
Topic: Help! Have Trojan and Spyware, need help removing (or making sure it's gone).


wkdcute04

    Topic Starter


    Rookie

    Hi, I need some help with a bunch of viruses that were on my computer.  I know there were some Trojans as well as a bunch of spyware on my computer.  Normally I would just completely restore the OS (Windows XP Home with SP2), but I lost the disk and have to do this the hard way :).

    I've already done a bunch of stuff that was recommended to me by a friend, I'm just wondering if there is a way to tell if the viruses are gone or just hiding really well.  My steps were:

    1. I disconnected from the internet and cleared all of the internet files, history, cache, etc.  Also deleted all temporary files, etc.

    2. Turned off System Restore for my computer.

    3. Ran McAfee anti-virus software, which deleted a bunch of things.  Ran this both in safe mode, and then in normal mode.

    4. Ran Ad-Aware several times, both in safe mode and normal mode, until nothing else was detected (several things were detected and deleted the first time around).

    5. Ran Spy-Bot several times, both in safe mode and normal mode, until nothing else was detected. 

    6. Ran McAfee Stinger, nothing was detected.

    7. Ran McAfee Anti-Virus again, nothing was detected on my computer.

    *By this point, drwatson was running a lot all of a sudden, so I ended up removing it from the registry.

    I haven't tried connecting to the internet again.  I'm just wondering if I've successfully removed all of the viruses and spyware from my computer (since nothing else is showing up on any program), or if the viruses are just hiding and I need to do something else to get rid of all of them. 

    Thanks for any help!

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11

    wkdcute04

      Here are the three reports:

      1. SuperAnti


      Application Version : 4.21.1004

      Core Rules Database Version : 3575
      Trace Rules Database Version: 1563

      Scan type       : Complete Scan
      Total Scan Time : 00:46:51

      Memory items scanned      : 390
      Memory threats detected   : 2
      Registry items scanned    : 4343
      Registry threats detected : 39
      File items scanned        : 38553
      File threats detected     : 8

      Trojan.Vundo-Variant/Small-GEN
         C:\WINDOWS\SYSTEM32\LJJYQIIA.DLL
         C:\WINDOWS\SYSTEM32\LJJYQIIA.DLL

      Adware.Vundo Variant/Resident
         C:\WINDOWS\SYSTEM32\CBXNHXPN.DLL
         C:\WINDOWS\SYSTEM32\CBXNHXPN.DLL

      Rogue.AntiSpyCheck
         HKLM\Software\Classes\CLSID\{E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E}
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}\InprocServer32
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}\InprocServer32#ThreadingModel
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}\ProgID
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}\Programmable
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}\TypeLib
         HKCR\CLSID\{E1FAB6BD-4A34-47CE-82AF-50B16A6BE77E}\VersionIndependentProgID
         HKCR\ThreatWarning.WarningBHO.1
         HKCR\ThreatWarning.WarningBHO.1\CLSID
         HKCR\ThreatWarning.WarningBHO
         HKCR\ThreatWarning.WarningBHO\CLSID
         HKCR\ThreatWarning.WarningBHO\CurVer
         HKCR\TypeLib\{BA1B2430-E2B5-4e87-BD9B-E919CA9DEB2C}
         C:\PROGRAM FILES\ASPCH\THREATWARNING.DLL
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E}
         C:\RECYCLER\S-1-5-21-1708537768-412668190-839522115-500\DC27\ASPCH.EXE
         C:\RECYCLER\S-1-5-21-1708537768-412668190-839522115-500\DC27\THREATWARNING.DLL

      Trojan.Vundo-Variant/NextGen
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{560E2ED0-CD78-4332-A96B-FBD502FCF373}
         HKCR\CLSID\{560E2ED0-CD78-4332-A96B-FBD502FCF373}
         HKCR\CLSID\{560E2ED0-CD78-4332-A96B-FBD502FCF373}\InprocServer32
         HKCR\CLSID\{560E2ED0-CD78-4332-A96B-FBD502FCF373}\InprocServer32#ThreadingModel
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD}
         HKCR\CLSID\{88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD}
         HKCR\CLSID\{88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD}\InprocServer32
         HKCR\CLSID\{88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD}\InprocServer32#ThreadingModel
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD}
         Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ljJYQiIa

      Trojan.FakeAlert-IEBT
         HKU\S-1-5-21-1708537768-412668190-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{94A5C93F-BD18-4C46-B777-C94C145C3CAB}

      Browser Hijacker.Internet Explorer Settings Hijack
         HKU\S-1-5-21-1708537768-412668190-839522115-1003\Software\Microsoft\Internet Explorer\Main#Search Page [ http://internetsearchservice.com ]
         HKU\S-1-5-21-1708537768-412668190-839522115-1003\Software\Microsoft\Internet Explorer\Main#Default_Search_URL [ http://internetsearchservice.com ]

      Adware.Vundo Variant/Rel
         HKLM\SOFTWARE\Microsoft\aoprndtws
         HKLM\SOFTWARE\Microsoft\FCOVM
         HKLM\SOFTWARE\Microsoft\RemoveRP
         HKU\S-1-5-21-1708537768-412668190-839522115-1003\Software\Microsoft\rdfa
         C:\WINDOWS\SYSTEM32\MCRH.TMP

      Trojan.Unclassified/C00-WL
         HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0086CB4
         HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0086CB4#Asynchronous
         HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0086CB4#DllName
         HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0086CB4#Impersonate
         HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0086CB4#Startup
         HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0086CB4#Logon

      Adware.Tracking Cookie
         C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
         C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt


      2. Malware

      Scan type: Full Scan (C:\|)
      Objects scanned: 77953
      Time elapsed: 29 minute(s), 25 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 1
      Registry Keys Infected: 10
      Registry Values Infected: 26
      Registry Data Items Infected: 4
      Folders Infected: 1
      Files Infected: 9

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      C:\WINDOWS\system32\nfjiufdk.dll (Trojan.Vundo) -> No action taken.

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0086cb4 (Trojan.Vundo) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\aspch (Rogue.AntiSpyCheck) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\044a8a01 (Trojan.Vundo.H) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm0779b99d (Trojan.Agent) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> No action taken.

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken.

      Folders Infected:
      C:\WINDOWS\system32\968070 (Trojan.BHO) -> No action taken.

      Files Infected:
      C:\WINDOWS\system32\nfjiufdk.dll (Trojan.Vundo.H) -> No action taken.
      C:\WINDOWS\system32\kdfuijfn.ini (Trojan.Vundo.H) -> No action taken.
      C:\WINDOWS\system32\ (Trojan.Vundo) -> No action taken.
      C:\WINDOWS\system32\ummtsppt.dll (Trojan.Agent) -> No action taken.
      C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
      C:\WINDOWS\BM0779b99d.xml (Trojan.Vundo) -> No action taken.
      C:\WINDOWS\BM0779b99d.txt (Trojan.Vundo) -> No action taken.
      C:\Documents and Settings\Owner\Desktop\Antispyware log.txt (Rogue.Antispyware) -> No action taken.
      C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> No action taken.


      wkdcute04

        3. Hijack

        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\gearsec.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\McAfee\Common Framework\FrameworkService.exe
        C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
        C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Citrix\ICA Client\ssonsvr.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Apoint2K\Apoint.exe
        C:\Program Files\HP\HP Software Update\HPWuSchd.exe
        C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
        C:\Program Files\McAfee\Common Framework\UdaterUI.exe
        C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
        C:\WINDOWS\system32\hphmon05.exe
        C:\Program Files\McAfee\Common Framework\McTray.exe
        C:\Program Files\Apoint2K\Apntex.exe
        C:\WINDOWS\AGRSMMSG.exe
        C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Messenger\MSMSGS.EXE
        C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
        C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\WINDOWS\System32\msiexec.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        O2 - BHO: (no name) - {07162130-F60D-4093-BA12-4DAC6A272E9A} - (no file)
        O2 - BHO: (no name) - {11014a24-cb44-439c-9434-43928f4bd745} - (no file)
        O2 - BHO: (no name) - {14A25AA4-FB3D-4E01-9150-6B596DC262A9} - (no file)
        O2 - BHO: (no name) - {37616F8D-AAD0-4FC2-811E-365ABC1C802F} - (no file)
        O2 - BHO: (no name) - {4A4637F9-AE7B-4C81-83A0-A05DC1FD06B9} - C:\WINDOWS\system32\cbXNHXpN.dll (file missing)
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
        O2 - BHO: (no name) - {560E2ED0-CD78-4332-A96B-FBD502FCF373} - (no file)
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O2 - BHO: (no name) - {7D6CD1C6-AFD7-489C-B15F-62E37BDF6C65} - (no file)
        O2 - BHO: (no name) - {88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD} - (no file)
        O2 - BHO: (no name) - {8A152561-6E7F-42DC-A143-3ADEFA28F259} - (no file)
        O2 - BHO: (no name) - {A11DA48E-CF02-4F1C-A13B-F25225FEFB52} - (no file)
        O2 - BHO: (no name) - {A96ADB66-253A-4F9A-92C5-114D4F31E422} - (no file)
        O2 - BHO: (no name) - {E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E} - (no file)
        O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
        O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
        O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
        O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
        O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
        O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
        O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
        O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
        O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
        O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
        O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
        O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
        O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
        O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
        O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Owner\xrt_ptfa.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        O4 - Global Startup: BTTray.lnk = ?
        O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.tproxy01.lib.utah.edu/lib/utah/support/plugins/ebraryRdr.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185141624015
        O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222129530661&h=a312afe649fccbd8a66277eb5768d4b3/&filename=jinstall-6u7-windows-i586-jc.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll hhofbw.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O20 - Winlogon Notify: 44a8aae382 - C:\WINDOWS\system32\__c0088244.dat (file missing)
        O20 - Winlogon Notify: ljJYQiIa - C:\WINDOWS\
        O20 - Winlogon Notify: __c0086CB4 - C:\WINDOWS\
        O22 - SharedTaskScheduler: babblement - {d3b82107-f8fa-4ef3-8066-136e22872d4e} - (no file)
        O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
        O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
        O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
        O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
        O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
        O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
        O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

        --
        End of file - 10179 bytes

        evilfantasy
        It does no good to run the scans if you aren't going to let the malware be fixed. Everything says No action taken.

        Please run them again, this time removing everything found.

        I also need the whole HijackThis log beginning with Logfile of HijackThis.

        Please run the scans again, removing everything found and post the logs. Then run a new HJT scan and post the log.
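The point above about "No action taken" can be checked mechanically instead of by eye. The script below is an added example, not something posted in this thread and not part of Malwarebytes; the two sample logs are constructed in the same shape as the MBAM logs posted here (one run that removed nothing, one that quarantined what it found), and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the first MBAM log in this thread:
# every detection was left at "No action taken".
FIRST_RUN = r"""
Registry Keys Infected: 2
Registry Values Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0086cb4 (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\aspch (Rogue.AntiSpyCheck) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken.

Files Infected:
C:\WINDOWS\system32\nfjiufdk.dll (Trojan.Vundo.H) -> No action taken.
"""

# Constructed sample in the shape of the re-run: items actually quarantined.
SECOND_RUN = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0086cb4 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
"""

# A detection line is "ITEM (FAMILY) -> [DETAIL -> ]ACTION."; the family is the
# last parenthesised group of the first "->" segment.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")
UNHANDLED = "No action taken"


def parse_mbam_detections(log_text):
    """Yield (section, item, family, action) for every detection line."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):      # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if " -> " not in line:               # summary counts, "(No malicious items detected)"
            continue
        head, *rest = line.split(" -> ")
        action = rest[-1].rstrip(".").strip()   # the action is always the last segment
        m = DETECTION_RE.match(head.strip())
        if m:
            yield section, m.group("item"), m.group("family"), action


def remediation_summary(log_text):
    """Summarise what the scan did, so a log full of "No action taken"
    is recognised as a scan that removed nothing."""
    detections = list(parse_mbam_detections(log_text))
    by_action = Counter(action for *_, action in detections)
    unhandled = [(section, item, family)
                 for section, item, family, action in detections
                 if action == UNHANDLED]
    return {
        "total": len(detections),
        "by_action": dict(by_action),
        "unhandled": unhandled,
        "needs_rerun": bool(unhandled),
    }


if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        s = remediation_summary(log)
        print(f"{name}: {s['total']} detections, actions={s['by_action']}, "
              f"needs rerun={s['needs_rerun']}")
```

The action is taken from the last "->" segment rather than the first, because "Registry Data Items" lines carry a "Bad: (...) Good: (...)" segment between the family and the action; a parser that splits on the first arrow mis-reads those lines. A "Delete on reboot" result counts as handled, but the reboot still has to happen before the next scan means anything.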

        wkdcute04

          That is the correct Hijack log, I just cut off the top of the log.

          I'm pretty sure I removed everything, but I'll run it again just to be sure.

          Thanks.

          evilfantasy
          Yes please be sure. The HijackThis log has a lot of stuff in it that should have been fixed by MBAM and SAS.
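The leftovers evilfantasy is pointing at in the HijackThis log are registry entries (BHO CLSIDs, Winlogon Notify packages, a SharedTaskScheduler hook) whose target file is already gone: the scanners deleted the DLL but not the key that loads it. That pattern can be pulled out of a log automatically and compared between a before and an after scan. The script below is an added example, not part of this thread or of HijackThis; the samples are constructed from lines of the same shape as the logs posted here, and the function names are my own.

```python
import re

# Constructed sample of HijackThis lines in the shape of the logs posted in
# this thread: live, legitimate entries mixed with entries whose target file
# is missing.
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {07162130-F60D-4093-BA12-4DAC6A272E9A} - (no file)
O2 - BHO: (no name) - {4A4637F9-AE7B-4C81-83A0-A05DC1FD06B9} - C:\WINDOWS\system32\cbXNHXpN.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: 44a8aae382 - C:\WINDOWS\system32\__c0088244.dat (file missing)
O20 - Winlogon Notify: ljJYQiIa - C:\WINDOWS\
O22 - SharedTaskScheduler: babblement - {d3b82107-f8fa-4ef3-8066-136e22872d4e} - (no file)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

# Second constructed sample: the same log after a clean-up pass that removed
# only the ljJYQiIa notify entry, so the other orphans persist.
HJT_AFTER = "\n".join(line for line in HJT_SAMPLE.splitlines()
                      if "ljJYQiIa" not in line)

# HJT entry lines start with a section code such as R1, O2, O20, O23.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def find_orphaned_entries(log_text):
    """Return HJT entries that reference something that no longer exists."""
    orphans = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        parts = body.split(" - ")
        target = parts[-1].strip()            # the last " - " segment is the file/CLSID target
        reason = None
        if target == "(no file)":
            reason = "no file"
        elif target.endswith("(file missing)"):
            reason = "file missing"
        elif kind == "O20" and target.endswith("\\"):
            # A Winlogon Notify package should name a DLL; a bare directory
            # means the DLL was removed but the key was left behind.
            reason = "target is a directory, not a DLL"
        if reason:
            orphans.append({"kind": kind, "entry": " - ".join(parts[:-1]),
                            "target": target, "reason": reason})
    return orphans


def persistent_orphans(before_text, after_text):
    """Orphaned entries from the first log that are still in the second one."""
    still_there = {o["entry"] for o in find_orphaned_entries(after_text)}
    return [o for o in find_orphaned_entries(before_text)
            if o["entry"] in still_there]


if __name__ == "__main__":
    for o in find_orphaned_entries(HJT_SAMPLE):
        print(f"{o['kind']:4} {o['reason']:32} {o['entry']}")
    print(f"{len(persistent_orphans(HJT_SAMPLE, HJT_AFTER))} orphans survived the clean-up")
```

The output is a worklist for the helper, not a verdict: an orphaned entry is not necessarily malicious (the NMIndexingService line in the sample is an ordinary uninstall leftover), and a live entry with a present file is not necessarily clean. What the comparison does show is whether a second pass with the scanners changed anything at all, which is the question asked in this thread.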

          wkdcute04

            Okay, here is run-through number 2:

            1. SuperAnti:


            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 09/22/2008 at 08:47 PM

            Application Version : 4.21.1004

            Core Rules Database Version : 3575
            Trace Rules Database Version: 1563

            Scan type       : Complete Scan
            Total Scan Time : 00:28:41

            Memory items scanned      : 368
            Memory threats detected   : 0
            Registry items scanned    : 4615
            Registry threats detected : 0
            File items scanned        : 19277
            File threats detected     : 3

            Adware.Tracking Cookie
               C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
               C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
               C:\Documents and Settings\Owner\Cookies\owner@adinterax[2].txt


            2. Malwarebytes

            Malwarebytes' Anti-Malware 1.28
            Database version: 1190
            Windows 5.1.2600 Service Pack 2

            9/22/2008 9:29:56 PM
            mbam-log-2008-09-22 (21-29-56).txt

            Scan type: Full Scan (C:\|)
            Objects scanned: 78741
            Time elapsed: 22 minute(s), 12 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 2
            Registry Values Infected: 2
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 1

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0086cb4 (Trojan.Vundo) -> Quarantined and deleted successfully.

            Registry Values Infected:
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wblogon (Trojan.Zlob) -> Quarantined and deleted successfully.

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.

            wkdcute04

              3. Hijack

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 9:34:10 PM, on 9/22/2008
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\system32\gearsec.exe
              C:\Program Files\Common Files\LightScribe\LSSrvc.exe
              C:\Program Files\McAfee\Common Framework\FrameworkService.exe
              C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
              C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
              C:\WINDOWS\system32\nvsvc32.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Citrix\ICA Client\ssonsvr.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\wscntfy.exe
              C:\Program Files\Apoint2K\Apoint.exe
              C:\Program Files\HP\HP Software Update\HPWuSchd.exe
              C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
              C:\Program Files\McAfee\Common Framework\UdaterUI.exe
              C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
              C:\WINDOWS\system32\hphmon05.exe
              C:\PROGRA~1\Sygate\SPF\smc.exe
              C:\Program Files\Apoint2K\Apntex.exe
              C:\WINDOWS\AGRSMMSG.exe
              C:\Program Files\McAfee\Common Framework\McTray.exe
              C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
              C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
              C:\Program Files\QuickTime\qttask.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\Program Files\iPod\bin\iPodService.exe
              C:\Program Files\Messenger\MSMSGS.EXE
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
              C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
              C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
              C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              O2 - BHO: (no name) - {07162130-F60D-4093-BA12-4DAC6A272E9A} - (no file)
              O2 - BHO: (no name) - {11014a24-cb44-439c-9434-43928f4bd745} - (no file)
              O2 - BHO: (no name) - {14A25AA4-FB3D-4E01-9150-6B596DC262A9} - (no file)
              O2 - BHO: (no name) - {37616F8D-AAD0-4FC2-811E-365ABC1C802F} - (no file)
              O2 - BHO: (no name) - {4A4637F9-AE7B-4C81-83A0-A05DC1FD06B9} - C:\WINDOWS\system32\cbXNHXpN.dll (file missing)
              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
              O2 - BHO: (no name) - {560E2ED0-CD78-4332-A96B-FBD502FCF373} - (no file)
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
              O2 - BHO: (no name) - {7D6CD1C6-AFD7-489C-B15F-62E37BDF6C65} - (no file)
              O2 - BHO: (no name) - {88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD} - (no file)
              O2 - BHO: (no name) - {8A152561-6E7F-42DC-A143-3ADEFA28F259} - (no file)
              O2 - BHO: (no name) - {A11DA48E-CF02-4F1C-A13B-F25225FEFB52} - (no file)
              O2 - BHO: (no name) - {A96ADB66-253A-4F9A-92C5-114D4F31E422} - (no file)
              O2 - BHO: (no name) - {E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E} - (no file)
              O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
              O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
              O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
              O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
              O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
              O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
              O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
              O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
              O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
              O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
              O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
              O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
              O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
              O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
              O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
              O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Owner\xrt_ptfa.exe
              O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
              O4 - Global Startup: BTTray.lnk = ?
              O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
              O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.tproxy01.lib.utah.edu/lib/utah/support/plugins/ebraryRdr.cab
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185141624015
              O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222129530661&h=a312afe649fccbd8a66277eb5768d4b3/&filename=jinstall-6u7-windows-i586-jc.cab
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
              O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll hhofbw.dll
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
              O20 - Winlogon Notify: 44a8aae382 - C:\WINDOWS\system32\__c0088244.dat (file missing)
              O20 - Winlogon Notify: ljJYQiIa - C:\WINDOWS\
              O20 - Winlogon Notify: __c0086CB4 - C:\WINDOWS\
              O22 - SharedTaskScheduler: babblement - {d3b82107-f8fa-4ef3-8066-136e22872d4e} - (no file)
              O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
              O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
              O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
              O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
              O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
              O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
              O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
              O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
              O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
              O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
              O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

              --
              End of file - 10192 bytes


              Thanks!  I hope I did everything right this time.

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              Disable Ad-Aware as it may interfere with repairs

              • Click the Settings button, Auto Scans tab, and under Scan on Ad-Aware startup
              • Be sure both selections for No automated scan are checked (green).
              • Then click Save and close Ad-Aware.
              ----------

              Disable Spybot's TeaTimer

              While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

              1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
              2. Run Spybot S&D
              3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt, and restart your computer.

              Note:
              If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

              If TeaTimer will not turn off then uninstall Spybot until we are done cleaning. <- Very important!!

              -----------

              Open HijackThis and select Do a system scan only.

              Place a check mark next to the following entries: (if there)

              - O2 - BHO: (no name) - {07162130-F60D-4093-BA12-4DAC6A272E9A} - (no file)
              - O2 - BHO: (no name) - {11014a24-cb44-439c-9434-43928f4bd745} - (no file)
              - O2 - BHO: (no name) - {14A25AA4-FB3D-4E01-9150-6B596DC262A9} - (no file)
              - O2 - BHO: (no name) - {37616F8D-AAD0-4FC2-811E-365ABC1C802F} - (no file)
              - O2 - BHO: (no name) - {4A4637F9-AE7B-4C81-83A0-A05DC1FD06B9} - C:\WINDOWS\system32\cbXNHXpN.dll (file missing)
              - O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
              - O2 - BHO: (no name) - {560E2ED0-CD78-4332-A96B-FBD502FCF373} - (no file)
              - O2 - BHO: (no name) - {7D6CD1C6-AFD7-489C-B15F-62E37BDF6C65} - (no file)
              - O2 - BHO: (no name) - {88D3A9C5-FD4F-4D99-8672-FD72F9FD51DD} - (no file)
              - O2 - BHO: (no name) - {8A152561-6E7F-42DC-A143-3ADEFA28F259} - (no file)
              - O2 - BHO: (no name) - {A11DA48E-CF02-4F1C-A13B-F25225FEFB52} - (no file)
              - O2 - BHO: (no name) - {A96ADB66-253A-4F9A-92C5-114D4F31E422} - (no file)
              - O2 - BHO: (no name) - {E1FAB6BD-4A34-47ce-82AF-50B16A6BE77E} - (no file)
              - O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
              - O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
              - O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Owner\xrt_ptfa.exe
              - O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll hhofbw.dll
              - O20 - Winlogon Notify: 44a8aae382 - C:\WINDOWS\system32\__c0088244.dat (file missing)
              - O20 - Winlogon Notify: ljJYQiIa - C:\WINDOWS\
              - O20 - Winlogon Notify: __c0086CB4 - C:\WINDOWS\
              - O22 - SharedTaskScheduler: babblement - {d3b82107-f8fa-4ef3-8066-136e22872d4e} - (no file)


              Important: Close all windows except for HijackThis and then click Fix checked.

              Exit HijackThis and restart the computer.

              ----------

              Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

              Go to Start > Run and type notepad.exe then click OK

              Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

; A value set to "-" is deleted when the file is merged.
; The HijackThis log above lists wblogon and xrt_Shell under HKCU\..\Run,
; so the HKCU key is the one that must be cleaned; the HKLM key is kept
; as well, since deleting a value that does not exist is harmless.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wblogon"=-
"xrt_Shell"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"wblogon"=-
"xrt_Shell"=-

              Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

              ----------

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

              Link #1
              Link #2

              **Note:  It is important that it is saved directly to your Desktop

              Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

              Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
               
              Double click combofix.exe & follow the prompts.
              When finished ComboFix will produce a log for you.
              Post the ComboFix log and a new HijackThis log in your next reply.

              Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
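
Added example (my own script, not something from this thread, from HijackThis or from ComboFix): the fix list above is built from a handful of structural signals in the HijackThis log, and the script below applies the same signals to log lines and then writes the REGEDIT4 text that deletes the flagged Run values from whichever hive HijackThis actually reported them in. The signals are: O2/O22 registrations with "(no file)" or "(file missing)" (orphaned COM objects, nothing to load), O4 Run values whose executable sits directly in the user's profile root or whose name is a near miss of a core Windows process name (wblogon vs. winlogon), an AppInit_DLLs value containing a DLL with no path (resolved through the search path and loaded into every process that links user32), and Winlogon Notify handlers that point at a bare directory or a missing file. The sample lines are copied from the HijackThis log posted earlier in this thread; the list of core process names, the edit-distance threshold of 2 and the profile-root rule are my assumptions, not rules from either tool. Requires Python 3.8 or later.

```python
"""Triage HijackThis 2.x log lines the way a removal volunteer does, then emit a
REGEDIT4 file deleting the flagged Run values from the hive the log reported."""
import re

# Assumption: core Windows process names that malware likes to imitate ("wblogon" ~ "winlogon").
WINDOWS_CORE = ("winlogon", "svchost", "lsass", "csrss", "services",
                "explorer", "spoolsv", "smss", "ctfmon")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Assumption: legitimate software does not drop its executable straight into the profile root.
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {07162130-F60D-4093-BA12-4DAC6A272E9A} - (no file)
O2 - BHO: (no name) - {4A4637F9-AE7B-4C81-83A0-A05DC1FD06B9} - C:\WINDOWS\system32\cbXNHXpN.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\Owner\xrt_ptfa.exe
O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll hhofbw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJYQiIa - C:\WINDOWS\
O22 - SharedTaskScheduler: babblement - {d3b82107-f8fa-4ef3-8066-136e22872d4e} - (no file)
"""


def edit_distance(a, b):
    """Levenshtein distance (small DP table), used to catch lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """True when name (extension stripped) is within 2 edits of, but not equal to, a core process name."""
    n = name.lower().rsplit(".", 1)[0]
    return any(n != core and edit_distance(n, core) <= 2 for core in WINDOWS_CORE)


def exe_path(cmd):
    """First executable on a Run command line, quoted or not (paths may contain spaces)."""
    m = re.match(r'^"?(?P<exe>.*?\.exe)', cmd, re.I)
    return m.group("exe") if m else cmd


def triage(log_text):
    """Return the suspicious entries as dicts: 'raw', 'reason' and, for O4 lines, 'hive'/'name'."""
    flagged = []
    for raw in (line.strip() for line in log_text.splitlines()):
        if not raw:
            continue
        orphan = raw.endswith("(no file)") or raw.endswith("(file missing)")
        if raw.startswith(("O2 - BHO:", "O22 - SharedTaskScheduler:")) and orphan:
            flagged.append({"raw": raw, "reason": "orphaned COM registration, nothing to load"})
        elif m := O4_RE.match(raw):
            exe = exe_path(m["cmd"])
            reason = None
            if PROFILE_ROOT_EXE.match(exe):
                reason = "executable dropped directly in the user profile root"
            elif lookalike(m["name"]) or lookalike(exe.rsplit("\\", 1)[-1]):
                reason = "value or file name imitates a core Windows process"
            if reason:
                flagged.append({"raw": raw, "reason": reason, "hive": m["hive"], "name": m["name"]})
        elif raw.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is space- or comma-separated; a bare DLL name (no backslash)
            # is resolved via the search path and is the classic injected-loader pattern.
            dlls = re.split(r"[\s,]+", raw.split(":", 1)[1].strip())
            if any("\\" not in d for d in dlls if d):
                flagged.append({"raw": raw, "reason": "path-less DLL loaded into every user-mode process"})
        elif m := NOTIFY_RE.match(raw):
            if orphan or m["target"].endswith("\\"):
                flagged.append({"raw": raw, "reason": "Winlogon Notify handler with no loadable DLL"})
    return flagged


def removal_reg(flagged):
    """REGEDIT4 text deleting each flagged Run value from the hive HijackThis reported it in."""
    per_hive = {}
    for e in flagged:
        if "hive" in e:
            per_hive.setdefault(e["hive"], []).append(e["name"])
    lines = ["REGEDIT4", ""]
    for hive in sorted(per_hive):
        lines.append(f"[{HIVES[hive]}\\{RUN_KEY}]")
        lines.extend(f'"{name}"=-' for name in per_hive[hive])  # "=-" deletes the value on merge
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['reason']:<55} {h['raw']}")
    print(removal_reg(hits))
```

Run against the sample, the script flags the two orphaned BHOs, wblogon, xrt_Shell, the AppInit_DLLs value, the ljJYQiIa Winlogon Notify entry and the babblement SharedTaskScheduler entry, leaves Apoint, the Java SSVHelper BHO and the SUPERAntiSpyware Winlogon hook alone, and writes the two Run deletions under HKEY_CURRENT_USER, which is where the log shows them. The "(file missing)" entries are worth keeping in the output even though there is nothing left to load: the registry key that points at them is what a reinfection or an undeleted dropper would reuse.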

              wkdcute04

                Topic Starter


                Rookie

                I hope I did this right.  I thought it worked, but now my internet is acting funny (I'm having to post this from another computer....)

                1. Combo Log


                ComboFix 08-09-22.06 -
                Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
                 * Created a new restore point

                WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                .
                ADS - WINDOWS: deleted 24 bytes in 1 streams.

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                C:\WINDOWS\system32\msssc.dll
                C:\WINDOWS\system32\NpXHNXbc.ini
                C:\xcrashdump.dat

                .
                (((((((((((((((((((((((((   Files Created from 2008-08-24 to 2008-09-24  )))))))))))))))))))))))))))))))
                .

                2008-09-22 18:27 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
                2008-09-22 18:25 . 2008-09-22 18:25   <DIR>   d--------   C:\Program Files\Trend Micro
                2008-09-22 18:23 . 2008-09-22 18:23   <DIR>   d--------   C:\WINDOWS\Sun
                2008-09-21 22:09 . 2008-09-21 22:10   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                2008-09-21 22:09 . 2008-09-21 22:09   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
                2008-09-21 22:09 . 2008-09-21 22:09   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                2008-09-21 22:09 . 2008-09-10 00:04   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                2008-09-21 22:09 . 2008-09-10 00:03   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
                2008-09-21 20:19 . 2008-09-21 20:19   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                2008-09-21 20:18 . 2008-09-21 20:18   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                2008-09-21 20:18 . 2008-09-21 20:18   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
                2008-09-21 20:14 . 2008-09-21 20:14   <DIR>   d--------   C:\Program Files\CCleaner
                2008-09-14 21:18 . 2008-09-14 21:18   <DIR>   d--------   C:\Program Files\Common Files\SWF Studio
                2008-09-14 18:34 . 2008-09-14 18:34   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
                2008-09-14 15:22 . 2008-09-23 18:41   902   --a------   C:\WINDOWS\QUICKEN.INI
                2008-09-14 15:21 . 2008-09-14 15:21   <DIR>   d--------   C:\Program Files\Common Files\Intuit
                2008-09-14 15:20 . 2008-09-23 18:41   <DIR>   d--------   C:\Program Files\Quicken
2008-09-14 15:04 . 2008-09-14 15:04   1,987   -rahs----   C:\WINDOWS\system32\drivers\HP_Pavilion zv5200 (PF144UA ABA)_YN_Pavi_QCND426_E_4_I08A0_SCompal_V32.22_BF.11_T040430_WXH2_L409_M512_J80_7AMD_8Athlon 64 3200+_91.99_1104C8026_N_P104CAC54_Z10DE00D9_K_A10DE00DA_U10DE00D7_G10DE0179.MRK
                2008-09-14 15:01 . 1999-11-10 11:05   86,016   --a------   C:\WINDOWS\unvise32qt.exe
                2008-09-14 15:00 . 2008-09-23 18:39   <DIR>   d--------   C:\Program Files\QuickTime
                2008-09-14 15:00 . 2008-09-14 15:00   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\QuickTime
                2008-09-14 14:44 . 2008-09-22 18:27   <DIR>   d--------   C:\Program Files\Java
                2008-09-14 14:43 . 2008-09-14 14:43   <DIR>   d--------   C:\Program Files\Common Files\Sonic
                2008-09-14 14:43 . 2008-09-14 14:43   <DIR>   d--------   C:\Program Files\Common Files\Java
                2008-09-14 14:43 . 2008-09-14 14:43   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Sonic
                2008-09-14 14:41 . 2008-09-14 14:41   <DIR>   d--------   C:\Program Files\Sonic
                2008-09-14 14:41 . 2008-09-14 14:41   <DIR>   d--------   C:\Program Files\RecordNow!
                2008-09-14 14:41 . 2008-09-14 14:41   <DIR>   d--------   C:\Program Files\Common Files\SureThing Shared
                2008-09-14 14:39 . 2008-09-14 14:39   <DIR>   d--------   C:\i386
                2008-09-14 14:39 . 2003-08-18 00:16   65,536   ---------   C:\WINDOWS\system32\QlbServr.exe
                2008-09-14 14:39 . 2003-08-18 00:00   49,152   -r-------   C:\WINDOWS\system32\eabcoins.dll
                2008-09-14 14:08 . 2008-09-14 14:08   79   --a------   C:\WINDOWS\system32\NVU003.nvu
                2008-09-13 23:04 . 2008-09-14 10:24   149   --a------   C:\WINDOWS\wininit.ini
                2008-09-13 22:39 . 2008-09-13 22:39   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
                2008-09-13 22:39 . 2008-09-23 18:44   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                2008-09-13 21:54 . 2008-09-13 21:54   <DIR>   d--------   C:\Program Files\Lavasoft
                2008-09-13 21:54 . 2008-09-13 21:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
                2008-09-13 18:49 . 2003-05-22 19:55   483,328   --a------   C:\WINDOWS\system32\hphmon05.exe
                2008-09-13 18:48 . 2008-09-13 18:49   18,403   --a------   C:\WINDOWS\HPHins01.dat
                2008-09-13 18:48 . 2003-05-22 19:44   6,848   --a------   C:\WINDOWS\system32\hphmon05.dat
                2008-09-13 18:48 . 2003-05-22 19:44   4,308   ---------   C:\WINDOWS\hphmdl01.dat
                2008-09-13 18:44 . 2008-09-13 18:44   <DIR>   d--------   C:\swsetup
                2008-09-13 18:44 . 2002-10-15 09:13   32,356   ---------   C:\WINDOWS\system32\pusbfd1.sys
                2008-09-13 18:44 . 2002-10-15 09:13   26,629   ---------   C:\WINDOWS\system32\pusbfd2.vxd
                2008-09-13 18:42 . 2004-08-03 10:08   3,125,248   --a------   C:\WINDOWS\system32\hpqPres.dll
                2008-09-13 18:42 . 2004-08-03 10:33   221,184   --a------   C:\WINDOWS\system32\cpqinfo.dll
                2008-09-13 18:42 . 2004-07-30 08:33   65,536   --a------   C:\WINDOWS\system32\hpqactn.dll
                2008-09-13 18:42 . 2004-04-13 10:30   32,768   --a------   C:\WINDOWS\system32\eabhbrn8.dll
                2008-09-13 18:42 . 2003-08-17 23:57   7,080   -r-------   C:\WINDOWS\system32\drivers\eabfiltr.sys
                2008-09-13 18:42 . 2003-06-05 21:46   5,220   -r-------   C:\WINDOWS\system32\drivers\eabusb.sys
                2008-09-13 18:38 . 2008-09-13 18:38   <DIR>   d--------   C:\Program Files\muvee Technologies
                2008-09-13 18:38 . 2008-09-13 18:38   <DIR>   d--------   C:\Program Files\Common Files\muvee Technologies
                2008-09-13 18:38 . 2008-09-13 18:38   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\muvee Technologies
                2008-09-13 18:36 . 2003-07-25 07:50   137   --a------   C:\WINDOWS\system32\oeminfo.ini
                2008-09-13 18:35 . 2008-09-14 14:21   <DIR>   d--------   C:\Program Files\InterVideo
                2008-09-13 18:34 . 2004-05-11 03:48   5,760,056   -ra------   C:\WINDOWS\Blue Sonic.bmp
                2008-09-13 18:34 . 2003-01-24 06:27   22,198   -ra------   C:\WINDOWS\system32\OEMLogo.bmp
                2008-09-13 18:34 . 2004-01-06 12:00   13,942   -ra------   C:\WINDOWS\accessories.ico
                2008-09-13 18:34 . 2004-02-24 09:20   4,286   -ra------   C:\WINDOWS\hpmusic.ico
                2008-09-13 18:33 . 2008-09-14 14:17   <DIR>   d--------   C:\Program Files\HPQ
                2008-09-13 18:33 . 2003-05-24 05:49   5,760,056   -ra------   C:\WINDOWS\Fractal Blue.bmp
                2008-09-13 18:33 . 2003-05-24 05:44   5,760,056   -ra------   C:\WINDOWS\Crystal Rush.bmp
                2008-09-13 18:30 . 2008-09-13 18:30   79   --a------   C:\WINDOWS\system32\NVU002.nvu
                2008-09-13 17:46 . 2007-11-20 21:03   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Apple Computer
                2008-09-13 17:46 . 2008-09-13 17:46   <DIR>   d--------   C:\Documents and Settings\Administrator
                2008-09-11 19:16 . 2008-09-13 18:48   <DIR>   d--------   C:\Program Files\Hewlett-Packard
                2008-09-11 19:16 . 2008-09-11 19:16   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\InstallShield
                2008-09-11 16:45 . 2008-09-22 18:55   <DIR>   d--------   C:\QUARANTINE
                2008-09-11 16:36 . 2008-09-11 16:36   <DIR>   d--------   C:\Program Files\Common Files\Cisco Systems
                2008-09-11 16:36 . 2008-09-11 16:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\McAfee
                2008-09-11 16:36 . 2007-10-25 15:06   1,495,552   --a------   C:\WINDOWS\system32\epoPGPsdk.dll
                2008-09-11 16:36 . 2007-10-25 15:06   280   --a------   C:\WINDOWS\system32\epoPGPsdk.dll.sig
                2008-09-11 16:35 . 2008-05-22 20:50   174,952   --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
                2008-09-11 16:35 . 2008-05-22 20:50   72,936   --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
                2008-09-11 16:35 . 2008-05-22 20:50   64,232   --a------   C:\WINDOWS\system32\drivers\mfeapfk.sys
                2008-09-11 16:35 . 2008-05-22 20:50   52,104   --a------   C:\WINDOWS\system32\drivers\mfetdik.sys
                2008-09-11 16:35 . 2008-05-22 20:50   33,960   --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
                2008-09-11 16:34 . 2008-09-11 16:36   <DIR>   d--------   C:\Program Files\McAfee
                2008-09-11 16:34 . 2008-09-11 16:34   <DIR>   d--------   C:\Program Files\Common Files\McAfee
                2008-09-08 21:42 . 2008-09-13 18:50   <DIR>   d-a------   C:\hp
                2008-09-05 20:28 . 2008-09-21 21:59   722,135   --ahs----   C:\WINDOWS\system32\NpXHNXbc.ini2
                2008-08-30 18:56 . 2008-08-30 18:59   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\DeepBurner
                2008-08-27 15:26 . 2008-08-27 16:45   <DIR>   d--------   C:\WINDOWS\system32\CatRoot_bak

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2008-09-24 00:38   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                2008-09-24 00:36   ---------   d-----w   C:\Program Files\iPod
                2008-09-22 02:18   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
                2008-09-15 03:20   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
                2008-09-15 03:20   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
                2008-09-11 22:01   ---------   d-----w   C:\Program Files\WinFF
                2008-09-09 02:22   ---------   d-----w   C:\Program Files\Rhapsody
                2008-09-09 01:29   ---------   d-----w   C:\Program Files\E.M. DVD Copy
                2008-09-08 01:31   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\DVD Flick
                2008-08-30 00:36   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Winff
                2008-08-19 19:36   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\ICAClient
                2008-08-19 19:19   ---------   d-----w   C:\Program Files\Citrix
                2008-08-19 01:36   ---------   d-----w   C:\Program Files\dvdSanta
                2008-08-17 03:51   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\dvdcss
                2008-08-12 02:13   ---------   d-----w   C:\Program Files\iSofter
                2008-08-10 23:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SlySoft
                2008-08-10 22:14   ---------   d-----w   C:\Program Files\Common Files\AVSMedia
                2008-08-10 21:10   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AVS4YOU
                2008-08-10 21:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AVS4YOU
                2008-08-05 01:21   ---------   d-----w   C:\Program Files\Common Files\HP
                .

                ------- Sigcheck -------

                2003-03-31 13:00  516608  2246d8d8f4714a2cedb21ab9b1849abb   C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
                2004-08-04 01:56  502272  01c3346c241652f43aed8e2149881bfe   C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
                2004-08-04 01:56  502272  01c3346c241652f43aed8e2149881bfe   C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
                2008-04-13 18:12  507904  ed0ef0a136dec83df69f04118870003e   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
                2008-09-11 16:02  502272  9b1bd82bd0761b5ba986af66d2809c30   C:\WINDOWS\system32\winlogon.exe
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
                "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
                "LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 159744]
                "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-07 4730880]
                "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
                "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
                "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
                "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
                "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
                "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 483328]
                "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
                "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
                "nwiz"="nwiz.exe" [2004-04-07 C:\WINDOWS\system32\nwiz.exe]
                "AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 C:\WINDOWS\AGRSMMSG.exe]

                C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                "vidc.ffds"= ffdshow.ax
                "VIDC.X264"= x264vfw.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                "DisableMonitoring"=dword:00000001

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                "DisableMonitoring"=dword:00000001

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                "DisableMonitoring"=dword:00000001

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
                "C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
                "C:\\WINDOWS\\system32\\sessmgr.exe"=

                S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
                "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
                .
                - - - - ORPHANS REMOVED - - - -

                HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
                HKCU-Run-RecordNow! - (no file)
                HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
                HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
                HKLM-Run-iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe
                HKLM-Run-DXDllRegExe - dxdllreg.exe


                .
                ------- Supplementary Scan -------
                .
                FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fmpr7v5j.default\
                .

                **************************************************************************

                catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2008-09-23 19:15:30
                Windows 5.1.2600 Service Pack 2 NTFS

                scanning hidden processes ...

                scanning hidden autostart entries ...

                HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?8?1?9??`???? ???B???????????????B? ??????

                scanning hidden files ...

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                ------------------------ Other Running Processes ------------------------
                .
                C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                C:\Program Files\McAfee\Common Framework\FrameworkService.exe
                C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
                C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
                C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
                C:\WINDOWS\system32\nvsvc32.exe
                C:\Program Files\Citrix\ICA Client\ssonsvr.exe
                C:\WINDOWS\system32\wscntfy.exe
                C:\Program Files\Apoint2K\ApntEx.exe
                C:\Program Files\McAfee\Common Framework\Mctray.exe
                C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
                C:\ComboFix\pv.cfexe
                .
                **************************************************************************
                .
                Completion time: 2008-09-23 19:18:10 - machine was rebooted
                ComboFix-quarantined-files.txt  2008-09-24 01:18:07

                Pre-Run: 63,931,068,416 bytes free
                Post-Run: 64,030,593,024 bytes free

                221   --- E O F ---   2008-09-23 03:39:32

                wkdcute04

                  Topic Starter


                  Rookie

                  2. New Hijack Log

                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 7:19:02 PM, on 9/23/2008
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                  C:\Program Files\McAfee\Common Framework\FrameworkService.exe
                  C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
                  C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
                  C:\WINDOWS\system32\nvsvc32.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Citrix\ICA Client\ssonsvr.exe
                  C:\WINDOWS\system32\wscntfy.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\Apoint2K\Apoint.exe
                  C:\Program Files\HP\HP Software Update\HPWuSchd.exe
                  C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
                  C:\Program Files\McAfee\Common Framework\UdaterUI.exe
                  C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
                  C:\WINDOWS\system32\hphmon05.exe
                  C:\WINDOWS\AGRSMMSG.exe
                  C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
                  C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
                  C:\Program Files\Apoint2K\Apntex.exe
                  C:\Program Files\Messenger\MSMSGS.EXE
                  C:\Program Files\McAfee\Common Framework\McTray.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
                  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
                  C:\WINDOWS\explorer.exe
                  C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                  O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
                  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                  O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
                  O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
                  O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
                  O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
                  O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
                  O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
                  O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
                  O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
                  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                  O4 - Global Startup: BTTray.lnk = ?
                  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
                  O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
                  O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.tproxy01.lib.utah.edu/lib/utah/support/plugins/ebraryRdr.cab
                  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185141624015
                  O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222129530661&h=a312afe649fccbd8a66277eb5768d4b3/&filename=jinstall-6u7-windows-i586-jc.cab
                  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                  O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                  O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                  O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                  O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
                  O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
                  O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
                  O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
                  O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

                  --
                  End of file - 6687 bytes

                  Thank you!
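The HijackThis log above is the kind of listing a malware-removal helper reads by eye, looking for a few recurring signals: entries whose target is gone ("(file missing)", "(no file)"), Run-key commands that name a bare executable with no path, startup shortcuts whose target could not be resolved ("= ?"), ActiveX controls (O16) pulled from hosts that are not the usual vendors, services (O23) with no vendor attribution, and IE start or search pages (R0/R1) pointing somewhere other than the vendor defaults. The script below is an added example, not part of this thread and not code from Trend Micro's tool; it applies those checks to lines in the HijackThis v2.0.2 format. The sample input is ten lines copied from the posted log; the two allow-lists of trusted hosts and the "unqualified executable" rule are assumptions of the example (in this log, nwiz.exe and AGRSMMSG.exe are legitimate driver helpers, so that rule marks entries for review, not for removal).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: ten lines copied from the HijackThis v2.0.2 log
# posted in this thread. Everything else in this block is an added example.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.tproxy01.lib.utah.edu/lib/utah/support/plugins/ebraryRdr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Assumed allow-lists for this example: hosts that legitimately served ActiveX
# (.cab) controls, and hosts a default IE start/search page should point at.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "macromedia.com", "adobe.com", "sun.com", "java.com")
TRUSTED_HOME_SUFFIXES = ("microsoft.com", "msn.com", "live.com")

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def host_is_trusted(host, suffixes):
    """Match on a label boundary: 'a.microsoft.com' passes, 'fakemicrosoft.com'
    does not. A plain endswith() check would accept the latter."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def first_token(command):
    """Leading token of a Run-key command line, honouring a quoted path.
    For an unquoted path containing spaces this is only the first word,
    which is still enough to tell whether a path was given at all."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_line(line):
    """Return {'section', 'reasons', 'line'} for an entry worth a second look,
    or None when the entry passes these heuristics."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []

    # Any section: HijackThis marks targets it could not find on disk.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("dangling entry: target no longer exists on disk")

    if sec in ("R0", "R1"):
        url = URL_RE.search(body)
        if url and not host_is_trusted(urlparse(url.group()).hostname, TRUSTED_HOME_SUFFIXES):
            reasons.append("IE start/search page points at a non-vendor host")

    elif sec == "O4":
        if body.startswith(("Global Startup:", "Startup:")):
            target = body.split("=", 1)[1].strip() if "=" in body else ""
            if target == "?":
                reasons.append("startup shortcut target could not be resolved")
        elif "] " in body:
            exe = first_token(body.split("] ", 1)[1])
            if "\\" not in exe:
                # Heuristic only: nwiz.exe and AGRSMMSG.exe are legitimate in
                # this log, but a bare name is found via PATH search order.
                reasons.append("unqualified executable, located via PATH search order")

    elif sec == "O16":
        url = URL_RE.search(body)
        if url and not host_is_trusted(urlparse(url.group()).hostname, TRUSTED_DPF_SUFFIXES):
            reasons.append("ActiveX control downloaded from a non-allow-listed host")

    elif sec == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor attribution")

    return {"section": sec, "reasons": reasons, "line": line.strip()} if reasons else None


def triage(log_text):
    """All flagged entries from a HijackThis log, in file order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def summarize(findings):
    """Count of flagged entries per HijackThis section, e.g. {'O4': 3, ...}."""
    return dict(Counter(f["section"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"][:110])
```

On the sample, six of the ten lines are flagged: the two bare-name Run entries, the unresolved BTTray shortcut, the missing Java ssv.dll, the ebrary control served from a university proxy host, and the NMIndexingService entry, which collects two reasons (missing binary and no vendor). The host check deliberately compares on a dot boundary so that a look-alike such as fakemicrosoft.com does not pass the allow-list.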

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Calm like a bomb
                  • Thanked: 493
                  • Experience: Experienced
                  • OS: Windows 11
                  Manually restoring the Internet connection

                  Looking at the log...let me know how the Internet connection settings go.

                    wkdcute04

                    Oops, I probably wasn't clear.  I can log on to the internet, but I can't log in to anything (for example, email or this page), so I can't post anything on this site from my computer.  Otherwise I think the internet is okay, but I haven't really checked it. 

                    evilfantasy

                    Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.
                    • Open the folder and run Dial-a-fix.exe
                    • 2 windows will open. Close the one in the background labeled Restrictive Policies
                    • Check the box in section 1, Empty temp folders.
                    • Check the box in section 2, Fix Windows Installer.
                    • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked.
                    • Check all boxes in Section 5, labeled Registration Center.
                    • Click Go
                    • OK any error messages if received, but write them down and post them here.
                    • Restart the computer when done.
                    How is everything now?

                      wkdcute04

                      Hmmm, I ran Dial and didn't get any errors.

                      I re-ran SuperAnti, only had a couple of adware tracking cookies as files, and nothing malicious on Malware.

                      However, I tried connecting to the internet through one of my connections, and the connections now fail (so I can't get through to the internet).  Other than that, I'm hoping all of the bad stuff is gone. 

                      Do I need to run Dial again?

                      evilfantasy

                      Try resetting your router connection (unplug it for 10 seconds then plug it back in)

                      Do you have an XP CD?

                      If so, place it in your CD ROM drive and follow the instructions below:
                      • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
                        • Let this run undisturbed until the window with the blue progress bar goes away
                      SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

                        wkdcute04

                        I did both and then restarted my computer, but it still keeps saying that the connection fails when it tries to restore the connection. 

                        evilfantasy

                        Why is the Operating System information missing from all of the logs? Are you removing it or what?

                          wkdcute04

                          I'm not removing anything, I'm posting whatever log it gives me in my notepad.  OS is XP with SP2, I still have the original CD for it since it was an upgrade to the computer. 

                          evilfantasy

                          Try to reset the browser settings.

                          Reset settings for Internet Explorer 6

                          Reset Explorer Settings IE 6

                          Reset Settings in Internet Explorer 7

                          Reset Explorer Settings IE 7

                            wkdcute04

                            It worked, I was able to connect!

                            Is there anything I need to do to make sure everything is off my computer?  Keep checking with the SuperAnti and Malware programs?

                            Thanks for all your help!

                            evilfantasy

                              • Click START then RUN
                              • Now type Combofix /u in the runbox
                              • Make sure there's a space between Combofix and /u
                              • Then hit Enter.

                            The above procedure will:
                            • Delete ComboFix and its associated files and folders.
                            • Reset the clock settings.
                            • Hide file extensions, if required.
                            • Hide System/Hidden files, if required.
                            • Set a new, clean Restore Point.
                            .
                            ----------

                            Run this online scan. Requires Internet Explorer

                            Use the ESET Nod32 Online Scanner

                            1. Check the box next to YES, I accept the Terms of Use.
                            2. Click Start
                            3. When asked, allow the activex control to install
                            4. Click Start
                            5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
                            6. Click Scan
                            7. Wait for the scan to finish
                            8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                            9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

                              wkdcute04

                              I hope this is good news :)

                              # version=4
                              # OnlineScanner.ocx=1.0.0.635
                              # OnlineScannerDLLA.dll=1, 0, 0, 79
                              # OnlineScannerDLLW.dll=1, 0, 0, 78
                              # OnlineScannerUninstaller.exe=1, 0, 0, 49
                              # vers_standard_module=3475 (20080926)
                              # vers_arch_module=1.064 (20080214)
                              # vers_adv_heur_module=1.066 (20070917)
                              # EOSSerial=29942a97464bdd4da321f7fbccd1a21
                              # end=finished
                              # remove_checked=true
                              # unwanted_checked=true
                              # utc_time=2008-09-27 02:11:50
                              # local_time=2008-09-26 08:11:50 (-0700, Mountain Daylight Time)
                              # country="United States"
                              # osver=5.1.2600 NT Service Pack 2
                              # scanned=205805
                              # found=0
                              # scan_time=2820

                              evilfantasy

                              Yes that is good news.

                              Download OTCleanIt.exe and save it to your Desktop.
                              • Double-click OTCleanIt.exe.
                              • Click the CleanUp! button.
                              • Select Yes when the "Begin cleanup Process?" prompt appears.
                              • If you are prompted to Reboot during the cleanup, select Yes.
                              • The tool will delete itself once it finishes; if not, delete it yourself.
                              .
                              ----------

                              Delete temporary files

                              Go to:
                              • Start
                              • Run
                              • type: CLEANMGR.EXE
                              • Press Enter.
                              .
                              When prompted select the C: drive and click OK.
                              Check the boxes for:
                              • Temporary Internet Files
                              • Downloaded Program Files
                              • Recycle Bin
                              • Temporary Files
                              .
                              Click OK or Enter

                              ----------

                              Disable the System Restore Utility to prevent re-infection from an old one

                              1) Right click the My Computer icon on the Desktop and click on Properties.
                              2) Click on the System Restore tab.
                              3) Put a check mark next to Turn off System Restore on All Drives
                              4) Click the OK button.
                              5) You will be prompted to restart the computer. Click the Yes button.

                              Now re-enable System Restore

                              To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

                              1) Right click the My Computer icon on the Desktop and click on Properties.
                              2) Click on the System Restore tab.
                              3) Remove the check mark next to Turn off System Restore on All Drives
                              4) Click the OK button.

                              ----------

                              Use the Secunia Software Inspector to check for out of date software.
                              • Click Start Now
                              • Check the box next to Enable thorough system inspection.
                              • Click Start
                              • Allow the scan to finish and scroll down to see if any updates are needed.
                              • Update anything listed.
                              .
                              ----------

                              Go to Microsoft Windows Update and get all critical updates.

                              ----------

                              Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                              Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                              To prevent unknown applications from being installed on your computer install WinPatrol 2008
                              * Using Winpatrol to protect your computer from malicious software

                              I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                              * If you don't know what ActiveX controls are, see here

                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                                wkdcute04

                                I'm pretty sure it worked, thanks, but I still keep getting alerts from my McAfee virus scan of Generic Trojans that it finds in various places on my computer.  My Norton's antivirus program doesn't show anything, but for some reason McAfee is. 

                                evilfantasy

                                You shouldn't have two antivirus installed. They conflict with each other.

                                The real-time protection of two antivirus programs may conflict with each other and cause the following:

                                1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
                                2) Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
                                3) Performance: More than one antivirus will cause your PC to become slow and it may even crash or blue screen.