Computer Hope

Software => Computer viruses and spyware => Topic started by: tex328 on January 02, 2009, 01:12:21 AM

Title: BOOT UP from other forum
Post by: tex328 on January 02, 2009, 01:12:21 AM
Ok, I posted this topic under software a couple of days ago and was rerouted to this forum by broni. Broni had me do some things and post a HijackThis log, and then found out my laptop was infected.

Now I went through the steps to remove malware and have just finished with SUPERAntiSpyware. Here is the log; my PC info is below as well. Thanks for the help in advance.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2009 at 02:58 PM

Application Version : 4.24.1004

Core Rules Database Version : 3693
Trace Rules Database Version: 1669

Scan type       : Custom Scan
Total Scan Time : 01:00:32

Memory items scanned      : 431
Memory threats detected   : 0
Registry items scanned    : 6734
Registry threats detected : 34
File items scanned        : 54102
File threats detected     : 2

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\InprocServer32
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\InprocServer32#InprocServer32
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\InprocServer32#ThreadingModel
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ProgID
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\Programmable
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\TypeLib
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\VersionIndependentProgID
   HKCR\SearchSettings.BHO.1
   HKCR\SearchSettings.BHO.1\CLSID
   HKCR\SearchSettings.BHO
   HKCR\SearchSettings.BHO\CLSID
   HKCR\SearchSettings.BHO\CurVer
   HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}
   HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}\1.0
   HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}\1.0\0
   HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}\1.0\0\win32
   HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}\1.0\FLAGS
   HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}\1.0\HELPDIR
   C:\PROGRAM FILES\SEARCH SETTINGS\KB127\SEARCHSETTINGS.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKU\S-1-5-21-1454471165-1647877149-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKU\S-1-5-21-1454471165-1647877149-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKU\S-1-5-21-1454471165-1647877149-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKU\S-1-5-21-1454471165-1647877149-839522115-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKCR\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}
   HKCR\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}\ProxyStubClsid
   HKCR\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}\ProxyStubClsid32
   HKCR\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}\TypeLib
   HKCR\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}\TypeLib#Version

Trojan.Media-Codec/V4
   C:\Program Files\Video Add-on
   HKU\S-1-5-21-1454471165-1647877149-839522115-1003\Software\Online Add-on
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName

Field   Value
Computer   
Operating System   Microsoft Windows XP Professional
OS Service Pack   Service Pack 3
DirectX   4.09.00.0904 (DirectX 9.0c)

   
Motherboard   
CPU Type   Mobile AMD Turion 64 ML-34, 1800 MHz (9 x 200)
Motherboard Name   Hewlett-Packard Presario V2000 (EP379UA#ABA)
Motherboard Chipset   ATI Radeon Xpress 200M, AMD Hammer
System Memory   896 MB  (PC2700 DDR SDRAM)
BIOS Type   Phoenix (08/30/06)
   
Display   
Video Adapter   ATI RADEON XPRESS 200M  (128 MB)
Video Adapter   ATI RADEON XPRESS 200M  (128 MB)
3D Accelerator   ATI Radeon Xpress 200M (RS480M)
Monitor   Plug and Play Monitor
Monitor   Generic Television
   
Multimedia   
Audio Adapter   ATI SB400 - AC'97 Audio Controller
   
Storage   
IDE Controller   Standard Dual Channel PCI IDE Controller
IDE Controller   Texas Instruments PCIxx21 Integrated FlashMedia Controller
Disk Drive   ST9100822A  (100 GB, 5400 RPM, Ultra-ATA/100)
Optical Drive   TSSTcorp CD/DVDW TS-L532M  (DVD+R9:2.4x, DVD+RW:8x/4x, DVD-RW:8x/4x, DVD-ROM:8x, CD:24x/10x/24x DVD+RW/DVD-RW)
SMART Hard Disks Status   OK
   
Partitions   
C: (NTFS)   95385 MB (48291 MB free)
   
Input   
Keyboard   Quick Launch Buttons
Mouse   Synaptics PS/2 Port TouchPad
   
Network   
Network Adapter   Realtek RTL8139/810x Family Fast Ethernet NIC  (10.5.12.93)
Modem   AC97 Data Fax SoftModem with SmartCP
   
Peripherals   
USB1 Controller   ATI SB400 - USB Controller
USB1 Controller   ATI SB400 - USB Controller
USB2 Controller   ATI SB400 - USB 2.0 Controller
Battery   Microsoft AC Adapter
Battery   Microsoft ACPI-Compliant Control Method Battery
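The scan log above lists every detection under its threat name, with registry keys, registry values (written as KEY#VALUENAME) and file paths mixed together. As an added example that is not part of this thread or of SUPERAntiSpyware itself, the Python script below parses that format, checks that the listed entries add up to the header's "threats detected" totals, and flags the entries that live in browser auto-load locations (Browser Helper Objects and URLSearchHooks), which is where the SearchSettings BHO in this log was registered. The embedded log is an abridged copy of the one posted above with the header counts adjusted to match what is kept; the persistence marker list is my own triage choice, not something the scanner emits.

```python
import re

# Abridged copy of the SUPERAntiSpyware log posted in this thread (constructed
# sample: entries trimmed and the header counts adjusted to match what is kept).
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2009 at 02:58 PM

Application Version : 4.24.1004

Registry items scanned    : 6734
Registry threats detected : 7
File items scanned        : 54102
File threats detected     : 2

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\InprocServer32#ThreadingModel
   HKCR\SearchSettings.BHO.1
   C:\PROGRAM FILES\SEARCH SETTINGS\KB127\SEARCHSETTINGS.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
   HKU\S-1-5-21-1454471165-1647877149-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{E312764E-7706-43F1-8DAB-FCDD2B1E416D}

Trojan.Media-Codec/V4
   C:\Program Files\Video Add-on
   HKU\S-1-5-21-1454471165-1647877149-839522115-1003\Software\Online Add-on
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName
"""

HIVE_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\", re.IGNORECASE)
COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")

# Registry locations that load code into the browser or at logon. The list is
# my own triage choice (an assumption), not something the scanner emits.
PERSISTENCE_MARKERS = (
    "\\Browser Helper Objects\\",
    "\\URLSearchHooks",
    "\\CurrentVersion\\Run",
    "\\Winlogon\\",
)


def classify(entry):
    """Split one detection line into (kind, key-or-path, value-name-or-None).

    SUPERAntiSpyware writes registry values as KEY#VALUENAME; anything that
    does not start with a hive abbreviation is treated as a file system path.
    """
    if HIVE_RE.match(entry):
        key, sep, value = entry.partition("#")
        return ("registry_value" if sep else "registry_key", key, value or None)
    return ("file", entry, None)


def parse_log(text):
    """Return (header_counts, {threat_name: [detection dicts]})."""
    counts, threats, current, in_body = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not in_body:
            m = COUNT_RE.match(line.strip())
            if m:
                counts[m.group(1).lower()] = int(m.group(2))
                in_body = m.group(1) == "File"   # last summary line before detections
            continue
        if line.startswith(" "):                 # indented line = one detection
            if current is None:
                raise ValueError("detection listed before any threat name: %r" % line)
            kind, path, value = classify(line.strip())
            threats[current].append({"kind": kind, "path": path, "value": value})
        else:                                    # flush-left line = threat name
            current = line.strip()
            threats.setdefault(current, [])
    return counts, threats


def verify_counts(counts, threats):
    """Recount detections; return {category: (header_total, actual)} for mismatches."""
    actual = {"registry": 0, "file": 0}
    for entries in threats.values():
        for e in entries:
            actual["file" if e["kind"] == "file" else "registry"] += 1
    return {k: (counts.get(k), v) for k, v in actual.items() if counts.get(k) != v}


def persistence_hits(threats):
    """Registry detections that sit in a browser/logon auto-load location, by threat."""
    hits = {}
    for name, entries in threats.items():
        for e in entries:
            if e["kind"] != "file" and any(
                m.lower() in e["path"].lower() for m in PERSISTENCE_MARKERS
            ):
                hits.setdefault(name, []).append(e["path"])
    return hits


if __name__ == "__main__":
    counts, threats = parse_log(SAMPLE_LOG)
    for name, entries in threats.items():
        print(f"{name}: {len(entries)} item(s)")
    print("header/entry mismatches:", verify_counts(counts, threats) or "none")
    for name, keys in persistence_hits(threats).items():
        print(f"auto-load locations for {name}:")
        for k in keys:
            print("  ", k)
```

On the full log in this thread the recount gives 34 registry and 2 file entries, matching the header, and the only auto-load hits are the BHO registration and the two per-user URLSearchHooks values for the same CLSID; those are the entries worth re-checking after the cleanup, since a BHO that is still registered gets loaded again the next time Internet Explorer starts.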
 
Title: Re: BOOT UP from other forum
Post by: tex328 on January 02, 2009, 03:27:50 AM
Ok, I have finished ALL of the instructions listed and have attached the files to the post instead of having a 300-page post to look at.

Again, thanks for the help, and I look forward to reading everyone's posts.

[attachment deleted by admin]
Title: Re: BOOT UP from other forum
Post by: CBMatt on January 04, 2009, 05:11:55 PM
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: BOOT UP from other forum
Post by: tex328 on January 05, 2009, 02:29:13 AM
Ok, I have done the ComboFix and HijackThis again and they are attached. Thanks for the further assistance. I look forward to the next step in this process. :)

[attachment deleted by admin]
Title: Re: BOOT UP from other forum
Post by: CBMatt on January 05, 2009, 04:59:38 PM
I don't see any more infections. How are things running now?