Help with Virtumonde on Son's computer
Mikey1946
2008-11-29, 19:50
My son dropped off his Dell Dimension 4300 last night and asked me to figure out why it runs so slow and is plagued by pop-ups. After considerable clean-up I'm left with Virtumonde. Looks like there are no simple fixes so please help me remove this Trojan horse.
After 3 Spybot scans I'm left with the following:
Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP
Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\aKQXxyxx.ini2
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\aKQXxyxx.ini
Thanks for your consideration and help.
Bio-Hazard
2008-11-29, 20:08
Hello and welcome to the forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Absence of symptoms does not mean that everything is clear.
NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Download HijackThis
To get things going I need you to download HijackThis; see the instructions below.
Click HERE (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to download HijackThis Installer
Save HijackThis Installer to your desktop.
Doubleclick on the HijackThis Installer icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the Perform Full Scan option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Malwarebytes Antimalware Log
A HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
Mikey1946
2008-11-29, 21:27
Malwarebytes' Anti-Malware 1.30
Database version: 1434
Windows 5.1.2600 Service Pack 2
11/29/2008 1:19:05 PM
mbam-log-2008-11-29 (13-19-05).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111520
Time elapsed: 1 hour(s), 1 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 43
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 39
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\xxyxXQKa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vbddjn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hfwhrk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fgbrcy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\psuajk.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{774cbb01-755f-450b-9772-4304d97b14b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{774cbb01-755f-450b-9772-4304d97b14b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c61f020e-d55d-4278-aa1f-6b05b8955743} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c61f020e-d55d-4278-aa1f-6b05b8955743} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{aadfed38-03c6-488d-ab7f-4d1ed9a89a34} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5f05b78-929c-4b0d-b14d-ea4f2fe6eb36} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ee4167c3-ddd2-4fe3-b1a7-21c75fab74ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{774cbb01-755f-450b-9772-4304d97b14b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyxxqka -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxxqka -> Delete on reboot.
Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\psuajk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyxXQKa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aKQXxyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aKQXxyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccbwumnh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hnmuwbcc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eaydguiv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\viugdyae.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nepvrgrd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drgrvpen.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvdubbfi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifbbudvn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pvwidmow.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\womdiwvp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vorarqvn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvqrarov.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbddjn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hfwhrk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fgbrcy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Local Settings\Temporary Internet Files\Content.IE5\CJFOFQ5E\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Local Settings\Temporary Internet Files\Content.IE5\ZLXBBLPH\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqqa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqql.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqqp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqqd\qfqqc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BCF36D-2658-49E3-8031-A87E3D98FB13}\RP578\A0114158.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olxshbjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\obprmllc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ohyevgbu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pvdazw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\juwwwlrq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xkydwqtx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqAy1I1J.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FqBRJWl4.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
HijackThis report after the above scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:04 PM, on 11/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3571F42A-E6F3-417E-B440-BEAA0095EBF4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {573C4CFD-92A3-46EB-A73A-FCBF44D97341} - (no file)
O2 - BHO: (no name) - {5AC3814C-4C56-487F-A926-4F5A21214000} - (no file)
O2 - BHO: (no name) - {6C9D475F-14EC-4E35-B8C1-E7A8C666304E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {90198772-08F8-4D28-9144-85E5C6563080} - (no file)
O2 - BHO: (no name) - {A0A5C793-83E0-4315-8601-722564756CFD} - (no file)
O2 - BHO: (no name) - {BDC91C76-E923-4059-8D97-1073E7CB6C83} - (no file)
O2 - BHO: (no name) - {C151026B-B7D6-4445-AF34-D272B586BFBF} - (no file)
O2 - BHO: (no name) - {EB41AA2B-ADDC-425C-842B-3BD0D7696A61} - (no file)
O3 - Toolbar: (no name) - {A8EA8CB2-5391-4492-A82C-CBE438C35252} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=592fe0a5-29c9-4626-bcb5-4d6ba95ce6fb
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163832925908
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: crpekp.dll vbddjn.dll sqdiqy.dll xrtknx.dll hfwhrk.dll fgbrcy.dll psuajk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
--
End of file - 5252 bytes
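The log above shows where Vundo survives a reboot: seven DLLs in the O20 AppInit_DLLs value and a row of O2 BHO entries whose files are already gone. The script below is an added example written for this page; it is not part of HijackThis, Malwarebytes or the forum's procedure, and its regexes, class and function names are my own. It parses a HijackThis v2 log, pulls out the AppInit_DLLs list, orphaned BHOs, O4 autoruns, O23 services with no vendor name and the R1 proxy setting, and then cross-references the AppInit_DLLs names against the MBAM lines marked "Delete on reboot". The two excerpts embedded as input are taken from the logs posted above. AppInit_DLLs are loaded into every process that loads user32.dll, so those files are in use and cannot be deleted until the machine restarts, which is why MBAM deferred exactly those four.

```python
"""Triage a HijackThis log for the load points Vundo/Virtumonde abuses.

Added example for this thread; not part of HijackThis, MBAM or ComboFix.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the HijackThis log posted in this thread (relevant lines only).
HJT_EXCERPT = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {573C4CFD-92A3-46EB-A73A-FCBF44D97341} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: crpekp.dll vbddjn.dll sqdiqy.dll xrtknx.dll hfwhrk.dll fgbrcy.dll psuajk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

# Excerpt of the MBAM "Memory Modules Infected" section posted in this thread.
MBAM_EXCERPT = r"""
C:\WINDOWS\system32\xxyxXQKa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vbddjn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hfwhrk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fgbrcy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\psuajk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ccbwumnh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# Line formats of HijackThis v2 sections (own regexes, written for this example).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.*)$")
# MBAM result line: "<path> (<family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Triage:
    appinit_dlls: List[str] = field(default_factory=list)
    orphan_bhos: List[str] = field(default_factory=list)               # CLSIDs with "(no file)"
    loaded_bhos: List[Tuple[str, str]] = field(default_factory=list)   # (CLSID, path)
    run_entries: List[Tuple[str, str]] = field(default_factory=list)   # (name, command)
    unknown_services: List[Tuple[str, str]] = field(default_factory=list)
    proxy: Optional[str] = None


def triage_hjt_log(text: str) -> Triage:
    """Pull the Vundo-relevant load points out of a HijackThis log."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := APPINIT_RE.match(line):
            # A clean XP install leaves AppInit_DLLs empty, so every name here needs a look.
            t.appinit_dlls = m["dlls"].split()
        elif m := BHO_RE.match(line):
            if m["path"] == "(no file)":
                t.orphan_bhos.append(m["clsid"])        # registry leftover, DLL already gone
            else:
                t.loaded_bhos.append((m["clsid"], m["path"]))
        elif m := RUN_RE.match(line):
            t.run_entries.append((m["name"], m["cmd"]))
        elif m := SERVICE_RE.match(line):
            if m["owner"] == "Unknown owner":            # HJT found no vendor name in the binary
                t.unknown_services.append((m["name"], m["path"]))
        elif m := PROXY_RE.match(line):
            t.proxy = m["proxy"].strip()
    return t


def mbam_pending_reboot(text: str) -> List[str]:
    """Basenames of files MBAM could not delete because they were in use."""
    pending = []
    for raw in text.splitlines():
        m = MBAM_RE.match(raw.strip())
        if m and m["action"] == "Delete on reboot":
            pending.append(ntpath.basename(m["path"]))
    return pending


def appinit_still_loaded(triage: Triage, pending: List[str]) -> List[str]:
    """AppInit_DLLs entries MBAM deferred: injected into every process, hence locked."""
    pending_lc = {p.lower() for p in pending}
    return [d for d in triage.appinit_dlls if d.lower() in pending_lc]


if __name__ == "__main__":
    t = triage_hjt_log(HJT_EXCERPT)
    locked = appinit_still_loaded(t, mbam_pending_reboot(MBAM_EXCERPT))
    print("AppInit_DLLs:", " ".join(t.appinit_dlls))
    print("Still loaded after the MBAM run (reboot needed):", " ".join(locked))
    print("Orphan BHO CLSIDs (O2 with no file):", ", ".join(t.orphan_bhos))
    print("Services with no vendor name:", t.unknown_services)
    print("Proxy setting:", t.proxy)
```

The script only reports; it deliberately does not "fix" anything, in line with the instruction above not to let HijackThis fix entries before a helper has read the log. Orphaned O2 entries are harmless residue to clean up afterwards; the AppInit_DLLs names are the live infection, and the three that MBAM did not list (crpekp.dll, sqdiqy.dll, xrtknx.dll) are the ones a helper would want to see a second tool address.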
Mikey1946
2008-11-29, 22:15
Before I started this repair I had replaced his Microsoft Explorer web browser with Netscape. I had heard that the former was buggy and I didn't care for the updated version of Explorer. I had some problems with Explorer on my laptop (excessive pop-ups) and Netscape was my fix in that case.
Anyway, now using Netscape, and with the repair you recommended above, his computer is running better than it ever has, with no annoying pop-ups and slowdowns. Thanks for your help :)
Mikey1946
2008-11-29, 22:18
Another thing . . . the "automatic updates" is now working. THANKS
Bio-Hazard
2008-11-30, 18:36
Quoting Mikey1946:
Before I started this repair I had replaced his Microsoft Explorer web browser with Netscape. I had heard that the former was buggy and I didn't care for the updated version of Explorer. I had some problems with Explorer on my laptop (excessive pop-ups) and Netscape was my fix in that case.
Anyway, now using Netscape, and with the repair you recommended above, his computer is running better than it ever has, with no annoying pop-ups and slowdowns.
Popups were produced by the infection. I would recommend that you start a new thread about your laptop. Internet Explorer is not that bad as long as it is kept up to date. Netscape has now been discontinued. I would recommend using either Firefox or Opera.
Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/)
Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
Antivirus
Looking over your log, I see no evidence of any anti-virus software.
Anti-virus software are programs that detect, clean and erase harmful virus files on a computer, web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:
Avira AntiVir Personal (http://www.free-av.de/en/download/1/avira_antivir_personal__free_antivirus.html)- Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.download-avg-anti-virus-free-edition#tba2) - Free edition of the AVG anti-virus program for Windows.
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
Mikey1946
2008-11-30, 19:42
ComboFix 08-11-30.01 - Deanna and Jeff 2008-11-30 11:13:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.273 [GMT -6:00]
Running from: c:\documents and settings\Deanna and Jeff\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\dbvbsv.dll
c:\windows\system32\kopseovb.ini
c:\windows\system32\msckheni.dll
c:\windows\system32\mwwmeq.dll
c:\windows\system32\otrowswv.ini
c:\windows\system32\qtdorwoq.dll
c:\windows\system32\rqxssgxm.ini
c:\windows\system32\rvdsafmi.ini
c:\windows\system32\sqdiqy.dll
c:\windows\system32\tuobqbaa.dll
c:\windows\system32\vxophbao.dll
c:\windows\system32\xrtknx.dll
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.
2008-11-29 12:13 . 2008-11-29 12:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 12:13 . 2008-11-29 12:13 <DIR> d-------- c:\documents and settings\Deanna and Jeff\Application Data\Malwarebytes
2008-11-29 12:13 . 2008-11-29 12:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 12:13 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 12:13 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 12:08 . 2008-11-29 12:08 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 18:21 . 2008-11-28 18:21 <DIR> d-------- c:\program files\Netscape
2008-11-28 18:21 . 2008-11-28 18:21 <DIR> d-------- c:\documents and settings\Deanna and Jeff\Application Data\Netscape
2008-11-27 21:38 . 2008-11-27 21:38 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-15 00:00 . 2008-11-28 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-11 21:41 . 2008-11-11 21:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-11 21:41 . 2008-11-12 07:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 21:22 . 2008-11-15 12:02 <DIR> d--hs---- c:\windows\RGVhbm5hIGFuZCBKZWZm
2008-11-11 21:01 . 2008-11-15 00:15 <DIR> d-------- c:\documents and settings\Deanna and Jeff\Application Data\Twain
2008-11-10 16:09 . 2008-11-10 16:09 <DIR> d-------- c:\windows\qfqq
2008-11-10 16:09 . 2008-11-15 12:00 <DIR> d-------- c:\program files\Common Files\qfqq
2008-10-11 19:15 . 2008-10-11 19:15 <DIR> d--hs---- c:\windows\ftpcache
2008-10-11 19:15 . 2008-10-11 19:15 <DIR> d-------- c:\documents and settings\Deanna and Jeff\Application Data\SaveThePuppy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 23:52 --------- d-----w c:\program files\QuickTime
2008-11-15 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 01:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-12 01:14 --------- d-----w c:\program files\Nick Jr. Arcade
2008-08-31 18:50 781,834 ----a-w c:\windows\xobglu32.dll
2008-08-31 18:50 63,488 ----a-w c:\windows\xobglu16.dll
2007-03-11 22:11 37,844,544 ----a-w c:\program files\iTunesSetup.exe
2006-11-25 15:02 359,112 ----a-w c:\program files\LimeWireWin.exe
2005-07-29 22:24 472 --sha-r c:\windows\RGVhbm5hIGFuZCBKZWZm\l3p1vAc1K3IRtF14tqtA.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="c:\program files\Support.com\providerComcast\desktopdoctor.exe" [2006-06-02 1286144]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 218496]
c:\documents and settings\Josh and Joe\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-05-29 256000]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
--a------ 2001-09-23 07:14 163840 c:\windows\DellMMKb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 d:\my music\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-07-26 03:03 49263 c:\program files\Java\jre1.5.0_08\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2007-03-07 09:58 1773568 c:\program files\support.com\bin\tgcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-26 15:48 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TraySantaCruz]
--a------ 2001-08-29 14:17 307200 c:\windows\system32\tbctray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"d:\\My Music\\iTunes.exe"=
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2006-11-18 28672]
R3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2006-11-18 6942]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2006-11-18 142336]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2006-11-18 524288]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2006-11-17 281856]
S4 hpt3xx;hpt3xx; []
.
Contents of the 'Scheduled Tasks' folder
2008-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-11-21 c:\windows\Tasks\At1.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At10.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-29 c:\windows\Tasks\At11.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-30 c:\windows\Tasks\At12.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-29 c:\windows\Tasks\At13.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-29 c:\windows\Tasks\At14.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-29 c:\windows\Tasks\At15.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-26 c:\windows\Tasks\At16.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-23 c:\windows\Tasks\At17.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-28 c:\windows\Tasks\At18.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-29 c:\windows\Tasks\At19.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At2.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-24 c:\windows\Tasks\At20.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-24 c:\windows\Tasks\At21.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-28 c:\windows\Tasks\At22.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-28 c:\windows\Tasks\At23.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-28 c:\windows\Tasks\At24.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At25.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At26.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At27.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At28.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At29.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At3.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At30.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At31.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At32.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At33.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At34.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-29 c:\windows\Tasks\At35.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-30 c:\windows\Tasks\At36.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-29 c:\windows\Tasks\At37.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-29 c:\windows\Tasks\At38.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-29 c:\windows\Tasks\At39.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At4.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-26 c:\windows\Tasks\At40.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-23 c:\windows\Tasks\At41.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-28 c:\windows\Tasks\At42.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-29 c:\windows\Tasks\At43.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-24 c:\windows\Tasks\At44.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-24 c:\windows\Tasks\At45.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-28 c:\windows\Tasks\At46.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-28 c:\windows\Tasks\At47.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-28 c:\windows\Tasks\At48.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At5.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At6.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At7.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At8.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At9.job
- c:\windows\system32\fqAy1I1J.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{3571F42A-E6F3-417E-B440-BEAA0095EBF4} - (no file)
BHO-{573C4CFD-92A3-46EB-A73A-FCBF44D97341} - (no file)
BHO-{5AC3814C-4C56-487F-A926-4F5A21214000} - (no file)
BHO-{6C9D475F-14EC-4E35-B8C1-E7A8C666304E} - (no file)
BHO-{90198772-08F8-4D28-9144-85E5C6563080} - (no file)
BHO-{A0A5C793-83E0-4315-8601-722564756CFD} - (no file)
BHO-{BDC91C76-E923-4059-8D97-1073E7CB6C83} - (no file)
BHO-{C151026B-B7D6-4445-AF34-D272B586BFBF} - (no file)
BHO-{EB41AA2B-ADDC-425C-842B-3BD0D7696A61} - (no file)
Toolbar-{A8EA8CB2-5391-4492-A82C-CBE438C35252} - (no file)
WebBrowser-{A8EA8CB2-5391-4492-A82C-CBE438C35252} - (no file)
MSConfigStartUp-AdaptecDirectCD - c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
MSConfigStartUp-CreateCD50 - c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
MSConfigStartUp-GetPack24 - c:\program files\GetPack\GetPack24.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-qfqq - c:\progra~1\COMMON~1\qfqq\qfqqm.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SfKg6wIP - c:\documents and settings\Deanna and Jeff\Application Data\Microsoft\Windows\cvfnj.exe
MSConfigStartUp-SpeedRunner - c:\documents and settings\Deanna and Jeff\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-Twain - c:\documents and settings\Deanna and Jeff\Application Data\Twain\Twain.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
mStart Page = hxxp://www.yahoo.com
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 11:19:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-30 11:22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-30 17:22:07
Pre-Run: 26,991,841,280 bytes free
Post-Run: 28,228,886,528 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
267 --- E O F --- 2008-11-29 20:21:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:48 AM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=592fe0a5-29c9-4626-bcb5-4d6ba95ce6fb
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163832925908
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
--
End of file - 5012 bytes
Bio-Hazard
2008-11-30, 20:13
Hello!
There is a lot to do here, so take your time. The Kaspersky scan will take a long time.
Run CFScript
Close any open browsers.
Open Notepad by clicking Start
Click Run
Type notepad into the box and press Enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:
File::
c:\program files\LimeWireWin.exe
c:\StubInstaller.exe
c:\windows\system32\fqAy1I1J.exe
c:\windows\system32\FqBRJWl4.exe
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Folder::
c:\windows\qfqq
c:\program files\Common Files\qfqq
c:\windows\RGVhbm5hIGFuZCBKZWZm
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Update Java Runtime and Run JavaRa
Download Java Runtime
Go to HERE (http://java.sun.com/javase/downloads/index.jsp) to download Java Runtime Environment Version 6 Update 10
Click on the link named Java Runtime Environment (JRE) 6 Update 10
Click on the radio button to Accept License Agreement
Click on Windows Offline Installation Multi-language and save the downloaded file to your desktop
Run JavaRa
Please download JavaRa (http://prm753.bchea.org/click/click.php?id=9) and unzip it to your desktop.
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Install Java
Install the new version of Java by running the newly-downloaded file (jre-6u10-windows-i586-p.exe) with the Java icon, which will be on your desktop, and follow the on-screen instructions.
Reboot your computer
Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
Kaspersky Log
JavaRa log
A fresh HijackThis log (after all the above has been done)
A description of how your computer is behaving
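As an added example (not part of this thread, and not ComboFix's own code), the script below reads the "Scheduled Tasks" section of a ComboFix log like the one posted above, flags AtN.job tasks that reload executables from system32 for which ComboFix printed an empty "[]" (no timestamp or size) and which share a target with other at-jobs, and drafts the File:: section of a CFScript in the format used in the post. The heuristics, the function names and the constructed log excerpt are assumptions for illustration, not rules ComboFix applies, and anything the script flags still needs a human look before it goes into a fix script.

```python
"""Flag at.exe-style scheduled tasks in a ComboFix log and draft a CFScript.

Added example; not from the thread above and not part of ComboFix.
Heuristics (assumptions, chosen from what the posted log shows):
  * the task file is named AtN.job, the naming scheme for jobs created with
    the legacy at.exe scheduler rather than through the Task Scheduler UI;
  * the target lives under system32 and ComboFix printed an empty "[]" after
    it, i.e. it recorded no timestamp/size for the file;
  * the same target is launched by more than one such job.
"""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the "Scheduled Tasks" section of a
# ComboFix log; sample input only, trimmed from the format seen above.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
2008-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-11-21 c:\windows\Tasks\At1.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At25.job
- c:\windows\system32\FqBRJWl4.exe []
2008-11-21 c:\windows\Tasks\At3.job
- c:\windows\system32\fqAy1I1J.exe []
2008-11-21 c:\windows\Tasks\At26.job
- c:\windows\system32\FqBRJWl4.exe []
.
- - - - ORPHANS REMOVED - - - -
"""

JOB_LINE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*?\.job)\s*$", re.I)
TARGET_LINE = re.compile(r"^-\s+(?P<target>.*?)\s+\[(?P<stamp>[^\]]*)\]\s*$")
AT_JOB = re.compile(r"\\At\d+\.job$", re.I)
SYSTEM32_EXE = re.compile(r"\\windows\\system32\\[^\\]+\.exe$", re.I)


def parse_scheduled_tasks(log_text):
    """Return (job_path, target_path, stamp) tuples from the tasks section.

    Each task occupies two lines: "<date> <job path>" then "- <target> [stamp]".
    Parsing stops at the section terminator "." or at end of input.
    """
    tasks = []
    in_section = False
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":
            break
        m = JOB_LINE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        m = TARGET_LINE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target"), m.group("stamp")))
            pending_job = None
    return tasks


def job_number(job_path):
    """Numeric part of AtN.job, used to order jobs for readability."""
    m = re.search(r"At(\d+)\.job$", job_path, re.I)
    return int(m.group(1)) if m else 0


def find_suspicious(tasks, min_jobs=2):
    """Group At*.job tasks by target; keep targets that trip every heuristic."""
    by_target = defaultdict(list)
    for job, target, stamp in tasks:
        if not AT_JOB.search(job) or not SYSTEM32_EXE.search(target):
            continue
        if stamp.strip():
            # ComboFix recorded a timestamp/size: treated as a normal file here.
            continue
        by_target[target].append(job)
    return {t: sorted(jobs, key=job_number)
            for t, jobs in by_target.items() if len(jobs) >= min_jobs}


def build_cfscript(suspicious):
    """Render a CFScript File:: section: target binaries first, then the jobs."""
    lines = ["File::"]
    for target in sorted(suspicious, key=str.lower):
        lines.append(target)
    for target in sorted(suspicious, key=str.lower):
        lines.extend(suspicious[target])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_suspicious(parse_scheduled_tasks(SAMPLE_LOG))
    for target, jobs in found.items():
        print(f"{target}: launched by {len(jobs)} at-jobs")
    print(build_cfscript(found))
```

Run it against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the legitimate Apple task is left alone because its job is not an AtN.job and ComboFix stamped its target.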
Mikey1946
2008-12-01, 01:34
When am I done? Each time I follow your instructions and post results you get back to me with more instructions?? What am I trying to accomplish?
I appreciate your help but I need to know why I'm going through these extra steps when the computer is running fine.
THANKS
Bio-Hazard
2008-12-01, 07:47
When am I done? Each time I follow your instructions and post results you get back to me with more instructions?? What am I trying to accomplish?
I appreciate your help but I need to know why I'm going through these extra steps when the computer is running fine.
This system was heavily infected and there are still signs of infection and some leftovers. This is a sentence from my first post, which is why we are still doing these steps: Absence of symptoms does not mean that everything is clear.
It is up to you if you want to follow these steps. Let me know what you want to do.
Mikey1946
2008-12-01, 23:12
Thanks for the feedback and for your help. I plan to continue as you recommend in order to complete the cleanup.
I downloaded and installed one of the free antivirus programs you recommended. Is that going to be adequate or would the latest version of Norton Antivirus suite provide better protection? I bought Norton but haven't opened it yet. Won't install it if the freeware provides all that I need.
THANKS
Mike
Bio-Hazard
2008-12-02, 09:09
Hello!
I downloaded and installed one of the free antivirus programs you recommended. Is that going to be adequate or would the latest version of Norton Antivirus suite provide better protection? I bought Norton but haven't opened it yet. Won't install it if the freeware provides all that I need.
It is up to you, both are good programs. But if you decide to change to Norton you have to uninstall Avira Antivir first.
Could you please do the fixes in my 8th post (http://forums.spybot.info/showpost.php?p=261308&postcount=8).
Bio-Hazard
2008-12-06, 11:17
Hello!
Do you still need my help?