Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HJT Log help needed

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: HJT Log help needed

Unread postby km2357 » June 1st, 2010, 2:56 pm

AndyB wrote:km2357,

I ran the java update, re-installed avast. I also ran windows updates, because the message kept popping up for me to update. Hope that is ok.


That's fine. :)

I am running Kaspersky scan now, but it is taking a while. It has found 1 threat so far, but only at (25%). It is late, so I am going to let it run and re-post tomorrow evening with the results.


Ok, post the results when you get them. If you have any troubles with Kaspersky (i.e. it doesn't complete) I have other online scanners you can use in its place.

All in all the machine is running much better. The task bar looks normal on reboot, and I don't have to go into services.msc to restart the DHCP client and other services. So seems to be coming along well.


Good to hear that the computer is running much better. :D

Appreciate your help with this, and I will re-post tomorrow evening.


Besides posting the Kaspersky Log, I'd also like to see a fresh DDS Log as well.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California
Advertisement
Register to Remove

Re: HJT Log help needed

Unread postby AndyB » June 1st, 2010, 8:57 pm

Ok. Here is the Kaspersky results and fresh DDS-

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 01, 2010 02:56:54
Records in database: 4194417
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 73701
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:39:41


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.


DDS



DDS (Ver_10-03-17.01) - NTFSx86
Run by Andy at 17:56:39.14 on Tue 06/01/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.586 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\fnsulyyz.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-11-26 15872]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-31 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-31 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-11-26 74752]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2010-5-24 439680]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2006-11-25 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2006-11-25 69680]

=============== Created Last 30 ================

2010-06-01 05:01:54 0 d-----w- c:\windows\system32\CatRoot_bak
2010-06-01 05:00:17 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-01 05:00:17 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-01 04:53:31 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-01 04:53:31 0 d-----w- c:\windows\system32\PreInstall
2010-05-31 23:04:12 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-05-31 19:55:32 0 d-----w- c:\docume~1\andy\applic~1\Malwarebytes
2010-05-31 19:55:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 19:55:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 19:55:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 19:55:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-31 09:03:01 0 d-sha-r- C:\cmdcons
2010-05-31 08:59:55 98816 ----a-w- c:\windows\sed.exe
2010-05-31 08:59:55 77312 ----a-w- c:\windows\MBR.exe
2010-05-31 08:59:55 256512 ----a-w- c:\windows\PEV.exe
2010-05-31 08:59:55 161792 ----a-w- c:\windows\SWREG.exe
2010-05-27 06:17:42 0 d-----w- c:\program files\Trend Micro
2010-05-27 05:37:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-27 03:36:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:36:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 02:14:06 0 d-----w- c:\windows\system32\ReinstallBackups
2010-05-26 06:41:59 0 d-----w- c:\program files\AVG
2010-05-26 06:12:24 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-26 06:06:55 3284 ----a-w- c:\windows\system32\ANIWZCS{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 06:06:43 143360 ----a-w- c:\windows\system32\ANIWConnService(2)(2).exe
2010-05-26 06:06:37 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 04:56:35 0 d-----w- c:\program files\Mozilla Firefox(2)
2010-05-26 04:51:00 0 d-s---w- c:\documents and settings\andy\UserData
2010-05-26 04:49:18 3284 ----a-w- c:\windows\system32\ANIWZCS{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-26 04:48:05 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-25 16:26:19 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME
2010-05-24 17:49:07 3284 ----a-w- c:\windows\system32\ANIWZCS{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:43 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:09 200704 ----a-w- c:\windows\system32\ssleay32.dll
2010-05-24 17:47:09 1089536 ----a-w- c:\windows\system32\libeay32.dll
2010-05-24 17:46:37 439680 ----a-w- c:\windows\system32\drivers\RTL8192u.sys
2010-05-24 17:46:37 0 d-----w- c:\program files\D-Link

==================== Find3M ====================

2010-06-01 05:22:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-27 06:48:45 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-27 06:48:45 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 17:56:59.14 ===============
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » June 2nd, 2010, 12:41 am

What Kaspersky found is a file in the Qoobox folder which is where ComboFix keeps its quarantined files. In this post, I'll show you how to remove that file and ComboFix at the same time.

If there are no more problems, you are good to go. :)


Now would be a good time to upgrade to Windows XP SP3. To do that, go to Windows Update and download and install SP3. Once that is done, reboot your computer and go back to Windows Update and download all the critical updates listed. Reboot once they are installed and repeat until there are no more critical updates left to download. Also, while at Windows Update, I would update Internet Explorer from IE6 to IE8.


You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.
.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please checkHide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok..
  • Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » June 3rd, 2010, 2:13 am

I think that is it. I've completed everything per your instructions below. I will look into the articles as well when I get a chance. Most importantly you kick ass for helping me on this :cheers: . Can't thank you enough. Take care.

Andy B
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » June 3rd, 2010, 2:57 pm

You're welcome. I'm glad I was able to help out. :)

Good luck and safe surfing!
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby Elrond » June 3rd, 2010, 4:13 pm

AndyB this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 497 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware