Yet another virtumone



novirtu
2008-09-12, 03:56
This is a friend's PC. It runs slow and connects to many bogus web sites with pop-ups. Ran Spybot in normal and safe mode and removed several items, including something called "hotbar" which had an icon in the system tray.

Thanks for helping!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:32 PM, on 9/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [fcfa8db8] rundll32.exe "C:\WINDOWS\System32\atvmlbnw.dll",b
O4 - HKLM\..\Run: [BMffc9be24] Rundll32.exe "C:\WINDOWS\System32\yocpgfam.dll",s
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [A00F327F5E.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F327F5E.exe
O4 - HKCU\..\Run: [A00F313F6C.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F313F6C.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: ecdrqb.dll,C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6130 bytes

ken545
2008-09-12, 14:20
Hello novirtu

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [fcfa8db8] rundll32.exe "C:\WINDOWS\System32\atvmlbnw.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\System32\yocpgfam.dll",s
O4 - HKCU\..\Run: [A00F327F5E.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F327F5E.exe
O4 - HKCU\..\Run: [A00F313F6C.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F313F6C.exe

O20 - AppInit_DLLs: ecdrqb.dll,C:\WINDOWS\System32\DBnetlib32.dll




Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

novirtu
2008-09-13, 03:11
Hello ken545,

Thanks for helping!

I'm not sure what "extra note" you referred to, but I rebooted the system when prompted to do so. After the reboot, I got a message from RUNDLL that C:\WINDOWS\system32\yocpgfam.dll was not found.

The logs will be in my next post.

novirtu
2008-09-13, 03:20
ken545,

Looks like I'm still getting unsolicited pop-ups. Here are the logs.

Malwarebytes' Anti-Malware 1.28
Database version: 1143
Windows 5.1.2600 Service Pack 1

9/12/2008 5:57:44 PM
mbam-log-2008-09-12 (17-57-44).txt

Scan type: Quick Scan
Objects scanned: 42802
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 24
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 61

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\atvmlbnw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\opnlLCvT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ecdrqb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\rqRKBQkK.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\__c00F23F1.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c9fa9f4-fb1e-4644-b615-be1bcaf0e4b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c9fa9f4-fb1e-4644-b615-be1bcaf0e4b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{638d7b07-2306-4c21-b5fd-7b9b8f9c8946} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{638d7b07-2306-4c21-b5fd-7b9b8f9c8946} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9914b4d2-f63e-48c1-aba6-635153835dac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrkbqkk (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9914b4d2-f63e-48c1-aba6-635153835dac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00f23f1 (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9914b4d2-f63e-48c1-aba6-635153835dac} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmffc9be24 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnllcvt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnllcvt -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\ecdrqb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\opnlLCvT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\TvCLlnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TvCLlnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rqRKBQkK.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\atvmlbnw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wnblmvta.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ddcAstUo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hhrlosiv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\knfwyfyl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iyjdqawu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\merliaew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\qoivcsyc.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ouaopg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rfbdumar.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pmnLfefc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bamokamn.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\betjotwp.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fvlzsk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ljJAQKAq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\milokcre.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wvUkLCrq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xgjptqks.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xssgfwmk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\yeyqvebl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\flqjwgvb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fluqlvco.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iifCtsrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iiffCrqO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iiffDuTJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vihjwwof.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill & Mary\Local Settings\Temporary Internet Files\Content.IE5\R1Y1OAYV\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill & Mary\Local Settings\Temporary Internet Files\Content.IE5\WZ28Z04R\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00F23F1.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yocpgfam.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\__c0016484.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00D3184.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00ECCE.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00FF570.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tuvUKBUN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urqpmMCs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMffc9be24.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMffc9be24.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0024242.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00384DC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c003DD08.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c004AF66.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c005006F.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c005C7DB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c008C4CA.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0093284.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0096C8C.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00A2F19.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00AC4CB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00D5A71.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00F0E68.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00F2DB1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:46 PM, on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5994 bytes

ken545
2008-09-13, 03:56
Hello,

The error you're getting is because a file belonging to a trojan has been deleted but it still wants to run; it will go away as we get into the cleaning.

Remove these with HJT.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll

O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)





Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

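The two replies above pick the same kinds of entries out of each HijackThis log: Run values with random hex-looking names, executables launched from a Temp folder, AppInit_DLLs, a Winlogon Notify hook, an orphaned BHO and a service whose binary is already gone. The script below, an added example that is not part of this thread and not a tool from Safer Networking, HijackThis or Malwarebytes, automates that first-pass triage over sample lines copied from the logs posted here. The heuristics and function names (HEXISH_NAME, TEMP_PATH, flag, triage) are my own assumptions about what makes these entries stand out; a match is a reason to look closer, not proof of infection.

```python
"""Triage a HijackThis-style log for common persistence indicators.

Added example for this thread; not a tool from the forum or from HijackThis.
Heuristics are assumptions: a hit means 'look at this', not 'malicious'.
"""
import re
from typing import Dict, List, Tuple

# Value names like "fcfa8db8", "BMffc9be24" or "A00F327F5E.exe": up to two
# letters, then eight or more hex digits, optionally ".exe".  Assumed
# heuristic for the randomised names seen in this thread.
HEXISH_NAME = re.compile(r"^[A-Za-z]{0,2}[0-9A-Fa-f]{8,}(\.exe)?$")
# Short (8.3) or long form of the per-user Temp folder on XP.
TEMP_PATH = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)
# 'O4 - ...', 'R0 - ...' etc.
LINE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

# Constructed sample: lines copied from the HijackThis logs in this thread,
# mixed with legitimate entries from the same logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [fcfa8db8] rundll32.exe "C:\WINDOWS\System32\atvmlbnw.dll",b
O4 - HKLM\..\Run: [BMffc9be24] Rundll32.exe "C:\WINDOWS\System32\yocpgfam.dll",s
O4 - HKCU\..\Run: [A00F327F5E.exe] C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\_A00F327F5E.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll (file missing)
O20 - AppInit_DLLs: ecdrqb.dll,C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def parse_line(line: str) -> Tuple[str, str]:
    """Split 'O4 - HKLM\\..\\Run: [x] y' into ('O4', 'HKLM\\..\\Run: [x] y')."""
    m = LINE.match(line.strip())
    if not m:
        return ("", line.strip())
    return (m.group(1), m.group(2))


def flag(line: str) -> List[str]:
    """Return the reasons one log line deserves a closer look (empty = none)."""
    section, body = parse_line(line)
    reasons: List[str] = []
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs are loaded into every process that uses user32.dll.
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        reasons.append("AppInit_DLLs loads into every GUI process: " + ", ".join(dlls))
    if section == "O20" and body.startswith("Winlogon Notify:"):
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if HEXISH_NAME.match(name):
            reasons.append(f"Winlogon Notify hook with random hex name '{name}'")
    if section == "O4":
        m = re.search(r"\[([^\]]+)\]\s*(.*)$", body)
        if m:  # Global Startup .lnk entries have no [name] and are skipped
            name, target = m.group(1), m.group(2)
            if HEXISH_NAME.match(name):
                reasons.append(f"Run value with random hex name '{name}'")
            if TEMP_PATH.search(target):
                reasons.append("Run value launches an executable from a Temp folder")
    if section == "O2" and "(no name)" in body and "(file missing)" in body:
        reasons.append("orphaned BHO: no name and its DLL is already gone")
    if section == "O23" and "(file missing)" in body and TEMP_PATH.search(body):
        reasons.append("service whose binary lived in a Temp folder and is now missing")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its list of reasons."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        reasons = flag(line)
        if reasons:
            out[line.strip()] = reasons
    return out


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```

Run it on a real log by replacing SAMPLE_LOG with the file's contents; the legitimate IgfxTray, Acrobat BHO and Lexmark service lines in the sample produce no hits, while the seven entries the helper had fixed do.
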
novirtu
2008-09-13, 05:00
Ken,

Wow, thanks for the quick reply! I think we're making progress; I see that the windows update tray icon has returned :-) I'm not getting IE pop-ups, but I currently have the machine behind a firewall that is blocking access to all but this web site.



ComboFix 08-09-12.03 - Bill & Mary 2008-09-12 19:36:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.86 [GMT -7:00]
Running from: C:\Documents and Settings\Bill & Mary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\AHNTAcfe.ini
C:\WINDOWS\SYSTEM32\AHNTAcfe.ini2
C:\WINDOWS\SYSTEM32\AJRXIkkj.ini
C:\WINDOWS\SYSTEM32\AJRXIkkj.ini2
C:\WINDOWS\SYSTEM32\bdgOoUvw.ini
C:\WINDOWS\SYSTEM32\bdgOoUvw.ini2
C:\WINDOWS\system32\cbpubpwn.dll
C:\WINDOWS\system32\cpjndbld.dll
C:\WINDOWS\system32\dhyeasnh.dll
C:\WINDOWS\system32\djelyffh.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\ebdbslsq.dll
C:\WINDOWS\system32\euqabi.dll
C:\WINDOWS\system32\ferthncs.ini
C:\WINDOWS\SYSTEM32\ffhNnnmp.ini
C:\WINDOWS\SYSTEM32\ffhNnnmp.ini2
C:\WINDOWS\system32\fknvstcn.dll
C:\WINDOWS\SYSTEM32\FLSYyyay.ini
C:\WINDOWS\SYSTEM32\FLSYyyay.ini2
C:\WINDOWS\system32\FM20ENU32.dll
C:\WINDOWS\system32\fqcdncub.ini
C:\WINDOWS\SYSTEM32\frisfpws.ini
C:\WINDOWS\SYSTEM32\gQBHgfhk.ini
C:\WINDOWS\SYSTEM32\gQBHgfhk.ini2
C:\WINDOWS\system32\gsfqmotq.dll
C:\WINDOWS\SYSTEM32\hgPsBJlm.ini
C:\WINDOWS\SYSTEM32\hgPsBJlm.ini2
C:\WINDOWS\system32\hhbckeom.dll
C:\WINDOWS\system32\huywgwmx.dll
C:\WINDOWS\SYSTEM32\ihddbgxb.ini
C:\WINDOWS\system32\inbhpt.dll
C:\WINDOWS\system32\kpdaybjx.ini
C:\WINDOWS\system32\lewbaqfy.dll
C:\WINDOWS\system32\lpwknnrh.dll
C:\WINDOWS\system32\lxquyu.dll
C:\WINDOWS\SYSTEM32\moYIkUvw.ini
C:\WINDOWS\SYSTEM32\moYIkUvw.ini2
C:\WINDOWS\SYSTEM32\MpWaGfhk.ini
C:\WINDOWS\SYSTEM32\MpWaGfhk.ini2
C:\WINDOWS\SYSTEM32\OpVwvyxx.ini
C:\WINDOWS\SYSTEM32\OpVwvyxx.ini2
C:\WINDOWS\SYSTEM32\opYJmUtv.ini
C:\WINDOWS\SYSTEM32\opYJmUtv.ini2
C:\WINDOWS\SYSTEM32\pcqcugsb.ini
C:\WINDOWS\SYSTEM32\qvemwsrx.ini
C:\WINDOWS\system32\rpjwvyan.dll
C:\WINDOWS\system32\rsphorcb.dll
C:\WINDOWS\system32\sigpsinf.ini
C:\WINDOWS\system32\smueaq.dll
C:\WINDOWS\system32\svlpxg.dll
C:\WINDOWS\SYSTEM32\sYaacfhk.ini
C:\WINDOWS\SYSTEM32\sYaacfhk.ini2
C:\WINDOWS\system32\tbprvbhc.dll
C:\WINDOWS\system32\tnnbsd.dll
C:\WINDOWS\SYSTEM32\TuCLmnnn.ini
C:\WINDOWS\SYSTEM32\TuCLmnnn.ini2
C:\WINDOWS\SYSTEM32\UuFMoXyb.ini
C:\WINDOWS\SYSTEM32\UuFMoXyb.ini2
C:\WINDOWS\SYSTEM32\vDMUBJlm.ini
C:\WINDOWS\SYSTEM32\vDMUBJlm.ini2
C:\WINDOWS\SYSTEM32\WHhgQqru.ini
C:\WINDOWS\SYSTEM32\WHhgQqru.ini2
C:\WINDOWS\SYSTEM32\XIhgQqss.ini
C:\WINDOWS\SYSTEM32\XIhgQqss.ini2
C:\WINDOWS\SYSTEM32\xqjlwgmj.ini
C:\WINDOWS\system32\xtxudpsd.dll
C:\WINDOWS\system32\yvarqcca.ini
C:\WINDOWS\system32\yxvtec.dll
C:\WINDOWS\system32\zwdnrk.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
.

2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Documents and Settings\Bill & Mary\Application Data\Malwarebytes
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-12 17:50 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-12 17:50 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-11 18:44 . 2008-09-11 18:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-11 18:23 . 2008-09-11 18:23 126,976 --a------ C:\WINDOWS\SYSTEM32\DBnetlib32.dll
2008-09-10 22:52 . 2003-10-20 19:34 <DIR> d-------- C:\Documents and Settings\Administrator.BILL\WINDOWS
2008-09-10 22:52 . 2003-10-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator.BILL\Application Data\Sonic
2008-09-10 22:52 . 2008-09-10 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.BILL
2008-09-10 21:16 . 2008-09-10 21:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-10 21:16 . 2008-09-10 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 23:57 . 2008-09-09 23:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-09 23:57 . 2008-09-09 23:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-09 20:37 . 2003-10-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-09-09 20:37 . 2008-09-09 21:07 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-09-09 18:17 . 2008-09-09 21:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 18:17 . 2008-09-10 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 18:13 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\SYSTEM32\PowerToysLicense.rtf
2008-09-09 18:03 . 2008-09-09 18:03 <DIR> d-------- C:\Program Files\Iarsn
2008-09-09 18:03 . 2006-10-24 16:29 17,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Tsknf700.sys
2008-09-09 17:52 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-09-09 17:52 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 23:23 --------- d-----w C:\Program Files\America Online 8.0
2008-07-31 20:59 1,481,097 --sha-w C:\WINDOWS\SYSTEM32\xkunnxie.tmp
2008-07-08 21:41 118,784 ----a-w C:\WINDOWS\SYSTEM32\fldrclnr32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-20 151597]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 122880]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 200704]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 159744]
"VirusScan Online"="c:\program files\mcafee.com\vso\mcvsshld.exe" [2003-03-21 159744]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.EXE" [2000-06-07 794112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"McRegWiz"="c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-08-21 135168]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-10-20 36939]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcfa8d17442]
2008-09-11 18:23 126976 C:\WINDOWS\SYSTEM32\DBnetlib32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\DBnetlib32.dll

R1 TSKNF700.SYS;TSKNF700.SYS;C:\WINDOWS\System32\Drivers\TSKNF700.SYS [2006-10-24 17928]
S3 NH;NH;C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe [ ]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{8D97175F-7F22-4560-A8C0-037199C70543} - C:\WINDOWS\System32\yayyYSLF.dll
HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.dellnet.com
R1 -: HKCU-Internet Settings,ProxyOverride = hxxp://localhost;
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 19:40:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\DBnetlib32.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\DBnetlib32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LexBceS.exe
C:\WINDOWS\SYSTEM32\Lexpps.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\SYSTEM32\IMAPI.EXE
.
**************************************************************************
.
Completion time: 2008-09-12 19:42:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-13 02:41:59

Pre-Run: 153,968,242,688 bytes free
Post-Run: 153,878,573,056 bytes free

196 --- E O F --- 2007-11-16 02:29:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:34 PM, on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6135 bytes

ken545
2008-09-13, 12:41
Hello,

You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

C:\WINDOWS\SYSTEM32\xkunnxie.tmp <--- Delete this

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see.

C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\WINDOWS\SYSTEM32\DRIVERS\Tsknf700.sys
C:\WINDOWS\SYSTEM32\fldrclnr32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe

novirtu
2008-09-14, 01:04
C:\WINDOWS\SYSTEM32\xkunnxie.tmp <--- Delete this


I deleted that file. There is also an xkunnxie.ini file that was hidden. Should I delete it as well?

C:\WINDOWS\SYSTEM32\DRIVERS\Tsknf700.sys

I believe that is part of TaskInfo (http://www.iarsn.com/taskinfo.html) which I installed before I realized how messed-up the system was :-)

I'll post the reports next...

ken545
2008-09-14, 01:24
xkunnxie.ini <-- Delete this one too

Tsknf700.sys <-- That's fine, I got mixed results on it, and as long as you installed it, it's ok

These two I am sure are bad, but I always like to double-check before we remove them
C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe

novirtu
2008-09-14, 01:26
Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 TR/Spy.Gen
Authentium 5.1.0.4 2008.09.13 W32/Heuristic-KPP!Eldorado
Avast 4.8.1195.0 2008.09.13 -
AVG 8.0.0.161 2008.09.13 -
BitDefender 7.2 2008.09.14 -
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.14 DLOADER.Trojan
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6087 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.14 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14332.0 2008.09.13 -
Fortinet 3.113.0.0 2008.09.13 -
GData 19 2008.09.14 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.454 2008.09.13 -
Kaspersky 7.0.0.125 2008.09.14 -
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.14 -
NOD32v2 3440 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.13 -
PCTools 4.4.2.0 2008.09.13 -
Prevx1 V2 2008.09.14 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 Mal/Behav-027
Sunbelt 3.1.1633.1 2008.09.13 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.082 2008.09.14 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.13 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.13 -
Webwasher-Gateway 6.6.2 2008.09.13 Trojan.Spy.Gen
Additional information
File size: 126976 bytes
MD5...: 44ce91355fe8a010fd46cc20a02df8dd
SHA1..: c69d4325315faf9fe52e096da573bd14cbb0fd1d
SHA256: 4de09058e0107ae1b174f84c560d70dfd1dda7b525273aad99d2754a4e62bafa
SHA512: 4a82f9b1da05dccb9a7d49f6e5d01742db68b2afb69c975057b7ca76a7f3d588
9b8d472023882eebd7ea21b08f6c2dfbedf427369cbfb31d5cae02e07e9cd841
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001fad
timedatestamp.....: 0x48c12dd7 (Fri Sep 05 13:02:15 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1370e 0x14000 6.48 bd2565d5b9cdbac29685c34ef97c5813
.rdata 0x15000 0x6099 0x7000 6.19 01b9da7234f3fec043e3affc0615cd9a
.data 0x1c000 0xf38 0x1000 1.99 9c23fa93f4436970b5596ee3e5cc7cb3
.reloc 0x1d000 0x18ca 0x2000 5.56 a06a6e553d179b13b033fd6e2b970200

( 10 imports )
> ntdll.dll: _snprintf, _strnicmp, strlen, tolower, strstr, memcmp, _ui64toa, _itoa, memcpy, _ultoa, _stricmp, _chkstk, _allmul, atoi, memset, _alldiv
> msvcrt.dll: strtok
> WS2_32.dll: -, WSAGetOverlappedResult, WSACreateEvent, WSAIoctl, -, -, -, WSAWaitForMultipleEvents, -, WSASend, WSASocketW, WSARecv, -, -, -, -, -, -
> WININET.dll: InternetCloseHandle, HttpQueryInfoA, InternetOpenUrlA, HttpOpenRequestA, InternetConnectA, HttpAddRequestHeadersA, InternetReadFile, InternetSetOptionA, HttpSendRequestA, InternetOpenA
> KERNEL32.dll: ResetEvent, GetVolumeInformationA, GetWindowsDirectoryA, GetFileTime, HeapSetInformation, HeapFree, SetNamedPipeHandleState, WaitNamedPipeA, HeapAlloc, TransactNamedPipe, HeapCreate, HeapDestroy, GetVersionExA, FreeLibrary, LoadLibraryA, OpenFileMappingA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, ExitProcess, GetFileAttributesA, GetFileAttributesExA, TlsGetValue, CreateEventA, TlsSetValue, TlsAlloc, VirtualFreeEx, OpenProcess, CreateRemoteThread, Process32First, WriteProcessMemory, ProcessIdToSessionId, GetCurrentThreadId, CloseHandle, GetCurrentProcessId, Thread32First, Thread32Next, GetProcAddress, OpenThread, InterlockedIncrement, GetModuleHandleA, InterlockedDecrement, CreateToolhelp32Snapshot, GetLocalTime, SetUnhandledExceptionFilter, OpenMutexA, CreateThread, SystemTimeToFileTime, Sleep, lstrcpyA, GetExitCodeThread, GetCurrentProcess, OpenEventA, LeaveCriticalSection, WaitForSingleObject, ReadFile, InterlockedCompareExchange, GetModuleFileNameW, WaitForMultipleObjects, SetEvent, GetModuleFileNameA, lstrcatA, GetCurrentThread, VirtualFree, FlushFileBuffers, CreateMutexA, GetLastError, WriteFile, OutputDebugStringA, CreateFileA, DuplicateHandle, GetFileSize, lstrcmpiA, EnterCriticalSection, ReleaseMutex, InitializeCriticalSection, lstrlenA, GetFileInformationByHandle, TerminateThread, Process32Next, GetSystemTime, CreateNamedPipeA, PeekNamedPipe, ConnectNamedPipe, DisconnectNamedPipe, SetFilePointer, GetTempPathA, SetEndOfFile, GetTempFileNameA, lstrcmpA, DeleteCriticalSection, FlushInstructionCache, VirtualAlloc, VirtualProtect, GetThreadContext, SuspendThread, SetThreadContext, ResumeThread, VirtualQuery, SetLastError, lstrcmpW, MultiByteToWideChar, GetTickCount, DeleteFileA, CreateProcessA, VirtualAllocEx
> USER32.dll: PeekMessageA, SetForegroundWindow, ShowWindow, WaitForInputIdle, MsgWaitForMultipleObjects, GetSystemMetrics, wsprintfA, DispatchMessageA
> ADVAPI32.dll: RegDeleteKeyA, OpenSCManagerA, CloseServiceHandle, OpenServiceA, RegCreateKeyExA, ChangeServiceConfigA, RegOpenKeyExA, ControlService, RegQueryInfoKeyA, RegEnumKeyExA, RegCloseKey, RegQueryValueExA, RegSetValueExA
> SHELL32.dll: ShellExecuteA
> ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance
> OLEAUT32.dll: -, -

( 2 exports )
DllGetClassObject, EventStartup

novirtu
2008-09-14, 01:29
Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.13 -
Avast 4.8.1195.0 2008.09.13 -
AVG 8.0.0.161 2008.09.13 -
BitDefender 7.2 2008.09.14 -
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.14 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.14 -
F-Secure 8.0.14332.0 2008.09.14 -
Fortinet 3.113.0.0 2008.09.13 -
GData 19 2008.09.14 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.454 2008.09.13 -
Kaspersky 7.0.0.125 2008.09.14 -
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.14 -
NOD32v2 3440 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.13 -
PCTools 4.4.2.0 2008.09.13 -
Prevx1 V2 2008.09.14 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 -
Sunbelt 3.1.1633.1 2008.09.13 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.082 2008.09.14 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.13 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.13 -
Webwasher-Gateway 6.6.2 2008.09.13 -
Additional information
File size: 17928 bytes
MD5...: b9075b97e75639239a17a964d1f86484
SHA1..: a8d6d8b009b840759e2f6e0f537a3100fa329644
SHA256: 83c765651b76dd5da8d59e32a863c7f3067adc6724e3a2b10f018bd1272bb5ff
SHA512: 22ebc4376c68980544f69e94da94fda06b2c624f8475eaac01b61810a3b1f5d2
714528de7fbf4a2fd64bbf4f8c64923d3914e3589097affb51d323cd21e36aac
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10e12
timedatestamp.....: 0x453b9714 (Sun Oct 22 16:06:44 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x1fde 0x1fe0 6.19 1bc45890d68ec2c0ac01c4ee2db3bd81
.data 0x2260 0x108 0x120 2.12 b81d5ed79355b8a26ddaf2cbfe96ac63
INIT 0x2380 0x2d0 0x2e0 5.09 fab41bf37c3d42b4facb20d75d8a9e9c
.rsrc 0x2660 0x380 0x380 3.36 7174631557f1b1361a8a9b72af08c98c
.reloc 0x29e0 0x2f4 0x300 4.94 e73b6986df3924b04c1b4062c5e06008

( 1 imports )
> ntoskrnl.exe: IoCreateDevice, ExFreePool, ExAllocatePoolWithTag, MmMapLockedPages, MmUnlockPages, MmUnmapLockedPages, MmProbeAndLockPages, ObfDereferenceObject, MmCreateMdl, IoGetCurrentProcess, ObReferenceObjectByHandle, ZwQuerySystemInformation, KeServiceDescriptorTable, IoDeleteDevice, IoCreateSymbolicLink, RtlInitUnicodeString, IofCompleteRequest, IoDeleteSymbolicLink, ZwClose, ZwCreateFile, ObQueryNameString, ZwQueryObject, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, ZwDuplicateObject, ProbeForWrite, RtlUnwind

( 0 exports )

novirtu
2008-09-14, 01:32
Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 TR/Spy.Gen
Authentium 5.1.0.4 2008.09.13 W32/Heuristic-KPP!Eldorado
Avast 4.8.1195.0 2008.09.13 Win32:Spyware-gen
AVG 8.0.0.161 2008.09.13 -
BitDefender 7.2 2008.09.14 Trojan.Generic.528741
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.14 DLOADER.Trojan
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.14 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14332.0 2008.09.14 Trojan-Downloader.Win32.Agent.afky
Fortinet 3.113.0.0 2008.09.13 PossibleThreat
GData 19 2008.09.14 Trojan-Downloader.Win32.Agent.afky
Ikarus T3.1.1.34.0 2008.09.13 Trojan-Spy
K7AntiVirus 7.10.454 2008.09.13 -
Kaspersky 7.0.0.125 2008.09.14 Trojan-Downloader.Win32.Agent.afky
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.14 -
NOD32v2 3440 2008.09.13 Win32/Agent.OAF
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.13 -
PCTools 4.4.2.0 2008.09.13 -
Prevx1 V2 2008.09.14 Password Stealer
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 Mal/Behav-027
Sunbelt 3.1.1633.1 2008.09.13 Trojan.Spy.Gen
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.082 2008.09.14 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.13 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.13 -
Webwasher-Gateway 6.6.2 2008.09.13 Trojan.Spy.Gen
Additional information
File size: 118784 bytes
MD5...: 1a6b5624c4980c16cd9bbab7f43b6fc9
SHA1..: 90d1e1c775a54649045f655b7521191bc5097ea2
SHA256: d671d1faf7406faf323d080fac4458ec7070cd4a2ef2937b1cc3593f3127db8d
SHA512: 3d2dd6f23fb9c94e6cab9ce4f9fcbec0f3a8fa7318e9c7c41e373544eca1da43
aff03e05b82313868d44e464884067535c60919d0a9a0b019c85a05ef3bcabab
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10002084
timedatestamp.....: 0x4872808a (Mon Jul 07 20:46:02 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12f60 0x13000 6.58 e75a0354e85877eccf8f79d4057e5b30
.rdata 0x14000 0x5dc9 0x6000 6.72 ab131db3f08f26bf91aecbe8fdbffcb0
.data 0x1a000 0xf38 0x1000 2.14 69d4c416b5f05622a8d0cda0a997bc8a
.reloc 0x1b000 0x1836 0x2000 5.48 f2b9ac7a2f9130475786390e61cde514

( 10 imports )
> ntdll.dll: _ui64toa, _atoi64, strncpy, strlen, _strnicmp, tolower, strstr, memcmp, memcpy, _snprintf, atoi, _itoa, _ultoa, _stricmp, _allmul, _chkstk, memset, _alldiv
> msvcrt.dll: strtok
> WS2_32.dll: -, -, WSARecv, WSASocketW, WSASend, -, -, WSAGetOverlappedResult, -, -, -, WSAWaitForMultipleEvents, -, -, -, -, WSAIoctl, WSACreateEvent
> WININET.dll: HttpAddRequestHeadersA, HttpSendRequestA, InternetOpenA, HttpOpenRequestA, InternetConnectA, HttpQueryInfoA, InternetReadFile, InternetOpenUrlA, InternetCloseHandle
> KERNEL32.dll: GetFileInformationByHandle, GetVolumeInformationA, GetWindowsDirectoryA, GetFileTime, HeapSetInformation, HeapFree, HeapAlloc, HeapCreate, HeapDestroy, GetVersionExA, LoadLibraryA, FreeLibrary, OpenFileMappingA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, ExitProcess, GetFileAttributesExA, CreateEventA, TlsSetValue, TlsAlloc, TlsGetValue, CreateRemoteThread, Process32First, WriteProcessMemory, ProcessIdToSessionId, Process32Next, VirtualAllocEx, VirtualFreeEx, OpenProcess, GetFileAttributesA, DeleteFileA, GetTickCount, CreateProcessA, MultiByteToWideChar, GetCurrentThreadId, CloseHandle, GetCurrentProcessId, Thread32First, Thread32Next, GetProcAddress, OpenThread, InterlockedIncrement, GetModuleHandleA, InterlockedDecrement, CreateToolhelp32Snapshot, OpenMutexA, CreateThread, lstrcpyA, GetCurrentProcess, GetExitCodeThread, LeaveCriticalSection, OpenEventA, WaitForSingleObject, InterlockedCompareExchange, ReadFile, SetEvent, GetModuleFileNameW, WaitForMultipleObjects, lstrcatA, GetCurrentThread, VirtualFree, GetModuleFileNameA, FlushFileBuffers, CreateFileA, WriteFile, CreateMutexA, GetLastError, GetFileSize, lstrcmpiA, DuplicateHandle, InitializeCriticalSection, EnterCriticalSection, lstrlenA, ReleaseMutex, TerminateThread, lstrcmpW, SetUnhandledExceptionFilter, ResetEvent, SystemTimeToFileTime, GetSystemTime, GetLocalTime, Sleep, lstrcmpA, DeleteCriticalSection, SetFilePointer, SetEndOfFile, GetTempPathA, GetTempFileNameA, FlushInstructionCache, VirtualAlloc, VirtualProtect, GetThreadContext, SuspendThread, SetThreadContext, ResumeThread, VirtualQuery, SetLastError
> USER32.dll: GetSystemMetrics, wsprintfA, DispatchMessageA, PeekMessageA, ShowWindow, SetForegroundWindow, MsgWaitForMultipleObjects
> ADVAPI32.dll: ChangeServiceConfigA, ControlService, OpenSCManagerA, OpenServiceA, RegCreateKeyExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyExA, RegQueryInfoKeyA, RegCloseKey, RegQueryValueExA, RegSetValueExA
> SHELL32.dll: ShellExecuteA
> ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance
> OLEAUT32.dll: -, -

( 2 exports )
DllGetClassObject, EventStartup

novirtu
2008-09-14, 01:37
Ken,

C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe is gone. I deleted xkunnxie.ini.

Thanks
Richard

ken545
2008-09-14, 01:52
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\WINDOWS\SYSTEM32\fldrclnr32.dll
C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcfa8d17442]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
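As an added triage example (not a tool from this thread, HijackThis or ComboFix): a Python script that parses the O20 and O23 lines of an HJT log like the ones posted above, flags the AppInit_DLLs entry, the non-default Winlogon Notify package and the service running from a Temp directory that made up this infection, and prints a removal script in the File::/Registry:: layout of the post above. The Winlogon Notify allowlist is an assumption, and the sample log lines are copied from the thread's second HJT log.

```python
"""Triage helper for HijackThis logs: added example, not a tool from this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\DBnetlib32.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Winlogon Notify subkeys that ship with Windows XP (assumption: a practical
# allowlist, not an exhaustive one; anything outside it is reported for review).
XP_NOTIFY_DEFAULTS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Registry keys exactly as they appear in the CFScript posted above.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"

O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Finding:
    kind: str    # "appinit", "notify" or "service"
    name: str    # Notify subkey or service name; empty for AppInit_DLLs
    path: str    # file the entry loads
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the persistence entries in an HJT log that deserve a second look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O20_APPINIT.match(line):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # which is why DBnetlib32.dll showed up under winlogon and explorer.
            findings.append(Finding("appinit", "", m.group(1),
                                    "AppInit_DLLs loads this DLL into every user32 process"))
        elif m := O20_NOTIFY.match(line):
            key, path = m.groups()
            if key not in XP_NOTIFY_DEFAULTS:
                findings.append(Finding("notify", key, path,
                                        "non-default Winlogon Notify package (runs inside winlogon.exe)"))
        elif m := O23_SERVICE.match(line):
            name, _owner, path = m.groups()
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            reasons = []
            if "\\temp\\" in path.lower():
                reasons.append("service binary lives in a Temp directory")
            if missing:
                reasons.append("service is registered but its binary is gone")
            if reasons:
                findings.append(Finding("service", name, path, "; ".join(reasons)))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Emit a removal script in the File::/Registry:: layout shown in the thread.

    Assumption: this mirrors the shape of the posted script only; anything beyond
    these two directives should be checked against ComboFix's own documentation.
    """
    files: list[str] = []
    for f in findings:
        if f.path not in files:
            files.append(f.path)
    lines = ["File::", *files, "", "Registry::"]            # nothing before File::
    for f in findings:
        if f.kind == "notify":
            lines += [f"[-{NOTIFY_KEY}\\{f.name}]", ""]       # leading '-' deletes the key
    if any(f.kind == "appinit" for f in findings):
        lines += [f"[{WINDOWS_KEY}]", '"AppInit_DLLs"=-', ""]  # '=-' deletes the value
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LOG)
    for h in hits:
        print(f"{h.kind:8} {h.name or '-':14} {h.path}  <- {h.reason}")
    print()
    print(build_cfscript(hits))
```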

novirtu
2008-09-14, 02:10
I'm having trouble running the script. I keep getting a dialog box that says:
Were you trying to run CFScript?
The name, CFScript appears to be incorrectly spelt.

The file name is CFScript.txt and the text looks like it pasted right.

ken545
2008-09-14, 04:14
Drag Combofix to the trash as it may be getting a bit old; it's updated almost every day. Grab a fresh copy and try the script again. It looks like you typed it correctly.

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

novirtu
2008-09-14, 06:06
Still no joy. I downloaded from the first link. (Actually I'm downloading everything on a healthy system and writing them to a CD-RW.) I copied it to the desktop and dragged the same CFScript.txt file to the icon. This time the progress bar appears but, as soon as it's done, combofix exits and it doesn't leave a c:\combofix.txt file.

ken545
2008-09-14, 11:34
Good Morning,

Are you not able to get internet on the infected computer? Post a new HJT log and let's see if it got it.

novirtu
2008-09-14, 20:07
Yes, the infected computer does have internet access. I just thought it best to minimize its use for now.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:43 AM, on 9/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5867 bytes

ken545
2008-09-14, 20:26
REGEDIT4

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcfa8d17442]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say Yes.

If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\fldrclnr32.dll
C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post the OTMoveIt log and a new HJT log please

novirtu
2008-09-14, 21:00
Looks like it worked. It did not ask to reboot.

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\fldrclnr32.dll
C:\WINDOWS\SYSTEM32\fldrclnr32.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\fldrclnr32.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\DBnetlib32.dll
C:\WINDOWS\SYSTEM32\DBnetlib32.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\DBnetlib32.dll moved successfully.
File/Folder C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09142008_115609

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:48 AM, on 9/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5886 bytes

ken545
2008-09-14, 21:23
One file was removed, one was not present, and it did not remove the one I really wanted it to, which, along with the O20 entry on your HJT log, is nasty and still present. We need to run the Combofix script. On the infected computer, drag Combofix to the trash and use the links I provided to grab a fresh copy; download it to your desktop directly, not by transferring it with a CD.

This script is a bit new, so don't use the old one.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


File::
C:\WINDOWS\SYSTEM32\DBnetlib32.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
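As an added example (not part of the thread, and not code from HijackThis, OTMoveIt or ComboFix), here is a small Python triage script that applies the reasoning ken545 uses in this and the previous post: it flags O20 Winlogon Notify entries with generated hex-like subkey names and O23 services whose binary sits in a Temp folder or is missing on disk, and diffs a before/after HJT log to confirm what a fix actually removed. The sample lines are constructed from the entries quoted in this thread; the heuristics are my own assumptions about what "looks wrong", not HijackThis's logic.

```python
"""Triage HijackThis log lines for the persistence mechanisms discussed in this
thread: O20 Winlogon Notify DLLs and O23 services. Added example; the sample
lines are constructed from the entries quoted in the thread, and the
heuristics are this example's own, not HijackThis's logic."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the "before" HJT log in the thread.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O20 - Winlogon Notify: fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
"""

# Constructed sample: the same entries from the post-fix log (the O20 line is gone).
HJT_AFTER = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic (assumption): legitimate Winlogon Notify subkeys carry readable
# names; an all-hex name such as fcfa8d17442 is treated as generated.
HEXISH_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
# Per-user temp folder in both 8.3 (LOCALS~1) and long-name form.
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section, e.g. "O20" or "O23"
    name: str      # Notify subkey or service name
    path: str      # file path exactly as HJT printed it
    reason: str    # why the entry was flagged


def parse_lines(text: str) -> list[str]:
    """Split a pasted HJT log into non-empty, whitespace-trimmed lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def triage(lines: list[str]) -> list[Finding]:
    """Flag Winlogon Notify and service entries matching the thread's pattern."""
    findings: list[Finding] = []
    for line in lines:
        m = O20_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            reasons = []
            if HEXISH_RE.match(name):
                reasons.append("generated hex-like Notify subkey name")
            if "(file missing)" in path:
                reasons.append("Notify DLL missing on disk")
            if reasons:
                findings.append(Finding("O20", name, path, "; ".join(reasons)))
            continue
        m = O23_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            reasons = []
            if TEMP_RE.search(path):
                reasons.append("service binary lives in a Temp folder")
            if "(file missing)" in path:
                reasons.append("service binary missing on disk (orphaned service)")
            if reasons:
                findings.append(Finding("O23", name, path, "; ".join(reasons)))
    return findings


def removed_entries(before: list[str], after: list[str]) -> list[str]:
    """Entries present in the first log but absent from the second: what a fix removed."""
    after_set = set(after)
    return [ln for ln in before if ln not in after_set]


if __name__ == "__main__":
    before, after = parse_lines(HJT_BEFORE), parse_lines(HJT_AFTER)
    for f in triage(before):
        print(f"[{f.section}] {f.name}: {f.reason}\n    {f.path}")
    print("Removed by the fix:", removed_entries(before, after))
    print("Still flagged afterwards:", [f.name for f in triage(after)])
```

Run against the two logs it reports the fcfa8d17442 Notify entry and the NH service before the fix, shows only the O20 line as removed, and still lists the orphaned NH service afterwards, which is exactly the state the thread's final log shows.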

novirtu
2008-09-14, 21:37
ComboFix 08-09-14.01 - Bill & Mary 2008-09-14 12:30:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.82 [GMT -7:00]
Running from: C:\Documents and Settings\Bill & Mary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bill & Mary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\DBnetlib32.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-14 11:56 . 2008-09-14 11:56 <DIR> d-------- C:\_OTMoveIt
2008-09-13 20:51 . 2008-09-13 18:10 <DIR> d-------- C:\327882R2FWJFW_xx
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Documents and Settings\Bill & Mary\Application Data\Malwarebytes
2008-09-12 17:50 . 2008-09-12 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-12 17:50 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-12 17:50 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-11 18:44 . 2008-09-11 18:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-10 22:52 . 2003-10-20 19:34 <DIR> d-------- C:\Documents and Settings\Administrator.BILL\WINDOWS
2008-09-10 22:52 . 2003-10-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator.BILL\Application Data\Sonic
2008-09-10 22:52 . 2008-09-10 22:52 <DIR> d-------- C:\Documents and Settings\Administrator.BILL
2008-09-10 21:16 . 2008-09-10 21:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-10 21:16 . 2008-09-10 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 23:57 . 2008-09-09 23:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-09 23:57 . 2008-09-09 23:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-09 20:37 . 2003-10-20 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-09-09 20:37 . 2008-09-09 21:07 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-09-09 18:17 . 2008-09-09 21:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 18:17 . 2008-09-10 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-09 18:13 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\SYSTEM32\PowerToysLicense.rtf
2008-09-09 18:03 . 2008-09-09 18:03 <DIR> d-------- C:\Program Files\Iarsn
2008-09-09 18:03 . 2006-10-24 16:29 17,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Tsknf700.sys
2008-09-09 17:52 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-09-09 17:52 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 04:28 --------- d-----w C:\Program Files\America Online 8.0
.

((((((((((((((((((((((((((((( snapshot@2008-09-12_19.41.32.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-13 02:36:27 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
+ 2008-09-14 19:30:06 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
- 2008-04-09 19:25:39 53,436 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-09-13 02:41:01 53,436 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-04-09 19:25:39 381,692 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-09-13 02:41:01 381,692 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-20 151597]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 122880]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 200704]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 159744]
"VirusScan Online"="c:\program files\mcafee.com\vso\mcvsshld.exe" [2003-03-21 159744]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.EXE" [2000-06-07 794112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-10-20 36939]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

R1 TSKNF700.SYS;TSKNF700.SYS;C:\WINDOWS\System32\Drivers\TSKNF700.SYS [2006-10-24 17928]
S3 NH;NH;C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-fcfa8d17442 - C:\WINDOWS\System32\DBnetlib32.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 12:33:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LexBceS.exe
C:\WINDOWS\SYSTEM32\Lexpps.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
.
**************************************************************************
.
Completion time: 2008-09-14 12:34:43 - machine was rebooted [Bill & Mary]
ComboFix-quarantined-files.txt 2008-09-14 19:34:35

Pre-Run: 153,824,464,896 bytes free
Post-Run: 153,818,427,392 bytes free

109 --- E O F --- 2007-11-16 02:29:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:40 PM, on 9/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NH - Unknown owner - C:\DOCUME~1\BILL&M~1\LOCALS~1\Temp\NH.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5744 bytes

ken545
2008-09-14, 22:27
http://i24.photobucket.com/albums/c30/ken545/cool.gif

By Jove, you've done it :)

Logs look fine, how is your system running now ??

novirtu
2008-09-14, 23:07
Lookin' good! No pop-ups, no slowdowns, no other obvious symptoms.

Thanks a lot for all the help. You folks are providing a great service here.

When we are finished with any final clean-up, I intend to upgrade this system to XP SP3 and set up new AV and spyware scanners. Do you have any particular recommendations?

Thanks
Richard

ken545
2008-09-14, 23:30
Hello Richard,

McAfee is fine, just keep it updated and run a scan about once a week or so.

OTMoveIt <---Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

novirtu
2008-09-15, 01:07
Ken,

Great! I deleted the things you indicated and I'll definitely read up. Thanks again for all your help and patience.

Richard

ken545
2008-09-15, 01:09
You're very welcome Richard,

Take Care,
Ken:)