
Thread: in need of help with malware removal

    #21 - Senior Member (Join Date: Sep 2010, Posts: 631)


    Hi mla34,

    Try running it this way. Make sure combofix is on your desktop.

    Click start > run. Copy and paste this into the run box and click ok

    combofix /nombr
    Member of UNITE and ASAP

    #22 - Senior Member (Join Date: Jan 2010, Posts: 115)


    Ok, OM...this time it worked...not sure why there was a problem doing it the other way. Here are the results....the only fyi is that I had to reconnect to the internet and got a msg telling me that IE was not the default browser and did I want to make it so....not sure why that would have changed...
    Anyway, let me know what you think the next step should be...thanks!

    ComboFix 12-04-16.02 - Home 04/17/2012 16:34:32.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.469 [GMT -4:00]
    Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
    Command switches used :: /nombr
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\EventSystem.log
    c:\windows\system32\dllcache\dlimport.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-17 20:32 . 2012-04-17 20:32 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\MpKsl942fd50b.sys
    2012-04-17 19:45 . 2012-04-17 19:45 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\offreg.dll
    2012-04-17 17:00 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\mpengine.dll
    2012-04-10 18:41 . 2012-04-10 18:41 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes
    2012-04-10 18:38 . 2012-04-10 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-10 18:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-10 18:38 . 2012-04-10 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-09 21:44 . 2012-04-10 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2012-04-09 21:44 . 2012-04-09 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-04-09 21:36 . 2012-04-09 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2012-04-02 16:34 . 2012-04-02 16:34 -------- d-----w- c:\program files\Microsoft Silverlight
    2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-12 19:25 . 2012-04-12 19:25 3233 ----a-w- C:\attach.zip
    2012-03-14 02:15 . 2011-11-23 14:35 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2010-04-05 19:57 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2010-04-05 19:57 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2012-02-03 09:22 . 2010-04-05 19:57 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2010-04-05 21:27 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    c:\documents and settings\Home\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 MpKsl942fd50b;MpKsl942fd50b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\MpKsl942fd50b.sys [4/17/2012 4:32 PM 29904]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL942FD50B
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-04-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
    .
    2012-04-17 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-17 16:41
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(880)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2012-04-17 16:43:54
    ComboFix-quarantined-files.txt 2012-04-17 20:43
    .
    Pre-Run: 20,608,397,312 bytes free
    Post-Run: 21,029,093,376 bytes free
    .
    - - End Of File - - 1DEBB42C02E02C2FC825EEC0BC63AD7E
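The "Reg Loading Points" section of the ComboFix log above is the part a reviewer reads most carefully, because every value under a Run key is a program that starts at logon. The following Python is an added example (not ComboFix's code and not part of the original post) that parses that section into structured records and applies three simple review heuristics: an image given as a bare filename (like the `stsystra.exe` entry above) is resolved through the search path at logon, an image living under a user-writable directory, and an image written shortly before the scan. The sample input is a constructed excerpt: the first four entries are copied from the log, the "Updater" entry is made up to exercise the flags. The 30-day window and the list of user-writable path markers are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section.
# The first four entries are copied from the log above; the last one
# ("Updater") is a constructed sample, added only to exercise the flags.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
"Updater"="c:\documents and settings\Home\Application Data\updater.exe" [2012-04-16 48128]
"""

# Run date printed at the top of the log above; reference point for the
# "recently written" check.
SCAN_DATE = date(2012, 4, 17)

# Assumed markers for locations a standard user can write to on Windows XP.
USER_WRITABLE_MARKERS = (
    "c:\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


@dataclass
class AutostartEntry:
    key: str       # registry key the value lives under
    name: str      # value name
    path: str      # command / image path exactly as ComboFix printed it
    written: date  # file timestamp ComboFix printed in the brackets
    size: int      # file size in bytes from the same brackets


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')


def parse_loading_points(text: str) -> list:
    """Turn the [key] / "name"="path" [date size] lines into AutostartEntry records."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and current_key:
            entries.append(AutostartEntry(
                key=current_key,
                name=m.group("name"),
                path=m.group("path"),
                written=date.fromisoformat(m.group("date")),
                size=int(m.group("size")),
            ))
    return entries


def review_entry(entry: AutostartEntry, scan_date: date, recent_days: int = 30) -> list:
    """Return the reasons an entry deserves a closer look (empty list = nothing stood out)."""
    reasons = []
    p = entry.path.lower()
    if "\\" not in p:
        # No directory: Windows resolves the name through the search path at logon,
        # so a same-named file earlier on that path would run instead.
        reasons.append("bare filename, resolved through the search path at logon")
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable location")
    if scan_date - entry.written <= timedelta(days=recent_days):
        reasons.append(f"image written within the last {recent_days} days")
    return reasons


def review(text: str, scan_date: date, recent_days: int = 30) -> dict:
    """Map each value name in the section to its list of review reasons."""
    return {e.name: review_entry(e, scan_date, recent_days)
            for e in parse_loading_points(text)}


if __name__ == "__main__":
    for entry in parse_loading_points(SAMPLE_LOG):
        reasons = review_entry(entry, SCAN_DATE)
        status = "; ".join(reasons) if reasons else "nothing stood out"
        print(f"{entry.key}\n  {entry.name} -> {entry.path}: {status}")
```

A flag is a prompt to look up the file (publisher, signature, install date), not a verdict: in the sample the bare `stsystra.exe` is a well-known audio tray applet, while the constructed "Updater" entry collects two flags and would be the first thing to check.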

    #23 - Senior Member (Join Date: Sep 2010, Posts: 631)


    Hi mla34,

    When combofix runs it sets a few things back to default so what you saw was normal. Combofix and DDS seem to have had a problem with the MBR. That happens sometimes.

    Let's have another look with aswMBR. Run it like you did last time and post the log along with the mbr.dat that will be produced. The mbr.dat will need to be attached.
    Member of UNITE and ASAP

    #24 - Senior Member (Join Date: Jan 2010, Posts: 115)


    Here you go....
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-18 10:04:43
    -----------------------------
    10:04:43.984 OS Version: Windows 5.1.2600 Service Pack 3
    10:04:43.984 Number of processors: 2 586 0xF02
    10:04:43.984 ComputerName: 8G77SC1 UserName: Home
    10:04:44.875 Initialize success
    10:08:35.062 AVAST engine defs: 12041800
    10:10:26.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    10:10:26.484 Disk 0 Vendor: ST94813AS 8.04 Size: 38154MB BusType: 3
    10:10:26.484 Disk 0 MBR read successfully
    10:10:26.484 Disk 0 MBR scan
    10:10:26.562 Disk 0 Windows XP default MBR code
    10:10:26.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
    10:10:26.578 Disk 0 scanning sectors +78140160
    10:10:27.093 Disk 0 scanning C:\WINDOWS\system32\drivers
    10:10:49.609 Service scanning
    10:10:59.453 Service MpKsl9982ab46 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B4B1E6A6-FAD5-4857-9A60-E4BCF22CA4D5}\MpKsl9982ab46.sys **LOCKED** 32
    10:11:11.250 Modules scanning
    10:11:17.703 Disk 0 trace - called modules:
    10:11:17.734 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    10:11:17.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d44030]
    10:11:17.750 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\00000074[0x86d0b9e8]
    10:11:17.750 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d0bd98]
    10:11:18.140 AVAST engine scan C:\WINDOWS
    10:11:37.921 AVAST engine scan C:\WINDOWS\system32
    10:14:33.500 AVAST engine scan C:\WINDOWS\system32\drivers
    10:14:54.937 AVAST engine scan C:\Documents and Settings\Home
    10:15:18.890 File: C:\Documents and Settings\Home\Application Data\Office Genuine Advantage\Office Genuine Advantage\afxjahc.dll **INFECTED** Win32:Trojan-gen
    10:21:56.375 AVAST engine scan C:\Documents and Settings\All Users
    10:22:28.437 Scan finished successfully
    10:37:39.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Home\Desktop\MBR.dat"
    10:37:39.984 The log file has been saved successfully to "C:\Documents and Settings\Home\Desktop\aswMBR2.txt"
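An aswMBR log is read for a handful of markers: the line describing the boot sector code, the partition table, `**LOCKED**` drivers and `**INFECTED**` files, and the final "Scan finished" line. The Python below is an added example (not aswMBR's code and not part of the original post) that extracts those markers into a summary and lists the items that call for follow-up, so nothing is overlooked in a long log. The sample input is a constructed excerpt made of lines copied from the log above. It assumes aswMBR describes a stock boot sector as "<Windows version> default MBR code", which is the only wording visible on this page.

```python
import re

# Constructed excerpt: lines copied from the aswMBR log above, in its
# "HH:MM:SS.mmm message" layout, trimmed to the lines the summary needs.
SAMPLE_LOG = r"""
10:10:26.484 Disk 0 MBR read successfully
10:10:26.484 Disk 0 MBR scan
10:10:26.562 Disk 0 Windows XP default MBR code
10:10:26.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
10:10:59.453 Service MpKsl9982ab46 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B4B1E6A6-FAD5-4857-9A60-E4BCF22CA4D5}\MpKsl9982ab46.sys **LOCKED** 32
10:15:18.890 File: C:\Documents and Settings\Home\Application Data\Office Genuine Advantage\Office Genuine Advantage\afxjahc.dll **INFECTED** Win32:Trojan-gen
10:22:28.437 Scan finished successfully
"""

TS_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")
MBR_RE = re.compile(r"^Disk (?P<disk>\d+) (?P<desc>.+ MBR code)$")
PART_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<n>\d+) (?P<flag>[0-9A-Fa-f]{2}) \((?P<active>\w)\) "
    r"(?P<type>[0-9A-Fa-f]{2}) (?P<fs>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$")
LOCKED_RE = re.compile(r"^Service (?P<name>\S+) (?P<path>.+?) \*\*LOCKED\*\* (?P<code>\d+)$")
INFECTED_RE = re.compile(r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<detection>\S+)$")


def summarize(text: str) -> dict:
    """Pull the MBR description, partitions, locked drivers and detections out of the log."""
    summary = {"mbr_code": None, "partitions": [], "locked": [], "infected": [], "finished": False}
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped line (header, separator, blank)
        msg = m.group("msg")
        if (mm := MBR_RE.match(msg)):
            summary["mbr_code"] = mm.group("desc")
        elif (mm := PART_RE.match(msg)):
            summary["partitions"].append({
                "disk": int(mm.group("disk")), "n": int(mm.group("n")),
                "active": mm.group("active"), "type": mm.group("type"),
                "fs": mm.group("fs"), "size_mb": int(mm.group("size")),
                "offset": int(mm.group("offset")),
            })
        elif (mm := LOCKED_RE.match(msg)):
            summary["locked"].append({"name": mm.group("name"), "path": mm.group("path"),
                                      "code": int(mm.group("code"))})
        elif (mm := INFECTED_RE.match(msg)):
            summary["infected"].append({"path": mm.group("path"),
                                        "detection": mm.group("detection")})
        elif msg == "Scan finished successfully":
            summary["finished"] = True
    return summary


def followup_items(summary: dict) -> list:
    """Human-readable list of what a reviewer should act on or verify."""
    items = []
    # Assumption: a stock boot sector is reported as "<Windows version> default MBR code".
    if not summary["mbr_code"] or "default MBR code" not in summary["mbr_code"]:
        items.append(f"MBR code is not reported as stock Windows code: {summary['mbr_code']!r}")
    for hit in summary["infected"]:
        items.append(f"{hit['detection']} detected in {hit['path']}")
    for svc in summary["locked"]:
        # A locked driver is normal for security software; confirm it belongs to a known product.
        items.append(f"locked driver {svc['name']} at {svc['path']}: confirm it belongs to installed software")
    if not summary["finished"]:
        items.append("log has no 'Scan finished' line; the scan may have been interrupted")
    return items


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"MBR: {s['mbr_code']}, partitions: {len(s['partitions'])}")
    for item in followup_items(s):
        print(" -", item)
```

On the sample the boot sector is reported as stock XP code, so the two follow-up items are the `Win32:Trojan-gen` detection and the locked Microsoft Antimalware definition driver, which the helper in the thread treated as expected for Microsoft Security Essentials.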

    #25 - Senior Member (Join Date: Sep 2010, Posts: 631)


    Hi mla34,

    I think we can clean up the tools as your computer appears to be clean.

    From your desktop, please delete, if present
    • any notepads/logs that we created
    • TDSSKiller
    • aswMBR.exe
    • mbr.dat
    • mbr.zip
    • DDS.scr
    You can also delete this file C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt along with this folder C:\TDSSKiller_Quarantine

    Next

    Click the Start button, click Run. Copy and paste the following line into the run box and click OK

    Combofix /uninstall

    Next

    Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

    You can keep TFC, use it occasionally to clean out the temp files.

    I suggest you keep MBAM. Keep it updated and use it regularly.

    Updates and upgrades

    Your Java is out of date. Click your start button, open Control Panel.
    • Locate the Java icon (it looks like a coffee cup)
    • double click it to open it
    • click the Update tab
    • Click update now
    Decline the Ask Toolbar when it's offered during the update.

    After Java is updated, reboot your computer if not prompted to.

    Next, clear the java cache

    To clear the Java Plug-in cache:
    • Click Start > Control Panel.
    • Double-click the Java icon in the control panel.
    • On the General tab, Click Settings under Temporary Internet Files.
    • On the Temporary Files Settings screen, Click Delete Files.
    • check all boxes
    • Click OK


    Adobe Reader

    You have an older version of Adobe Reader. You can download the current version HERE

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources. If you choose to use Foxit, decline the Foxit Toolbar offered during the install.

    Visit their support forum
    Foxit Forum

    In either case you should uninstall Adobe Reader 9.5.0 first. Be sure to move any PDF documents to another folder first though.

    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

    * If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

    Click FIREWALL for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)

    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.

    - Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
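The six settings in that procedure are stored as numeric values under the Internet zone's registry key, so they can be audited without clicking through the dialog. The Python below is an added example (not part of the original post) that compares a zone's values against the post's list and reports every setting that still differs. The registry path and the value names `1001`, `1004`, `1201`, `1800`, `1804` and `1607` are the IE URL-action identifiers as I know them and are an assumption to verify on your IE version; the action codes 0 = Enable, 1 = Prompt, 3 = Disable are assumed the same way. `read_internet_zone` only reads the registry, and only on Windows; the "weak" sample dictionary is constructed so the audit runs anywhere. Nothing here writes to the registry; `harden` returns the corrected dictionary for comparison.

```python
# Assumed registry location of the Internet zone (zone id 3) and the numeric
# URL-action value names for the settings listed in the post.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTION = {"Enable": 0, "Prompt": 1, "Disable": 3}   # assumed action codes
ACTION_NAME = {code: name for name, code in ACTION.items()}

# value name -> (setting as worded in the post, required action)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", "Prompt"),
    "1004": ("Download unsigned ActiveX controls", "Disable"),
    "1201": ("Initialize and script ActiveX controls not marked as safe", "Disable"),
    "1800": ("Installation of desktop items", "Prompt"),
    "1804": ("Launching programs and files in an IFRAME", "Prompt"),
    "1607": ("Navigate sub-frames across different domains", "Prompt"),
}

# Constructed "weak" zone: every listed action set to Enable (0).
WEAK_SAMPLE = {code: ACTION["Enable"] for code in REQUIRED}


def describe(current) -> str:
    """Readable form of a stored action code (None = value absent)."""
    if current is None:
        return "not set"
    return ACTION_NAME.get(current, f"unknown code {current}")


def audit_zone(values: dict) -> list:
    """Return (setting, current, required) for every setting that differs from the post's list."""
    findings = []
    for code, (label, wanted) in REQUIRED.items():
        current = values.get(code)
        if current != ACTION[wanted]:
            findings.append((label, describe(current), wanted))
    return findings


def harden(values: dict) -> dict:
    """Copy of the zone dictionary with every listed setting at its required action."""
    hardened = dict(values)
    for code, (_, wanted) in REQUIRED.items():
        hardened[code] = ACTION[wanted]
    return hardened


def read_internet_zone():
    """Read the current user's Internet zone values; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for code in REQUIRED:
            try:
                data, _ = winreg.QueryValueEx(key, code)
                values[code] = int(data)
            except FileNotFoundError:
                pass  # value absent: audit_zone reports it as "not set"
    return values


if __name__ == "__main__":
    live = read_internet_zone()
    zone = live if live is not None else WEAK_SAMPLE
    print("auditing", "live Internet zone" if live is not None else "constructed sample")
    for label, current, wanted in audit_zone(zone):
        print(f"  {label}: is {current}, should be {wanted}")
    print("after hardening:", audit_zone(harden(zone)) or "no differences")
```

Running the audit before and after the clicks in the post is a quick way to confirm the dialog actually applied all six changes; a value that is "not set" falls back to the zone's template default, so it is reported as a difference rather than silently treated as correct.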

    - Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

    - Make sure you have reset Automatic Updates to your chosen option: Click your start button > Control Panel > System > Automatic updates tab.

    - Keep your antivirus program updated, as well as any other security programs you have.

    - More tips and programs can be found HERE

    Please post back if you have any problems.

    Take care
    Member of UNITE and ASAP

    #26 - Senior Member (Join Date: Jan 2010, Posts: 115)


    Hi, OM,
    You gave me quite a bit of homework...lol...but it's all done. I can't thank you enough for your professional help and guidance with the issues on this laptop and I certainly could not have done all of this without your help! All seems to be fine now! I will be making another donation to show my appreciation! Thanks again!

    #27 - Senior Member (Join Date: Sep 2010, Posts: 631)


    Hi mla34,

    You are more than welcome. And Thank You!

    Take care, keep safe.
    Member of UNITE and ASAP

    #28 - Senior Member (Join Date: Sep 2010, Posts: 631)


    Since this issue appears to be resolved ... this Topic has been closed.
    Member of UNITE and ASAP
