Hijackthis Report

Hi steam.
I found C:\WINDOWS\system32\asferro.dll but I couldn't open it because I didn't have the right application to open it. Next to it there was an asferror.dll by Microsoft; is that the "real" one?
I downloaded the latest Java, but I couldn't delete the old one I had, this message just came up: The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Here is my SUPERAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2008 at 09:46 PM

Application Version : 4.0.1154

Core Rules Database Version : 3425
Trace Rules Database Version: 1417

Scan type : Complete Scan
Total Scan Time : 00:46:35

Memory items scanned : 368
Memory threats detected : 0
Registry items scanned : 5265
Registry threats detected : 0
File items scanned : 57247
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@ads.sun[2].txt
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@2o7[1].txt
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@pandasoftware.112.2o7[1].txt

Here is my Combofix log:
ComboFix 08-03-25.1 - in hong chong 2008-03-25 20:46:07.6 - NTFSx86
Running from: C:\Documents and Settings\in hong chong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\in hong chong\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\drivers\cijexctk.sys
C:\WINDOWS\system32\drivers\lpjcqiax.sys
.
-- Script messages for sUBs --
Findstr -MIF:/ sursen

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\cijexctk.sys
C:\WINDOWS\system32\drivers\lpjcqiax.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NFTKECAA
-------\Service_nftkecaa


((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 20:26 . 2008-03-25 20:31 <DIR> d-------- C:\Documents and Settings\in hong chong\.SunDownloadManager
2008-03-22 18:13 . 2008-03-22 19:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-22 15:58 . 2008-03-22 17:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-20 17:02 . 2008-03-20 17:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-17 19:52 . 2008-03-22 17:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-17 19:52 . 2008-03-17 19:52 <DIR> d-------- C:\Documents and Settings\in hong chong\Application Data\SUPERAntiSpyware.com
2008-03-17 19:52 . 2008-03-17 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-17 19:51 . 2008-03-17 19:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 19:09 . 2008-03-17 19:09 <DIR> d-------- C:\Program Files\CCleaner
2008-03-14 22:07 . 2008-03-14 22:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 19:36 . 2008-03-14 19:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-14 19:36 . 2008-03-14 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-14 18:51 . 2008-03-22 17:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 18:51 . 2008-03-14 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 21:19 . 2008-03-14 00:16 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-13 21:19 . 2008-03-14 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-09 20:47 . 2008-03-09 20:47 80,959,471 --a------ C:\WINDOWS\pav.sig
2008-03-09 20:38 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\SYSTEM32\asprouni.exe
2008-03-09 20:37 . 2008-03-09 20:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ASPRO
2008-03-09 20:37 . 2008-03-09 21:15 30,590 --a------ C:\WINDOWS\SYSTEM32\pavaspro.ico
2008-03-09 20:37 . 2008-03-09 21:15 3,377 --a------ C:\WINDOWS\SYSTEM32\.ico
2008-03-09 20:37 . 2008-03-09 21:15 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstallpro.ico
2008-03-09 20:37 . 2008-03-09 21:15 1,406 --a------ C:\WINDOWS\SYSTEM32\Helppro.ico
2008-03-09 19:42 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-09 19:41 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hyemhslckupp.sys
2008-03-09 19:28 . 2008-03-22 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-09 19:28 . 2008-03-22 17:08 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-09 19:28 . 2008-03-22 17:08 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-09 19:28 . 2008-03-22 17:08 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-09 18:54 . 2008-03-09 18:54 4,172 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-09 18:25 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-03-09 18:25 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-03-09 18:25 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-03-09 18:25 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-03-09 18:25 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-03-09 18:25 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-03-09 18:25 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-03-05 19:42 . 2008-03-05 19:42 <DIR> d-------- C:\Documents and Settings\eun soon chong\Application Data\HPAppData
2008-03-02 17:31 . 2008-03-14 16:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 17:31 . 2008-03-02 17:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 21:41 . 2008-02-28 21:41 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 00:32 --------- d-----w C:\Documents and Settings\in hong chong\Application Data\HPAppData
2008-03-22 22:44 --------- d-----w C:\Program Files\Bonjour
2008-03-19 23:41 --------- d-----w C:\Program Files\SmileyDistrict
2008-03-19 23:41 --------- d-----w C:\Program Files\QuickTime
2008-03-19 23:41 --------- d-----w C:\Program Files\iTunes
2008-03-19 23:41 --------- d-----w C:\Program Files\DellSupport
2008-03-18 00:42 --------- d-----w C:\Program Files\Yahoo!
2008-03-13 23:49 --------- d-----w C:\Program Files\Jasc Software Inc
2008-03-01 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-18 17:29 --------- d-----w C:\Documents and Settings\in ji chong\Application Data\Apple Computer
2008-02-18 03:35 --------- d-----w C:\Documents and Settings\in hong chong\Application Data\Apple Computer
2008-02-18 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-18 01:52 --------- d-----w C:\Program Files\Apple Software Update
2008-02-18 01:48 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-18 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-17 22:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 22:29 --------- d-----w C:\Program Files\Ulead Systems
2008-02-17 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-17 22:26 --------- d-----w C:\Program Files\CyberLink
2008-02-17 22:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-17 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-17 22:24 --------- d-----w C:\Program Files\Common Files\aolshare
2008-02-17 22:21 --------- d-----w C:\Program Files\WildTangent
2008-02-17 22:13 --------- d-----w C:\Program Files\Common Files\Real
2008-02-01 04:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-03-02 00:35 65,552 ----a-w C:\Documents and Settings\in ji chong\Application Data\GDIPFONTCACHEV1.DAT
2002-09-19 03:42 3,178,828 ------w C:\Program Files\E.msi
.
Code:
<pre>
----a-w           212,992 2008-03-14 21:26:42  C:\Program Files\McAfee.com\Agent\mcupdate  .exe
----a-w           212,992 2008-03-01 23:19:01  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
----a-w            98,304 2008-03-10 00:56:41  C:\Program Files\QuickTime\qttask            .exe
----a-w            98,304 2008-03-10 00:56:42  C:\Program Files\QuickTime\qttask           .exe
----a-w            98,304 2008-03-10 00:56:42  C:\Program Files\QuickTime\qttask          .exe
----a-w            98,304 2008-03-10 00:56:42  C:\Program Files\QuickTime\qttask         .exe
----a-w            98,304 2008-03-10 00:56:44  C:\Program Files\QuickTime\qttask        .exe
----a-w            98,304 2008-03-10 00:56:44  C:\Program Files\QuickTime\qttask       .exe
----a-w           385,024 2008-03-10 00:56:47  C:\Program Files\QuickTime\qttask   .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-03-23_18.39.36.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
+ 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
- 2006-12-01 10:20:32 79,360 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
- 2008-03-23 23:33:23 16,810 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
+ 2008-03-26 01:51:55 16,810 ----a-w C:\WINDOWS\SYSTEM32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3}]
2008-03-05 19:55 98048 --a------ C:\WINDOWS\system32\asferro.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"MRT"="C:\WINDOWS\system32\MRT.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2008-03-01 23:10 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2008-03-14 16:27 303104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 20:01:04 83360]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-11-06 11:12:29 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1135963495\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-03-14 01:03:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 20:52:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-25 20:57:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 01:57:30
ComboFix2.txt 2008-03-23 23:40:07
ComboFix3.txt 2008-03-20 21:47:09
ComboFix4.txt 2008-03-19 23:55:12
ComboFix5.txt 2008-03-19 02:15:39
.
2008-02-14 00:18:51 --- E O F ---

While I was running Combofix, McAfee came up with a message that said it detected a virus. This is the first time McAfee has actually notified me about viruses or malware, even though I was heavily infected before. I frequently ran virus scans with McAfee in the past, but it only detected "Smiley Central" as potentially dangerous and nothing else.
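The "Reg Loading Points" section of the ComboFix log above carries several signals a defender would flag on sight: a Run value pointing at `qttask .exe` (a space before the extension, imitating the real QuickTime file name), Security Center alerting and product monitoring switched off, and the Windows Firewall standard profile disabled. The following Python triage script is an added example, not part of this thread and not ComboFix's own code; it parses lines in that section's format and reports those conditions. The sample input is constructed from the posted log lines.

```python
import re

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section;
# the paths and values are copied from the log posted above, not generated here.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3}]
2008-03-05 19:55 98048 --a------ C:\WINDOWS\system32\asferro.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"MRT"="C:\WINDOWS\system32\MRT.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2008-03-14 16:27 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# First Windows path ending in an executable extension; stops at quotes/brackets.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys))', re.IGNORECASE)


def whitespace_before_extension(path):
    """True for names like 'qttask .exe' that imitate a legitimate binary name."""
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rpartition(".")[0]
    return stem != stem.rstrip()


def parse_number(data):
    """Read 'dword:00000001' or a leading decimal such as '0 (0x0)'; None otherwise."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", data, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Return (finding_kind, detail) tuples for the conditions described above."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        if key is None:
            continue
        lkey = key.lower()
        # ComboFix lists each BHO's DLL on its own line under the CLSID key;
        # report every one so it can be compared with the HijackThis O2 entry.
        if "browser helper objects" in lkey:
            pm = PATH_RE.search(line)
            if pm:
                findings.append(("bho-dll", pm.group(1)))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, data = vm.group("name"), vm.group("data")
        lname = name.lower()
        if lkey.endswith("\\run"):
            pm = PATH_RE.search(data)
            if pm and whitespace_before_extension(pm.group(1)):
                findings.append(("spaced-filename", pm.group(1)))
        number = parse_number(data)
        if "security center" in lkey and lname in ("antivirusdisablenotify", "disablemonitoring") and number == 1:
            findings.append(("security-center-weakened", key + "\\" + name))
        if "firewallpolicy" in lkey and lname == "enablefirewall" and number == 0:
            findings.append(("firewall-disabled", key))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

Run it as a script to see the five findings from the sample; to use it on a real log, pass the whole file's text to `triage()`. The `bho-dll` finding is informational (legitimate BHOs are listed the same way), whereas a space before the extension and the disabled Security Center and firewall settings are each worth acting on.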
 
Hi

I found C:\WINDOWS\system32\asferro.dll but I couldn't open it because I didn't have the right application to open it. Next to it there was an asferror.dll by Microsoft; is that the "real" one?
I downloaded the latest Java, but I couldn't delete the old one I had, this message just came up: The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

DON'T try to open or run the asferro.dll .... I just wanted to know if you found it, now you have I'll give you instructions to upload it for me to have a look at it ... can you zip it ? ... don't try anything else with it.

The asferror.dll by Microsoft is legit ... it's OK.

Before we reinstall the Windows Installer, I want to see a reg key, there may not be anything wrong with it.

Open notepad and copy the text from the code box into it :-

Code:
regedit /e search.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option"

save it on the desktop & save it as search.bat

Double-click the search.bat and a new text file, search.txt, will be created on the desktop.

paste the contents of the text file in your next reply...

While I was running Combofix, McAfee came up with a message that said it detected a virus. This is the first time McAfee has actually notified me about viruses or malware, even though I was heavily infected before. I frequently ran virus scans with McAfee in the past, but it only detected "Smiley Central" as potentially dangerous and nothing else.

Did you make a note of the virus name & its location?

If it's now in McAfee quarantine, can you find it for me ?

-
Please go here :-

http://www.thespykiller.co.uk/index.php?board=1.0

Start a new topic ...title file for steamwiz - asferro.dll

put this in your post :-

for steamwiz ...

link :- http://forums.spybot.info/showthread.php?t=25576&page=7

O2 - BHO: (no name) - {99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3} - C:\WINDOWS\system32\asferro.dll


then please find the C:\Windows\system32\asferro.dll file ...

... zip it & attach it to the post...

steam
 
Hi steam.

I copied and pasted the code into notepad and saved it as search.bat on my desktop. I double-clicked, and a window that said C:\Documents and Settings\in hong chong\Desktop>regedit /e search.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option" popped up. I tried to find 'search.txt' on my desktop but I couldn't.

I wasn't able to get the name of the virus, and there is nothing in its quarantine. McAfee simply told me that the computer was infected with a virus and nothing more. McAfee also refuses to update, so I was thinking of just uninstalling it and getting a different firewall?

I also posted the asferro.zip
 
HI

I copied and pasted the code into notepad and saved it as search.bat on my desktop. I double-clicked, and a window that said C:\Documents and Settings\in hong chong\Desktop>regedit /e search.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option" popped up. I tried to find 'search.txt' on my desktop but I couldn't.

Not to worry ... if the Safeboot\Option key had an enabled dword value called "OptionValue", then this would make Windows think it was in safe mode even though it was in normal mode, and it wouldn't allow you to install programs like Java, because the Windows Installer Service would not be running. If you don't have the "Option" key, then the bat file you ran will not produce a search.txt file (which is what happened) ... it doesn't matter whether you understood that ...

Before we attempt to reinstall the windows installer, let's see if the service is running ?

Go to Start > run > type > services.msc & click OK

When the services applet opens, scroll down to windows installer .... what is the startup type ?


I wasn't able to get the name of the virus, and there is nothing in its quarantine. McAfee simply told me that the computer was infected with a virus and nothing more. McAfee also refuses to update, so I was thinking of just uninstalling it and getting a different firewall?

You have McAfee-AntiVirus & McAfee-Firewall ... I would have thought the AntiVirus not the firewall would have alerted you to a virus .... unless something tried to get through the firewall & this is what it alerted you to .... that would explain nothing in the quarantine folder.

I'll check out the asferro file & let you know what our next step in deleting it will be.

steam
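The reply above reasons from the regedit export: an OptionValue DWORD under SafeBoot\Option makes Windows behave as if it had booted into Safe Mode, and regedit writes no search.txt at all when the key does not exist. As an added example (my own code, not steam's and not part of any tool named in the thread), this Python helper decodes a regedit export file the way regedit writes it (UTF-16 with a byte-order mark) and reports the state of the key; the sample export is constructed, and the search.txt path on the Desktop is an assumption.

```python
import os
import re

SAFEBOOT_OPTION_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option"

# Constructed sample of what 'regedit /e search.txt "<key>"' would write if the
# Option key existed with the flag set. It is not an export from the thread's PC.
# regedit writes UTF-16 with a byte-order mark, which str.encode("utf-16") also does.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[" + SAFEBOOT_OPTION_KEY + "]\r\n"
    '"OptionValue"=dword:00000001\r\n'
    '"UseAlternateShell"=dword:00000000\r\n'
).encode("utf-16")


def decode_export(raw):
    """Decode regedit output: UTF-16 when a BOM is present, otherwise ASCII."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("ascii", errors="replace")


def safeboot_state(export_text):
    """Return (key_present, option_value); option_value is None if the DWORD is absent."""
    key_present = False
    option_value = None
    in_key = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == SAFEBOOT_OPTION_KEY.lower()
            key_present = key_present or in_key
            continue
        if in_key:
            m = re.match(r'"OptionValue"\s*=\s*dword:([0-9a-fA-F]{8})$', line, re.IGNORECASE)
            if m:
                option_value = int(m.group(1), 16)
    return key_present, option_value


def describe(key_present, option_value):
    """Turn the parsed state into the verdict the thread is looking for."""
    if not key_present:
        return "Option key absent: Windows is not being told it booted into Safe Mode"
    if option_value:
        # A real Safe Mode boot sets 1 (Safe Mode) or 2 (Safe Mode with Networking).
        return (f"OptionValue={option_value}: stale Safe Mode flag, so Windows Installer "
                "refuses to run just as it would in Safe Mode")
    return "Option key present but no Safe Mode flag set"


def check_export_file(path):
    """Apply the thread's reasoning: if regedit wrote no file, the key does not exist."""
    if not os.path.exists(path):
        return describe(False, None)
    with open(path, "rb") as fh:
        return describe(*safeboot_state(decode_export(fh.read())))


if __name__ == "__main__":
    # Assumed location of the search.txt produced by the thread's search.bat.
    print(check_export_file(os.path.join(os.path.expanduser("~"), "Desktop", "search.txt")))
    print(describe(*safeboot_state(decode_export(SAMPLE_EXPORT))))
```

The BOM check matters in practice: opening a regedit export as plain text shows NUL-separated characters, and a naive line match for `[HKEY_LOCAL_MACHINE\...]` silently fails, which looks exactly like "key absent".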
 
Hi steam.

The startup type for windows installer is manual.

Since I am unable to update McAfee, should I just get a different antivirus and firewall?
 
Hi

Hi steam.

The startup type for windows installer is manual.

Since I am unable to update McAfee, should I just get a different antivirus and firewall?

The windows installer startup is correct ...

Do you have a subscription for McAfee ? if you do, then you could try a complete uninstall and re-install first ...

I believe the asferro.dll file is vundo related & may have a rootkitted file protecting it...

First I want you to try vundofix, & if that doesn't work, we'll try some rootkit scans ...

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

Keep running vundofix until it gives you the message "no infected files were found"

Don't forget to please post the :-

C:\vundofix.txt

steam
 
Hi steam.
I don't have a subscription for McAfee.

I downloaded Vundofix and on its first scan it told me that there were no infected files. Do you still want me to post a Hijackthis log?
 
Hi

OK ... no need for a new hijackthis log ...

Please try & run these :-

Download AVG Anti-Rootkit and save to your desktop

http://free.grisoft.com/softw/70free/setup/avgarkt-setup-1.1.0.42.exe

1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use notepad to open the .csv file). Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

& this one ...

Please download Sophos Anti-Rootkit, and save it on your desktop.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\Program Files\Sophos\Sophos Anti-Rootkit and double-click sargui.exe to start the program.
3. Make sure the following are checked:

- Running processes
- Windows Registry
- Local Hard Drives

4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste:-

%temp%\sarscan.log

then press Enter.

7. This should open the log from the rootkit scan.

Post the log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

steam
 
Hi steam.
I ran AVG Anti-Rootkit using both search for rootkits and perform in-depth search, and it found nothing.

I wasn't able to download Sophos Anti-Rootkit because a few of the requirements ask me about 'my company' but I don't have one.
 
Hi steam.
I'm sorry, I wasn't able to get on the computer for a few days because I was busy.
I ran Sophos Anti-Rootkit and it didn't find anything.
 
Hi

1. Download icesword: http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip > to your desktop...

2. unzip the zip file to your desktop, to reveal an IceSword122en folder ...

3. Open the folder & double-click the IceSword.exe file, to run the program ...

4. Make the window full screen by clicking the maximise button in the top right hand corner.

5. Click the "File" button (Bottom left)

>> In order to have a better view of the left side section, you will need to widen it by clicking on the line dividing both sections and then dragging it towards the right a bit.

6. Click the + next to Local disk (C:)
...Click the + next to Windows
...Click the folder next to System32

Look for asferro.dll

Be careful not to delete the legitimate asferror.dll

7. Right click the asferro.dll and choose delete.

8. Close IceSword by clicking the X in the top right corner. Click Yes at the prompt.

9. Reboot the PC.

Is the file gone ?

steam
 
Hi

Please be more specific ...

Did you use IceSword to delete it ?

You say the file is in QooBox Quarantine, well it's OK in there ... but tell me this ...

According to Combofix ... CFScript.txt > C:\WINDOWS\system32\asferro.dll . . . . failed to delete

When Combofix deletes a file it makes several checks, it may well be that Combofix deleted the file (put it in QooBox Quarantine) & then the file was recreated, & when combofix checked to see if the file had been deleted, it found it again & thought it had not deleted it ... hence ... C:\WINDOWS\system32\asferro.dll . . . . failed to delete

So I'm assuming that you had 2 asferro.dll files ... one in system32 & the other in QooBox Quarantine, after using IceSword, you now only have the one in QooBox Quarantine ... am I correct ?

Now we need to systematically go through the scans & logs again to make sure they are clean ...

The first time you ran the scans, a lot of infected files were found in system restore, so I am going to get you to purge system restore first, then the logs you post will be very short & hopefully clean as well.

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

-
Then I want you to start by posting a new hijackthis log & a new KASPERSKY ONLINE SCANNER REPORT.

steam
 
Hi steam.
Yes, I used Icesword to delete asferro.dll. I don't have asferro.dll in my system32 anymore. I have two asferro.dll in the QooBox Quarantine, and I have one asferro zip in the QooBox Quarantine.

Here is my Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:43 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3} - C:\WINDOWS\system32\asferro.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZCxdm244YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll (file missing)
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9265 bytes

Here is my Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 04, 2008 10:32:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 682641
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 59618
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:03:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\in hong chong\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-4-2008( 21-15-40 ).LOG Object is locked skipped
C:\Documents and Settings\in hong chong\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\in hong chong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\in hong chong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\in hong chong\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\in hong chong\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped
C:\Documents and Settings\in hong chong\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\in hong chong\ntuser.dat Object is locked skipped
C:\Documents and Settings\in hong chong\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\lpjcqiax.dat.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-03-25_205213.59.zip/cijexctk.sys Infected: Trojan.Win32.BHO.gy skipped
C:\QooBox\Quarantine\catchme2008-03-25_205213.59.zip/lpjcqiax.sys Infected: Trojan.Win32.BHO.gy skipped
C:\QooBox\Quarantine\catchme2008-03-25_205213.59.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
I forgot to say that at the beginning (0%) and then near the end (98%) of the Kaspersky scan, this message popped up:
Windows - No Disk
Exception Processing Message c0000013 Parameters75 b6bf9c 4 b6bf9c b6bf9c
with the options Cancel, Try Again, and Continue.
 
HI

A lot of things can cause that error; it's probably a conflict between KASPERSKY & another program which you have running, so as long as you don't run KASPERSKY again (& there's no need to) as it only shows 3 infections, which are all in Qoobox quarantine, & we'll deal with them shortly ... let me know if you see the error again.

Disconnect from the internet. Close ALL browser windows (including this one), run hijackthis and tick to fix (check the box next to) the list below ... when all are ticked (checked), click the Fix Checked button at the bottom :-

O2 - BHO: (no name) - {99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3} - C:\WINDOWS\system32\asferro.dll (file missing)


Reboot ... run hijackthis again & tell me if you still see the entry which you removed?

No need to post a new hijackthis log.

But please do this :-

Run hijackthis ...

Click Open the Misc tools section

Click open uninstall manager

Click save list

save the uninstall_list.txt to your desktop

Copy & paste the list in your next post here ...


Then do this :-

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK




THEN ... re-run these 3 scans & post the logs :-

SUPERAntiSpyware
Panda ActiveScan
bitdefender

steam
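An added example (not code from this thread or from HijackThis itself) of the triage the reply above does by hand: it parses HijackThis-style lines and flags the O2/O3/O9 registrations whose target file is gone or that carry no name, such as the asferro.dll BHO being fixed here. The sample lines are constructed in the shape of the log posted above, and the Entry, parse_entry, triage and orphaned names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the HijackThis log posted in this thread
# (six lines, including the unnamed BHO whose DLL is already gone).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {99DC9AB0-94F0-4ACA-B943-8FCCE5DEF0B3} - C:\WINDOWS\system32\asferro.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when a registration points at a file that no longer exists.
MISSING_MARKERS = ("(file missing)", "(no file)")
HIVE_MARKERS = ("(HKCU)",)  # per-user entry marker, not part of the path


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("section"), m.group("body"))
    clsid = CLSID_RE.search(entry.body)
    if clsid:
        entry.clsid = clsid.group(0)
    # The target (DLL, EXE or URL) is the last " - " separated field; names such as
    # "Spybot - Search & Destroy" contain the separator, so only the last field is used.
    tail = entry.body.split(" - ")[-1].strip()
    for marker in MISSING_MARKERS:
        if marker in tail:
            entry.flags.append(marker.strip("()"))
            tail = tail.replace(marker, "").strip()
    for marker in HIVE_MARKERS:
        tail = tail.replace(marker, "").strip()
    entry.path = tail or None
    if "(no name)" in entry.body:
        entry.flags.append("no name")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every entry line of a HijackThis log, in order."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
    return entries


def orphaned(log_text: str) -> List[Entry]:
    """Entries whose registration outlived its file, or that carry no name: the ones
    to check first and, once confirmed, to tick in HijackThis as the reply above does."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in orphaned(SAMPLE_LOG):
        print(f"{e.section} {e.clsid or '-'} {e.path or '(none)'} flags={e.flags}")
```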
 
I followed your instructions, rebooted, and ran hijackthis again. I don't see the entry anymore.
Here is the uninstall_list.txt:
32 Bit HP CIO Components Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
AIM 6
AOL Explorer
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
AVG Anti-Rootkit Free
Bonjour
CardRd81
CCleaner (remove only)
CCScore
Corel Painter Essentials 2
CR2
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell ResourceCD
Dell Support Center
DellSupport
ESET Online Scanner
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
Finale NotePad 2006
GTK+ 2.6.9 runtime environment
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
JTablet
Kaspersky Online Scanner
Kodak EasyShare software
KSU
Macromedia Shockwave Player
MapleStory
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
My Way Search Assistant
NetZeroInstallers
Notifier
OTtBP
OTtBPSDK
Panda ActiveScan
Panda ActiveScan Pro
QuickTime
Samsung CamCorder Driver
Samsung SMP4 Video Codec Uninstall
Security Task Manager 1.7e
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SFR
SHASTA
SKIN0001
SKINXSDK
Sophos Anti-Rootkit 1.3.1
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tablet
The GIMP 2.2.8
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VPRINTOL
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WIRELESS
WordPerfect Office 12



Here is the SUPERAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/06/2008 at 07:24 PM

Application Version : 4.0.1154

Core Rules Database Version : 3431
Trace Rules Database Version: 1423

Scan type : Complete Scan
Total Scan Time : 00:46:02

Memory items scanned : 378
Memory threats detected : 0
Registry items scanned : 5263
Registry threats detected : 0
File items scanned : 58475
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@revsci[2].txt
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@cdn.atwola[1].txt
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@2o7[2].txt
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@atwola[1].txt
C:\Documents and Settings\in hong chong\Cookies\in_hong_chong@ar.atwola[1].txt


Here is the PandaActiveScan log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-06 20:40:53
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\Process.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
 
Here is the bitdefender log:

Time
00:52:41

Files
217191

Folders
7883

Boot Sectors
4

Archives
9399

Packed Files
12096




Results

Identified Viruses
0

Infected Files
0

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
0




Engines Info

Virus Definitions
1128810

Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins
16

Archive plugins
41

Unpack plugins
7

E-mail plugins
6

System plugins
5




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

No virus found.
 
HI

Looking good ...

SUPERAntiSpyware only found 5 cookies ... you are always going to pick up tracking cookies, that's part of surfing nowadays.

-
This is the java runtime I want you to remove from add/remove programs ..

Java 2 Runtime Environment, SE v1.4.2_03

Which you had trouble with ... please try to remove it again & install the latest java.

You already have the newest Windows Installer installed; let me know if you still have trouble ...

-
PandaActiveScan log shows these :-

1. 00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}

2. 00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\Process.exe

The first is an orphan vundo key, which I'll give you a reg file to remove ...

The second is a legitimate process which is no problem ...

On second thoughts, I won't give you a reg file to remove it; we'll run another excellent anti-malware program which I believe will remove it & may show something else we have missed ...


Download and install the 30 day trial of AVG Anti-Spyware from HERE :-

http://www.ewido.net/en/download/

1. Download it to your desktop
2. Double-click the AVG Anti-Spyware icon to start the AVG Anti-Spyware setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close AVG Anti-Spyware > Do not run the scan yet.

Boot your computer into Safemode

1. Go to Start > Shut Off your Computer > Restart
2. As the computer starts to boot up, tap the F8 KEY somewhat rapidly; this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process

1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will be prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close AVG Anti-Spyware
10. Copy & paste the AVG Anti-Spyware report in your next post

-
bitdefender log is clean ...

steam
 