in need of help with malware removal

[oldman960]

Hi mla34,

Try running it this way. Make sure combofix is on your desktop.

Click start > run. Copy and paste this into the run box and click ok

combofix /nombr

[mla34]

Ok, OM...this time it worked...not sure why there was a problem doing it the other way. Here are the results....the only fyi is that I had to reconnect to the internet and got a msg telling me that IE was not the default browser and did I want to make it so....not sure why that would have changed...
Anyway, let me know what you think the next step should be...thanks!

ComboFix 12-04-16.02 - Home 04/17/2012 16:34:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.469 [GMT -4:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\EventSystem.log
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-17 20:32 . 2012-04-17 20:32 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\MpKsl942fd50b.sys
2012-04-17 19:45 . 2012-04-17 19:45 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\offreg.dll
2012-04-17 17:00 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\mpengine.dll
2012-04-10 18:41 . 2012-04-10 18:41 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes
2012-04-10 18:38 . 2012-04-10 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-10 18:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 18:38 . 2012-04-10 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-09 21:44 . 2012-04-10 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-04-09 21:44 . 2012-04-09 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-09 21:36 . 2012-04-09 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2012-04-02 16:34 . 2012-04-02 16:34 -------- d-----w- c:\program files\Microsoft Silverlight
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 19:25 . 2012-04-12 19:25 3233 ----a-w- C:\attach.zip
2012-03-14 02:15 . 2011-11-23 14:35 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2010-04-05 19:57 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2010-04-05 19:57 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2010-04-05 19:57 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-04-05 21:27 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Home\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKsl942fd50b;MpKsl942fd50b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\MpKsl942fd50b.sys [4/17/2012 4:32 PM 29904]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL942FD50B
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-04-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-04-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-17 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-04-17 16:43:54
ComboFix-quarantined-files.txt 2012-04-17 20:43
.
Pre-Run: 20,608,397,312 bytes free
Post-Run: 21,029,093,376 bytes free
.
- - End Of File - - 1DEBB42C02E02C2FC825EEC0BC63AD7E

[oldman960]

Hi mla34,

When combofix runs it sets a few things back to default so what you saw was normal. Combofix and DDs seem to have had a problem with the MBR. That happens some times.

Let's have another look with aswMBR. Run it like you did last time and post the log along with the mbr.dat that will be produced. The mbr.dat will need to be attached.

[mla34]

Here you go....
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-18 10:04:43
-----------------------------
10:04:43.984 OS Version: Windows 5.1.2600 Service Pack 3
10:04:43.984 Number of processors: 2 586 0xF02
10:04:43.984 ComputerName: 8G77SC1 UserName: Home
10:04:44.875 Initialize success
10:08:35.062 AVAST engine defs: 12041800
10:10:26.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:10:26.484 Disk 0 Vendor: ST94813AS 8.04 Size: 38154MB BusType: 3
10:10:26.484 Disk 0 MBR read successfully
10:10:26.484 Disk 0 MBR scan
10:10:26.562 Disk 0 Windows XP default MBR code
10:10:26.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
10:10:26.578 Disk 0 scanning sectors +78140160
10:10:27.093 Disk 0 scanning C:\WINDOWS\system32\drivers
10:10:49.609 Service scanning
10:10:59.453 Service MpKsl9982ab46 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B4B1E6A6-FAD5-4857-9A60-E4BCF22CA4D5}\MpKsl9982ab46.sys **LOCKED** 32
10:11:11.250 Modules scanning
10:11:17.703 Disk 0 trace - called modules:
10:11:17.734 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:11:17.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d44030]
10:11:17.750 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\00000074[0x86d0b9e8]
10:11:17.750 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d0bd98]
10:11:18.140 AVAST engine scan C:\WINDOWS
10:11:37.921 AVAST engine scan C:\WINDOWS\system32
10:14:33.500 AVAST engine scan C:\WINDOWS\system32\drivers
10:14:54.937 AVAST engine scan C:\Documents and Settings\Home
10:15:18.890 File: C:\Documents and Settings\Home\Application Data\Office Genuine Advantage\Office Genuine Advantage\afxjahc.dll **INFECTED** Win32:Trojan-gen
10:21:56.375 AVAST engine scan C:\Documents and Settings\All Users
10:22:28.437 Scan finished successfully
10:37:39.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Home\Desktop\MBR.dat"
10:37:39.984 The log file has been saved successfully to "C:\Documents and Settings\Home\Desktop\aswMBR2.txt"

[oldman960]

Hi mla34,

I think we can clean up the tools as your computer appears to be clean.

From your desktop, please delete, if present

• any notepads/logs that we created
• TDSSKiller
• aswMBR.exe
• mbr.dat
• mbr.zip
• DDS.scr

You can also delete this file C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt along with this folder C:\TDSSKiller_Quarantine

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK

Combofix /uninstall

Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

You can keep TFC, use it occasionally to clean out the temp files.

I suggest you keep MBAM. Keep it updated and use it regularly.

Updates and upgrades

Your java is out of date. Click your start button, open Control panel.

• Locate the Java icon (it looks like a coffee cup)
• double click it to open it
• click the Update tab
• Click update now

Decline the Ask Tool bar when it's offered during the update.

After the java is updated, reboot your computer if not prompted to.

Next, clear the java cache

To clear the Java Plug-in cache:

• Click Start > Control Panel.
• Double-click the Java icon in the control panel.
• On the General tab, Click Settings under Temporary Internet Files.
• On the Temporary Files Settings screen, Click Delete Files.
• check all boxes
• Click OK

Adobe Reader

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources. If you chose to use FoxIt decline the Foxit Toolbar offered during the install.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 9.5.0 first. Be sure to move any PDF documents to another folder first though.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)

You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a host file manager. and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.

• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
• Change the Download unsigned ActiveX controls to Disable
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis

- Make sure you have reset Automatic Updates to your chosen option Click your start button > Control Panel > System > Automatic updates tab

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care

[mla34]

Hi, OM,
You gave me quite a bit of homework...lol...but it's all done. I can't thank you enough for your professional help and guidance with the issues on this laptop and I certainly could not have done all of this without your help! All seems to be fine now! I will be making another donation to show my appreciation! Thanks again!

[oldman960]

Hi mla34,

You are more than welcome. And Thank You!

Take care, keep safe.

[oldman960]

Since this issue appears to be resolved ... this Topic has been closed.