
Thread: Badly Infected Computer (unauthorized access on Paypal account! Help!)

  1. #21 Junior Member (joined Aug 2010, North Carolina, 16 posts)

    Internet's working much better now, yes. But when I first boot my computer up and click Firefox, sometimes it takes forever for the browser window to pop up. And when I first get on the internet, it often takes it a while to "get going" so to speak, but once it gets going it runs fine.

    I think that ComboFix log I posted is the right one. It has today's date, it's just not the first date listed.

    ComboFix 10-08-10.06 - Rebel 08/11/2010 10:32:18.3.2 - x86

    In case I'm wrong, here's the log located at ComboFix.txt. The only problem is I ran ComboFix a couple of times today (I was trying to get it to offer to analyze those files again) so this log isn't going to show those files as deletions.


    ComboFix 10-08-10.06 - Rebel 08/11/2010 11:17:13.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1473 [GMT -4:00]
    Running from: c:\documents and settings\Rebel\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Rebel\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
    FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
    .

    2010-08-10 21:35 . 2010-08-10 21:35 -------- d-----w- c:\documents and settings\Rebel\Application Data\U3
    2010-08-10 19:03 . 2010-08-10 19:03 388096 ----a-r- c:\documents and settings\Rebel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-04 05:19 . 2010-08-04 05:19 -------- d-----w- c:\program files\ERUNT
    2010-07-30 00:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-30 00:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-30 00:52 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-30 00:52 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-30 00:52 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-30 00:52 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-30 00:52 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-30 00:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-30 00:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-29 22:13 . 2010-07-29 22:13 -------- d-----w- c:\program files\Trend Micro
    2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\program files\Alwil Software
    2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-10 21:30 . 2007-09-13 16:14 -------- d-----w- c:\program files\HP
    2010-08-10 21:12 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
    2010-08-10 21:07 . 2010-06-26 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
    2010-08-10 21:07 . 2007-07-23 23:11 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-04 17:25 . 2007-07-24 17:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-30 00:49 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\Rebel\Application Data\OnlineArmor
    2010-07-29 22:07 . 2007-07-23 23:05 53104 ----a-w- c:\documents and settings\Rebel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-29 21:34 . 2009-09-07 23:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
    2010-07-29 21:26 . 2005-08-24 11:14 -------- d-sh--r- c:\documents and settings\Rebel\Application Data\Winlog
    2010-07-23 01:14 . 2009-09-12 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-06-28 02:54 . 2010-06-28 02:54 -------- d-----w- c:\program files\Avanquest update
    2010-06-28 02:08 . 2010-06-28 02:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
    2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
    2010-06-26 13:05 . 2009-12-15 16:29 -------- d-----w- c:\program files\Minefield
    2010-06-26 03:57 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
    2010-06-26 03:55 . 2009-03-14 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-14 01:51 . 2009-12-22 04:11 -------- d-----w- c:\documents and settings\Rebel\Application Data\mIRC
    2010-06-02 20:31 . 2010-06-02 20:31 45024 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-05-28 11:34 . 2010-05-28 11:34 503808 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcp71.dll
    2010-05-28 11:34 . 2010-05-28 11:34 499712 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\jmc.dll
    2010-05-28 11:34 . 2010-05-28 11:34 348160 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcr71.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-08-10_18.52.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-11 15:03 . 2010-08-11 15:03 16384 c:\windows\temp\Perflib_Perfdata_4ac.dat
    + 2007-04-17 05:45 . 2009-08-06 23:24 44768 c:\windows\system32\wups2.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
    + 2010-08-10 18:54 . 2009-08-06 23:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
    + 2010-08-10 18:54 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
    + 2004-08-04 10:00 . 2010-08-10 21:31 71448 c:\windows\system32\perfc009.dat
    - 2004-08-04 10:00 . 2010-03-22 03:57 71448 c:\windows\system32\perfc009.dat
    + 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
    + 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
    + 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
    + 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
    + 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\wuweb.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
    + 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
    + 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
    + 2004-08-04 10:00 . 2010-08-10 21:31 441422 c:\windows\system32\perfh009.dat
    - 2004-08-04 10:00 . 2010-03-22 03:57 441422 c:\windows\system32\perfh009.dat
    + 2007-04-17 05:43 . 2009-08-06 23:23 215920 c:\windows\system32\muweb.dll
    + 2007-07-25 13:11 . 2009-08-06 23:23 274288 c:\windows\system32\mucltui.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\dllcache\wuweb.dll
    + 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
    + 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
    + 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
    + 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
    + 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
    + 2010-08-10 19:03 . 2010-08-10 19:03 1094656 c:\windows\Installer\ace31.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
    "Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 --sha-r- c:\desktop\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-01 13:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
    "c:\\Desktop\\a-squared Free\\a2service.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2010 8:53 PM 165456]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/8/2009 10:14 PM 178376]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/8/2009 10:14 PM 30920]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/8/2009 10:14 PM 28872]
    R2 a2free;a-squared Free Service;c:\desktop\a-squared Free\a2service.exe [3/8/2009 10:13 PM 1872320]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2010 8:53 PM 17744]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/8/2009 10:14 PM 1402568]
    S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys --> c:\windows\system32\DRIVERS\PTUMWBus.sys [?]
    S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys --> c:\windows\system32\DRIVERS\PTUMWCDF.sys [?]
    S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys --> c:\windows\system32\DRIVERS\PTUMWFLT.sys [?]
    S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys --> c:\windows\system32\DRIVERS\PTUMWMdm.sys [?]
    S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys --> c:\windows\system32\DRIVERS\PTUMWNET.sys [?]
    S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys --> c:\windows\system32\DRIVERS\PTUMWVsp.sys [?]
    S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/8/2009 10:14 PM 3321032]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - BMLoad

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    [HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
    c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003Core.job
    - c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]

    2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003UA.job
    - c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Rebel\Application Data\Mozilla\Firefox\Profiles\3idjaz6o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - plugin: c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-11 11:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-08-11 11:24:35
    ComboFix-quarantined-files.txt 2010-08-11 15:24
    ComboFix2.txt 2010-08-11 14:59
    ComboFix3.txt 2010-08-11 14:38
    ComboFix4.txt 2010-08-10 18:56

    Pre-Run: 77,776,019,456 bytes free
    Post-Run: 77,760,843,776 bytes free

    - - End Of File - - 9BAD788FF78A81D0CFC16EFB114F8F56

  2. #22 Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)

    Please don't run CF on your own anymore; it could damage your system if not run correctly.


    Reboot your system and then let me know how things are running in general.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23 Junior Member (joined Aug 2010, North Carolina, 16 posts)

    It is running better. It takes it a while to get going and it takes a while to load pages, but it's definitely running better than before we started working on it. But it's not as fast as it was, say, 6 months ago.

  4. #24 Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)

    OK, remember what I said about ComboFix: the copy you have will stop working in a few days, and if you re-download and run it on your own, this forum, myself and the author sUbs will not be responsible if you damage your system.


    Run a free online virus scanner to make sure we didn't miss anything.

    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic

  5. #25 Junior Member (joined Aug 2010, North Carolina, 16 posts)

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=066484a16ac93e429525b6286fe32c3e
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-13 04:36:24
    # local_time=2010-08-13 12:36:24 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 1141603 1141603 0 0
    # compatibility_mode=768 16777215 100 0 1149333 1149333 0 0
    # compatibility_mode=6401 16777214 100 100 0 51598452 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=55218
    # found=31
    # cleaned=0
    # scan_time=4576
    C:\Documents and Settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\43\556445eb-7b6a17af probably a variant of Win32/Agent.DYXWUMY trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\43\6d41a16b-114e6675 multiple threats 00000000000000000000000000000000 I
    C:\Documents and Settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\61\69bc18bd-7d12cf2e multiple threats 00000000000000000000000000000000 I
    C:\Documents and Settings\Rebel\Desktop\HHHUUUUUUUURRRRRRRR\RecentThings\WARRIORS\Spywarefighters\SmitfraudFix\Process.exe Win32/PrcView application 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lluuiaii.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\net.bat.vir MSIL/Autorun.N worm 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\net.vbs.vir MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\simuwjmx.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wdbxuuef.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP765\A0147607.exe Win32/Shutdown.NAA application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP784\A0151175.exe a variant of MSIL/Injector.Q trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP784\A0151176.exe a variant of MSIL/Injector.Q trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP785\A0151187.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156510.exe a variant of Win32/Injector.BEF trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156517.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156518.exe a variant of MSIL/Injector.E trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156520.exe Win32/AutoRun.Agent.WW worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156521.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156522.exe a variant of Win32/Injector.CLX trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156524.exe a variant of Win32/Injector.CMC trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156558.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156790.vbs MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0156791.bat MSIL/Autorun.N worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP786\A0159128.vbs MSIL/Autorun.Agent.A worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159619.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159620.bat MSIL/Autorun.N worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159621.vbs MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159622.exe Win32/PrcView application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159624.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{362CA220-4197-4C6B-8803-D7823399063A}\RP787\A0159629.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

  6. #26 Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)

    What ESET found were bad entries in your Windows System Restore program, the files in Qoobox (which are backups of what ComboFix removed) and also some bad files in your Java Cache folder.

    When we're done we will remove CF, and Qoobox will be removed along with it.

    This will clear your Java Cache
    1. Click Start > Settings > Control Panel.
    2. Double-click the Java Plug-in icon in the control panel.
    3. Click the Cache tab.
    4. Click Clear. A confirmation dialog box appears.
    5. Click Yes to confirm.
    6. Click Apply.




    System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

    Turn off System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.


    Reboot your computer

    Turn ON System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.


    Create a new Restore Point <-- Very Important

    • Go to Start > All Programs > Accessories > System Tools > System Restore and create a New Restore Point

    System Restore Tutorial <-- If you need it
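An added Python example (not from the thread, ESET or ComboFix) that does the triage reply #26 does by hand: it parses a log in the format posted in #25 and buckets each detection by where it lives (System Restore point, ComboFix Qoobox quarantine, Java cache or a live file), reporting the cleanup that applies and whether the scan actually removed anything. The log excerpt is constructed to match the posted format; the bucket rules and remediation text are assumptions drawn from this reply.

```python
import re
from collections import Counter, namedtuple

# Constructed excerpt in ESET Online Scanner log format: '# key=value' header
# lines, then one detection per line: <path> <threat> <32-hex hash> <flag>.
SAMPLE_LOG = """\
OnlineScanner.ocx - registred OK
# remove_checked=false
# scanned=55218
# found=5
# cleaned=0
C:\\Documents and Settings\\Rebel\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\43\\556445eb-7b6a17af probably a variant of Win32/Agent.DYXWUMY trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\Rebel\\Desktop\\Tools\\SmitfraudFix\\Process.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\net.bat.vir MSIL/Autorun.N worm 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{362CA220-4197-4C6B-8803-D7823399063A}\\RP786\\A0156520.exe Win32/AutoRun.Agent.WW worm 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{362CA220-4197-4C6B-8803-D7823399063A}\\RP787\\A0159621.vbs MSIL/Lolmehot.E worm 00000000000000000000000000000000 I
"""

Detection = namedtuple("Detection", "path threat location")

# Location buckets, most specific first. The remediation text is the advice
# from reply #26, written down here as an assumption about what each bucket
# means for cleanup; anything unmatched is a live file that needs a look.
_LOCATION_RULES = (
    (re.compile(r"\\System Volume Information\\_restore", re.I), "system_restore"),
    (re.compile(r"\\Qoobox\\Quarantine\\", re.I), "combofix_quarantine"),
    (re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I), "java_cache"),
)
REMEDIATION = {
    "system_restore": "flush restore points (System Restore off, reboot, on, new point)",
    "combofix_quarantine": "inert ComboFix backups; removed when ComboFix is uninstalled",
    "java_cache": "clear the cache from the Java Plug-in control panel",
    "live": "live file: inspect before deleting (could be a removal-tool component)",
}
_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def classify_location(path):
    """Return the bucket label for a detected path, 'live' if no rule matches."""
    for pattern, label in _LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def parse_detection(line):
    """Parse one detection line; return None for header or noise lines.
    Paths contain spaces but threat descriptions never contain a backslash, so
    every whitespace token up to the last one holding a backslash is path.
    Assumption: a final path component containing a space would be mis-split.
    """
    tokens = line.split()
    if len(tokens) < 4 or not _HASH_RE.match(tokens[-2]):
        return None
    path_idx = [i for i, tok in enumerate(tokens[:-2]) if "\\" in tok]
    if not path_idx:
        return None
    last = path_idx[-1]
    threat = " ".join(tokens[last + 1:-2])
    if not threat:
        return None
    path = " ".join(tokens[:last + 1])
    return Detection(path, threat, classify_location(path))


def parse_log(text):
    """Split a log into its '# key=value' header dict and a list of Detections."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            if sep:
                header[key.strip()] = value.strip()
        elif line:
            det = parse_detection(line)
            if det is not None:
                detections.append(det)
    return header, detections


def triage(text):
    """Summarise counts per location and whether the scan actually removed anything."""
    header, detections = parse_log(text)
    return {
        "found": int(header.get("found", "0")),
        "cleaned": int(header.get("cleaned", "0")),
        # remove_checked=false means ESET only reported; nothing was cleaned.
        "remove_enabled": header.get("remove_checked", "false") == "true",
        "by_location": dict(Counter(d.location for d in detections)),
        "live_files": [d.path for d in detections if d.location == "live"],
    }


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"found={s['found']} cleaned={s['cleaned']} remove_enabled={s['remove_enabled']}")
    for location, count in sorted(s["by_location"].items()):
        print(f"{count:3d} {location}: {REMEDIATION[location]}")
```

Run against the full log from #25 the same way; the header check also shows that the posted scan ran with remove_checked=false and cleaned=0, so those 31 hits were reported, not removed.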

  7. #27 Junior Member (joined Aug 2010, North Carolina, 16 posts)

    Okay, I've done all that.

    Should I run the scanner again (or another scanner) to double-check that all is well?

    And also, what to do about those "-crack.exe" files? And when would be a good time for me to get Windows Service Pack 3?

    Also, I'm using Avast! as my anti-virus software. I need to start using another one for spyware, malware, and adware, correct? What do you recommend? I used to use Tea Timer but it really got on my nerves, always asking questions (which wouldn't bother me, it's just that I never understood if something was good or bad so I was always afraid to answer). I just need something effective that won't use up my computer's limited resources and will just do the job quietly.

  8. #28 Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)

    Why don't you do this: these cracked files are just setup files and they're in your download folder, so why don't you just empty out your download folder?

    c:\documents and settings\rebel\my documents\downloads <-- Just delete everything inside this folder but not the folder itself; leave it all in the Recycle Bin for a day or so. I think they were just put there by malware. Whatever you do, don't run the setup with any of them.

    c:\documents and settings\rebel\my documents\downloads\adobe-crack.exe
    c:\documents and settings\rebel\my documents\downloads\alwil software-crack.exe
    c:\documents and settings\rebel\my documents\downloads\ati technologies-crack.exe
    c:\documents and settings\rebel\my documents\downloads\audacity-crack.exe
    c:\documents and settings\rebel\my documents\downloads\audible-crack.exe
    c:\documents and settings\rebel\my documents\downloads\avanquest update-crack.exe
    c:\documents and settings\rebel\my documents\downloads\bittorrent-crack.exe
    c:\documents and settings\rebel\my documents\downloads\broadcom-crack.exe
    c:\documents and settings\rebel\my documents\downloads\common files-crack.exe
    c:\documents and settings\rebel\my documents\downloads\complus applications-crack.exe
    c:\documents and settings\rebel\my documents\downloads\cricket broadband connect-crack.exe
    c:\documents and settings\rebel\my documents\downloads\cyberlink-crack.exe
    c:\documents and settings\rebel\my documents\downloads\dell computer-crack.exe
    c:\documents and settings\rebel\my documents\downloads\dell-crack.exe
    c:\documents and settings\rebel\my documents\downloads\divx-crack.exe
    c:\documents and settings\rebel\my documents\downloads\dna-crack.exe
    c:\documents and settings\rebel\my documents\downloads\hp-crack.exe
    c:\documents and settings\rebel\my documents\downloads\installshield installation information-crack.exe
    c:\documents and settings\rebel\my documents\downloads\intel-crack.exe
    c:\documents and settings\rebel\my documents\downloads\internet explorer-crack.exe
    c:\documents and settings\rebel\my documents\downloads\jasc software inc-crack.exe
    c:\documents and settings\rebel\my documents\downloads\java-crack.exe
    c:\documents and settings\rebel\my documents\downloads\microsoft activesync-crack.exe
    c:\documents and settings\rebel\my documents\downloads\microsoft capicom 2.1.0.2-crack.exe
    c:\documents and settings\rebel\my documents\downloads\microsoft frontpage-crack.exe
    c:\documents and settings\rebel\my documents\downloads\microsoft office-crack.exe
    c:\documents and settings\rebel\my documents\downloads\microsoft silverlight-crack.exe
    c:\documents and settings\rebel\my documents\downloads\minefield-crack.exe
    c:\documents and settings\rebel\my documents\downloads\movie maker-crack.exe
    c:\documents and settings\rebel\my documents\downloads\mozilla firefox-crack.exe
    c:\documents and settings\rebel\my documents\downloads\msbuild-crack.exe
    c:\documents and settings\rebel\my documents\downloads\msecache-crack.exe
    c:\documents and settings\rebel\my documents\downloads\msn gaming zone-crack.exe
    c:\documents and settings\rebel\my documents\downloads\msxml 6.0-crack.exe
    c:\documents and settings\rebel\my documents\downloads\netmeeting-crack.exe
    c:\documents and settings\rebel\my documents\downloads\online services-crack.exe
    c:\documents and settings\rebel\my documents\downloads\outlook express-crack.exe
    c:\documents and settings\rebel\my documents\downloads\pantech-crack.exe
    c:\documents and settings\rebel\my documents\downloads\quicktime-crack.exe
    c:\documents and settings\rebel\my documents\downloads\reference assemblies-crack.exe
    c:\documents and settings\rebel\my documents\downloads\roxio-crack.exe
    c:\documents and settings\rebel\my documents\downloads\tall emu-crack.exe
    c:\documents and settings\rebel\my documents\downloads\uninstall information-crack.exe
    c:\documents and settings\rebel\my documents\downloads\videolan-crack.exe
    c:\documents and settings\rebel\my documents\downloads\windows media player-crack.exe
    c:\documents and settings\rebel\my documents\downloads\windows nt-crack.exe
    c:\documents and settings\rebel\my documents\downloads\windowsupdate-crack.exe
    c:\documents and settings\rebel\my documents\downloads\winrar-crack.exe
    c:\documents and settings\rebel\my documents\downloads\xerox-crack.exe
    c:\documents and settings\rebel\my documents\downloads\yahoo!-crack.exe
    c:\program files\jasc software inc\paint shop pro 8\bump maps\cracked desert.pspimage <--Delete these
    c:\program files\jasc software inc\paint shop pro 8\patterns\cracked paint.pspimage
    c:\program files\jasc software inc\paint shop pro 8\picture frames\black crackle.pspframe

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot-up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

    Avast is fine, a nice program. I am going to link you to some free tools to install. The TeaTimer in Spybot does get in your face at times; what you can do is keep Spybot but just don't enable the TeaTimer. One of the free programs is Spyware Blaster, which does the same thing as the TeaTimer but not in your face.

    I think you're clear to go ahead and install Service Pack 3. You can do that by opening IE and going to Tools > Windows Update, then downloading and installing all critical updates including SP3 and IE 8; do not install any driver files for other programs.


    Go to your Control Panel and click on the Java icon (it looks like a little coffee cup), click on About, and you should have Version 6 Update 21; if not, proceed with the instructions.

    Download the latest version Here and save it; do not install it yet.

    Java SE Runtime Environment (JRE) JRE 6 Update 21 <--The wording is confusing but this is what you need

    • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
    • Reboot your computer
    • Install the latest version

    You can verify the installation Here

    ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

    Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

    Combofix <--- Is not a general cleaning tool; only run it with supervision or you can damage your system.

    • Click START then RUN
    • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

    • When shown the disclaimer, select "2"


    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Now to remove most of the tools that we have used in fixing your machine:
    • Make sure you have an Internet Connection.
    • Download OTC to your desktop and run it
    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

    Keep in mind, if you install some of these programs, that only ONE Anti-Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.

    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
    • Spybot Search and Destroy 1.6
      Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
    • WinPatrol Keep this fine program activated to block a lot of threats
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

    Safe Surfn
    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
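    Added example, not part of the thread and not code from any of the tools Ken names: a small Python script that parses a pasted file listing in the form quoted above and sorts the hits by shape. The long run of "<name>-crack.exe" files in the Downloads folder is distinctive because every <name> repeats a folder name from under Program Files (dell, java, common files, installshield installation information, and so on), which is how a batch of identically shaped decoy executables looks in a log; the Paint Shop Pro texture assets, by contrast, are ordinary files that only contain the word "crack". The listing excerpt and the set of Program Files folder names below are constructed for the example; on a real machine the folder names would be read from the Program Files directory.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the ComboFix listing quoted in the post:
# indented paths, with the helper's "<--" annotation on one of the lines.
LISTING_TEXT = r"""
    c:\documents and settings\rebel\my documents\downloads\dell-crack.exe
    c:\documents and settings\rebel\my documents\downloads\java-crack.exe
    c:\documents and settings\rebel\my documents\downloads\common files-crack.exe
    c:\documents and settings\rebel\my documents\downloads\installshield installation information-crack.exe
    c:\documents and settings\rebel\my documents\downloads\yahoo!-crack.exe
    c:\program files\jasc software inc\paint shop pro 8\bump maps\cracked desert.pspimage <--Delete these
    c:\program files\jasc software inc\paint shop pro 8\patterns\cracked paint.pspimage
    c:\program files\jasc software inc\paint shop pro 8\picture frames\black crackle.pspframe
"""

# Folder names assumed to exist under Program Files on the machine (constructed
# for this example; on a live system read them with os.listdir(r"C:\Program Files")).
PROGRAM_FILES_DIRS = {
    "dell", "java", "common files",
    "installshield installation information", "jasc software inc",
}

CRACK_EXE = re.compile(r"^(?P<stem>.+)-crack\.exe$", re.IGNORECASE)


def parse_listing(text):
    """Return the file paths from a pasted listing, dropping blank lines and
    any trailing '<--' annotation the helper added next to a path."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path = line.split("<--", 1)[0].rstrip()
        paths.append(path)
    return paths


def triage(paths, program_dirs):
    """Sort keyword hits into three buckets:
    - downloads_named_after_program_dirs: '<name>-crack.exe' in a Downloads
      folder whose <name> is a Program Files folder name (the pattern that
      dominates the quoted listing);
    - other_crack_exe: any other '<name>-crack.exe';
    - keyword_only: files whose name merely contains 'crack' and are not
      '-crack.exe' executables, e.g. the Paint Shop Pro texture assets."""
    groups = defaultdict(list)
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        m = CRACK_EXE.match(name)
        if m and folder.endswith("\\downloads") and m.group("stem") in program_dirs:
            groups["downloads_named_after_program_dirs"].append(p)
        elif m:
            groups["other_crack_exe"].append(p)
        else:
            groups["keyword_only"].append(p)
    return dict(groups)


def summarize(text, program_dirs):
    """Parse then triage; returns bucket name -> number of paths in it."""
    return {k: len(v) for k, v in triage(parse_listing(text), program_dirs).items()}


if __name__ == "__main__":
    for bucket, items in triage(parse_listing(LISTING_TEXT), PROGRAM_FILES_DIRS).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

    The script only groups paths; it deletes nothing, so it can be run over any pasted log before deciding what to act on. Bucket names are the example's own.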

  9. #29
    Junior Member
    Join Date
    Aug 2010
    Location
    North Carolina
    Posts
    16

    Default

    Alright Ken, I downloaded all that stuff and I feel much better about my computer now. It's still a bit slow on startup but I suspect that's due to its age, hard drive size, and amount of memory. I'll read the guides you posted. Is there anything else I need to do?

  10. #30
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Looks like you're free to go.

    You may want to post in our sister site in the Windows forum; we all work together, and you can link them to this thread if you wish. Just tell them you had some bad infections that we cleaned but your system is a bit slow; they can go through the start-up list and maybe sort out a few things that are slowing it down.

    http://forums.whatthetech.com/index.php?showforum=119

    You have 2 GB of memory, which is more than adequate for this system. It looks like you have half your hard drive full, which is ok, but you may have a lot of stuff that you can give the boot to, like old programs you don't use anymore. Rule of thumb with software you installed: if you haven't used it in 6 months, then get rid of it.

    Ken
