I will continue to try the RootRepeal and GMER to see if I can get them to work.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 6th, 2010, 9:26 am

Hello

There are infections showing in your logs. To take care of these infections do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:

      The Recovery Console was successfully installed.
    Please continue as follows:

    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"

    In your next post I need the following

    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 6th, 2010, 10:57 am

Well, I got home today & the virus is now not allowing me to open any .exe files. Combofix.exe won't open - it gives me an error that "windows cannot find it." Same thing happens when I try to open Firefox, IE, Microsoft Word, etc.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 6th, 2010, 4:36 pm

Greetings

exeHelper

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

rkill

    If you have an active internet connection, copy/paste the links below into your browser, don't click them or the rogue might redirect. If you don't have an active internet connection, download the tools from another machine, and transfer them to the affected machine via USB flash drive.

    There are 4 different versions. If one of them won't run then download and try to run the other one. You only need to get one of them to run, not all of them.

    http://download.bleepingcomputer.com/grinler/rkill.exe
    http://download.bleepingcomputer.com/grinler/rkill.com
    http://download.bleepingcomputer.com/grinler/rkill.scr
    http://download.bleepingcomputer.com/grinler/rkill.pif

    Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do it's job. This may take a few tries. You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.

    Once the tool has run, do NOT reboot the machine, and then try once again to run combofix

    If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

"information and logs"

    In your next post I need the following

    1. log fom exe helper
    2. log from rkill
    3. log from combofix
    4. let me know of any problems you may have had
    5. How is the computer doing now?

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 6th, 2010, 5:49 pm

I have included all 3 of the logs.

4. I did not have any problems
5. The computer appears to be doing much better. I am now able to open my .exe files. The virus did not pop up when Combofix rebooted my machine. It appears to be gone.

I am not sure if this is related, but I cannot login into Gmail. When I try to go to the gmail address, my computer gives me this error:

Not Found

The requested URL /accounts/ServiceLogin was not found on this server.
Apache/2.2.3 (Red Hat) Server at http://www.google.com Port 443


I thought this was because of the virus. Once I ran the Combofix and got rid of the virus, I was able to get onto Gmail. But a couple hours later, I tried to go into gmail, and I am now getting the same error again. Is this related to the virus?

Also, when I search something on Google, and click on one of my searches, it re-directs to some bogus page. Is this related to the virus?
You do not have the required permissions to view the files attached to this post.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 7th, 2010, 2:18 am

Greetings

MGADiag

Download the diagnostic tool MGADiag and save it to your desktop.

  • Double-click on MGADiag.exe.
  • Click Run and Run again.
  • Click Continue, then Copy.
  • Paste the report in your next reply.

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code: Select all
:filefind
*qmgr*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.0
    Coupon Printer for Windows
    J2SE Runtime Environment 5.0 Update 1
    Viewpoint Media Player


    and click on remove

Update Adobe Reader

    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
http://malwareremoval.com/forum/viewtopic.php?f=11&t=50437&p=515691#p515691

Collect::
c:\windows\system32\clipac32.dll
c:\documents and settings\All Users\Application Data\5ea4257\SG5ea4.exe
c:\windows\System32\acup.sys
c:\windows\system32\kekuzevi.dll
c:\windows\system32\kiropevu.dll
c:\windows\system32\wakanede.dll
c:\windows\system32\wobebupi.exe

Driver::
acup


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"

    In your next post I need the following

    1. Log from MGADiag
    2. log from combofix
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 7th, 2010, 8:44 am

MGAD log:

Diagnostic Report (1.9.0019.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-B3F99-4RJX2-BP8QW
Windows Product Key Hash: P+t4ipUKcskJsFywPBzHbtbTgLw=
Windows Product ID: 55277-OEM-2111907-00127
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {2FA93C80-871C-4DAD-99CA-F0EA344CA38E}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{2FA93C80-871C-4DAD-99CA-F0EA344CA38E}</UGUID><Version>1.9.0019.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BP8QW</PKey><PID>55277-OEM-2111907-00127</PID><PIDType>2</PIDType><SID>S-1-5-21-512882977-2594886-4002013715</SID><SYSTEM><Manufacturer>System Manufacturer</Manufacturer><Model>Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> SAP41 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030722******.******+***</Date><SLPBIOS>powerspec,WinBook</SLPBIOS></BIOS><HWID>D139382F0184A063</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Atlantic Standard Time(GMT-04:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Micro Electronics, Inc</name><model>PowerSpec</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>51B909A687F0862</Val><Hash>5oCCvtqkuXgicwqB9dr7DcKLVFA=</Hash><Pid>70141-049-3961063-56475</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 10134:Micro Electronics Inc|10134:Micro Electronics Incorporated
Marker string from OEMBIOS.DAT: powerspec,WinBook

OEM Activation 2.0 Data-->
N/A



SystemLook Log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:34 on 07/04/2010 by jessc0125 (Administrator - Elevation successful)

========== filefind ==========

Searching for "*qmgr*"
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat --a--- 5722 bytes [22:51 11/07/2003] [12:32 07/04/2010] (Unable to calculate MD5)
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat --a--- 5722 bytes [22:51 11/07/2003] [12:32 07/04/2010] (Unable to calculate MD5)
C:\Qoobox\Quarantine\C\WINDOWS\system32\qmgr.dll.vir --a--- 221696 bytes [22:21 14/05/2005] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\ERDNT\cache\qmgr.dll --a--- 221696 bytes [21:30 06/04/2010] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\I386\QMGR.DL_ -ra--- 87657 bytes [22:21 14/05/2005] [12:00 29/08/2002] D72233E5B7CBE57A9B49FA598F64FCFF
C:\WINDOWS\I386\QMGR.IN_ -ra--- 1251 bytes [22:21 14/05/2005] [12:00 29/08/2002] D558C1485F941D06EAAD5A6CF2E437E7
C:\WINDOWS\I386\QMGRPRXY.DL_ -ra--- 6635 bytes [22:21 14/05/2005] [12:00 29/08/2002] 5BA4E1344EB5AF970205BBD7A23F3C36
C:\WINDOWS\inf\qmgr.inf ------ 3208 bytes [04:19 08/07/2003] [19:00 29/08/2002] 6C951FBA5786E17F3E79CBC11203D3D3
C:\WINDOWS\inf\qmgr.PNF --a--- 8252 bytes [21:27 07/07/2003] [22:33 14/05/2005] E0BF6D58DBCB28227FB0D7A13A361D0D
C:\WINDOWS\system32\dllcache\qmgrprxy.dll --a--c 17408 bytes [22:21 14/05/2005] [12:00 29/08/2002] 6C49784B2B470F51472BA620510A05A8
C:\WINDOWS\system32\qmgr.dll ------ 221696 bytes [22:21 14/05/2005] [12:00 29/08/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\system32\qmgrprxy.dll --a--- 17408 bytes [22:21 14/05/2005] [12:00 29/08/2002] 6C49784B2B470F51472BA620510A05A8

-=End Of File=-


Combofix Log
ComboFix 10-04-05.06 - jessc0125 04/07/2010 8:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.735.519 [GMT -4:00]
Running from: c:\documents and settings\jessc0125\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jessc0125\Desktop\CFScript.txt

file zipped: c:\documents and settings\All Users\Application Data\5ea4257\SG5ea4.exe
file zipped: c:\windows\system32\kekuzevi.dll
file zipped: c:\windows\system32\kiropevu.dll
file zipped: c:\windows\system32\wakanede.dll
file zipped: c:\windows\system32\wobebupi.exe
.
The following files were disabled during the run:
c:\windows\System32\clipac32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\5ea4257\SG5ea4.exe
c:\windows\system32\fuhaleke.exe
c:\windows\system32\kekuzevi.dll
c:\windows\system32\kiropevu.dll
c:\windows\system32\wakanede.dll
c:\windows\system32\wobebupi.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACUP
-------\Service_acup


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 12:43 . 2010-04-07 12:43 -------- d-----w- c:\program files\Common Files\Java
2010-04-07 12:33 . 2010-04-07 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-03 01:53 . 2010-04-03 01:53 44032 ----a-w- c:\windows\system32\clipac32.dll.vir
2010-04-01 14:26 . 2010-04-06 21:21 -------- d-----w- c:\documents and settings\jessc0125\Local Settings\Application Data\avG
2010-03-31 23:14 . 2010-03-31 23:14 -------- d-----w- c:\program files\TrendMicro
2010-03-31 21:28 . 2010-03-31 21:28 -------- d-----w- c:\documents and settings\jessc0125\Application Data\Malwarebytes
2010-03-31 21:28 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 21:28 . 2010-03-31 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-31 21:28 . 2010-03-31 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-31 21:28 . 2010-03-29 20:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 19:14 . 2010-03-31 21:32 183808 --sha-w- c:\documents and settings\jessc0125\Local Settings\Application Data\4288942400.dll
2010-03-31 16:10 . 2010-04-07 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\5ea4257
2010-03-29 23:04 . 2010-03-29 23:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-03-28 17:14 . 2010-03-28 17:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-24 15:37 . 2010-03-24 15:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-23 16:33 . 2010-03-28 15:54 200704 --sha-w- c:\documents and settings\jessc0125\Local Settings\Application Data\128822158.dll
2010-03-23 16:31 . 2010-03-28 17:29 146304 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-23 16:26 . 2010-03-29 23:04 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-03-23 14:55 . 2010-03-23 14:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-03-23 14:55 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\LocalService\Application Data\ATTTOOLBAR
2010-03-23 14:55 . 2010-03-23 14:55 -------- d-----w- c:\windows\Favorites
2010-03-22 04:32 . 2010-03-22 04:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-03-22 04:31 . 2010-03-22 04:31 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2010-03-22 04:31 . 2010-03-23 02:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATTTOOLBAR
2010-03-22 04:31 . 2010-03-22 04:31 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2010-03-21 16:15 . 2010-03-21 16:15 -------- d-----w- c:\documents and settings\jessc0125\Application Data\Facebook
2010-03-20 12:56 . 2010-03-20 12:56 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-03-20 07:16 . 2010-03-20 07:16 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 12:43 . 2010-04-07 12:43 503808 ----a-w- c:\documents and settings\jessc0125\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-46c7edcb-n\msvcp71.dll
2010-04-07 12:43 . 2010-04-07 12:43 499712 ----a-w- c:\documents and settings\jessc0125\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-46c7edcb-n\jmc.dll
2010-04-07 12:43 . 2010-04-07 12:43 348160 ----a-w- c:\documents and settings\jessc0125\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-46c7edcb-n\msvcr71.dll
2010-04-07 12:43 . 2010-04-07 12:43 61440 ----a-w- c:\documents and settings\jessc0125\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-32742fe7-n\decora-sse.dll
2010-04-07 12:43 . 2010-04-07 12:43 12800 ----a-w- c:\documents and settings\jessc0125\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-32742fe7-n\decora-d3d.dll
2010-04-07 12:43 . 2005-06-06 21:57 -------- d-----w- c:\program files\Java
2010-04-07 12:38 . 2005-05-14 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-07 12:37 . 2008-05-01 19:15 -------- d-----w- c:\program files\Coupons
2010-04-06 00:10 . 2008-06-11 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-03-31 23:14 . 2010-03-31 23:14 388096 ----a-r- c:\documents and settings\jessc0125\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-29 01:30 . 2005-05-14 22:18 86912 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-28 16:04 . 2009-11-26 21:08 -------- d-----w- c:\program files\Spyware Doctor
2010-03-28 16:04 . 2009-11-26 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-28 15:40 . 2005-06-29 03:14 -------- d-----w- c:\documents and settings\jessc0125\Application Data\Lavasoft
2010-03-28 15:39 . 2007-02-05 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-28 15:37 . 2005-08-18 11:02 -------- d-----w- c:\program files\Common Files\AOL
2010-03-28 15:36 . 2005-07-07 01:35 -------- d-----w- c:\program files\Google
2010-03-28 15:33 . 2009-01-21 22:56 -------- d-----w- c:\documents and settings\jessc0125\Application Data\Move Networks
2010-03-28 15:32 . 2005-06-29 03:51 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-28 15:31 . 2003-07-08 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-28 15:31 . 2003-07-08 04:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-28 15:30 . 2003-07-08 04:48 -------- d-----w- c:\program files\Symantec
2010-03-28 15:29 . 2005-06-29 03:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-28 15:29 . 2005-06-29 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-28 15:21 . 2009-10-10 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-03-28 15:21 . 2005-06-09 00:08 -------- d-----w- c:\program files\Yahoo!
2010-03-28 15:20 . 2005-10-14 15:16 -------- d-----w- c:\documents and settings\jessc0125\Application Data\Yahoo!
2010-03-28 15:09 . 2009-10-31 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2010-03-28 13:34 . 2005-06-15 03:08 -------- d-----w- c:\program files\AIM
2010-03-28 13:33 . 2005-06-29 04:12 -------- d---a-w- c:\documents and settings\jessc0125\Application Data\AVG7
2010-03-28 13:32 . 2005-06-29 04:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG7
2010-03-28 13:32 . 2005-06-29 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2010-03-21 16:15 . 2010-03-21 16:15 50354 ----a-w- c:\documents and settings\jessc0125\Application Data\Facebook\uninstall.exe
2010-03-09 08:28 . 2009-01-25 21:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\jessc0125\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\jessc0125\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 03:54 . 2009-10-31 15:07 -------- d-----w- c:\documents and settings\jessc0125\Application Data\ATTToolbar
2010-02-14 02:47 . 2005-06-29 03:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 18:24 . 2010-01-16 18:24 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-01-16 18:18 . 2010-01-16 18:18 3106632 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\MyPalsPlugin.exe
2010-01-12 20:27 . 2010-01-15 14:16 52224 ----a-w- c:\documents and settings\jessc0125\Application Data\Mozilla\Firefox\Profiles\epyp8tj7.Default User\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
2010-01-12 20:27 . 2010-01-15 14:16 101376 ----a-w- c:\documents and settings\jessc0125\Application Data\Mozilla\Firefox\Profiles\epyp8tj7.Default User\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
2008-12-12 17:41 . 2007-01-03 21:22 168 --sha-r- c:\windows\system32\690A7241F3.sys
2008-12-12 17:41 . 2007-01-03 21:22 3662 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-06_21.24.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-07 12:55 . 2010-04-07 12:55 16384 c:\windows\Temp\Perflib_Perfdata_558.dat
- 2003-07-08 04:19 . 2010-04-06 21:24 53608 c:\windows\system32\perfc009.dat
+ 2003-07-08 04:19 . 2010-04-07 01:36 53608 c:\windows\system32\perfc009.dat
+ 2003-07-08 04:19 . 2010-04-07 01:36 383254 c:\windows\system32\perfh009.dat
- 2003-07-08 04:19 . 2010-04-06 21:24 383254 c:\windows\system32\perfh009.dat
+ 2010-04-07 12:43 . 2010-03-09 08:28 153376 c:\windows\system32\javaws.exe
+ 2010-04-07 12:43 . 2010-03-09 08:28 145184 c:\windows\system32\javaw.exe
+ 2010-04-07 12:43 . 2010-03-09 08:28 145184 c:\windows\system32\java.exe
+ 2005-05-14 22:36 . 2010-04-07 12:43 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2005-05-14 22:36 . 2005-05-14 22:32 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-04-07 12:43 . 2010-04-07 12:43 180224 c:\windows\Installer\25dd6d5.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-11 47104]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-09-25 111104]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"riwituziyo"="rifojehu.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
expacapp REG_SZ c:\windows\System32\clipac32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/30/2007 10:51 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/30/2007 10:51 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [5/30/2007 10:50 PM 40832]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [5/30/2007 10:51 PM 21632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2005-06-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-07-08 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://swagbucks.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\System32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {D52ABD80-4988-4C7D-84BF-E2D39090D0E1} = 217.23.14.75,4.2.2.1,192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A7469E8-9D33-4386-90A5-705E0E55C8F8} - hxxp://healthyschools.net/HRMx/hrmctl.cab
FF - ProfilePath - c:\documents and settings\jessc0125\Application Data\Mozilla\Firefox\Profiles\epyp8tj7.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Swag Bucks Customized Web Search
FF - prefs.js: browser.startup.homepage - swagbucks.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... 2260173&q=
FF - component: c:\documents and settings\jessc0125\Application Data\Mozilla\Firefox\Profiles\epyp8tj7.Default User\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\jessc0125\Application Data\Mozilla\Firefox\Profiles\epyp8tj7.Default User\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\jessc0125\Application Data\Mozilla\Firefox\Profiles\epyp8tj7.Default User\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\jessc0125\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{3345db50-a4df-4235-b436-11f0f717b913} - wakanede.dll
SafeBoot-acup.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 08:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(544)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\System32\PSIService.exe
c:\windows\System32\wdfmgr.exe
c:\windows\SOUNDMAN.EXE
c:\windows\System32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-04-07 09:00:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 13:00
ComboFix2.txt 2010-04-06 21:32

Pre-Run: 17,249,730,560 bytes free
Post-Run: 17,223,270,400 bytes free

- - End Of File - - 0C8F467BD6F5A73158FE1BC3E2B40A76


3. I did not have any problems.
4. The computer is still giving me the "Not Found" error for my Gmail, and I am still re-directed to ad sites when I search from a search engine.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 7th, 2010, 8:16 pm

Greetings

I need you to go here and validate windows - http://www.microsoft.com/Genuine/

please read here - http://www.malwareremoval.com/forum/vie ... 11&t=50380

after you have validated windows please rerun this program

MGADiag

  • Double-click on MGADiag.exe.
  • Click Run and Run again.
  • Click Continue, then Copy.
  • Paste the report in your next reply.

thanks gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 7th, 2010, 10:34 pm

MGAD Report

Diagnostic Report (1.9.0019.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-B3F99-4RJX2-BP8QW
Windows Product Key Hash: P+t4ipUKcskJsFywPBzHbtbTgLw=
Windows Product ID: 55277-OEM-2111907-00127
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {2FA93C80-871C-4DAD-99CA-F0EA344CA38E}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{2FA93C80-871C-4DAD-99CA-F0EA344CA38E}</UGUID><Version>1.9.0019.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-BP8QW</PKey><PID>55277-OEM-2111907-00127</PID><PIDType>2</PIDType><SID>S-1-5-21-512882977-2594886-4002013715</SID><SYSTEM><Manufacturer>System Manufacturer</Manufacturer><Model>Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version> SAP41 </Version><SMBIOSVersion major="2" minor="3"/><Date>20030722******.******+***</Date><SLPBIOS>powerspec,WinBook</SLPBIOS></BIOS><HWID>D139382F0184A063</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Atlantic Standard Time(GMT-04:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Micro Electronics, Inc</name><model>PowerSpec</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>51B909A687F0862</Val><Hash>5oCCvtqkuXgicwqB9dr7DcKLVFA=</Hash><Pid>70141-049-3961063-56475</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 10134:Micro Electronics Inc|10134:Micro Electronics Incorporated
Marker string from OEMBIOS.DAT: powerspec,WinBook

OEM Activation 2.0 Data-->
N/A
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 8th, 2010, 6:53 am

Greetings

thanks for validateing windows - when we are done it is inportant to update to SP3

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File::
c:\windows\system32\clipac32.dll.vir
c:\documents and settings\jessc0125\Local Settings\Application Data\4288942400.dll
c:\documents and settings\jessc0125\Local Settings\Application Data\128822158.dll

Folder::
c:\documents and settings\All Users\Application Data\5ea4257

Driver::
riwituziyo



Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

: Malwarebytes' Anti-Malware :

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


"information and logs"

    In your next post I need the following

    1. log from combofix
    2. log from MBAM
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware