Malware Help!

[Dakeyras]

Hi.

Thanks much for your help!

You're welcome!

Custom ComboFix-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

  Folder::
  c:\program files\Eusing Free Registry Cleaner
  
  Registry::
  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  "Local Page"="C:\WINDOWS\system32\blank.htm"
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
  "Local Page"="C:\WINDOWS\system32\blank.htm"
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
  [-HKEY_CLASSES_ROOT\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}]
  [-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end.

Run Kaspersky Online AV Scanner:

Go to this Kaspersky website and perform an online antivirus scan.

Note: Use Internet Explorer for this scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

This online tuturial will help explain how to use the aforementioned online scan.

When completed the above, please post back the following:

• How is your computer performing now? Any problems encountered and or any further symptoms?
• ComboFix Log.
• Kaspersky report.

 

[GM123]

Hi,

I had encountered a problem in running kaspersky online scanner using IE. I get the following message " Launch of Java application is interrupted! Please establish an unterrupted internet connection for work with this program". My internet connection is fine and I dont get a problem when I try to run with firefox. Should I run using firefox?

Here is the combofix log.

ComboFix 09-12-25.04 - ganesh 12/26/2009 18:33:52.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.247 [GMT -5:00]
Running from: c:\documents and settings\ganesh\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\ganesh\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Eusing Free Registry Cleaner
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090821175123.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090821175902.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090821180220.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090823204622.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090830210910.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090903184539.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090908131905.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20090920171943.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20091011132219.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20091018173812.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20091025094806.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20091101144546.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20091115000834.reg
c:\program files\Eusing Free Registry Cleaner\Backup\Backup20091217091250.reg

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 18:35 . 2009-12-26 18:35 -------- dc----w- C:\DISSERTATION FINAL
2009-12-26 14:11 . 2009-12-26 14:11 -------- d-----w- c:\windows\ERUNT
2009-12-25 02:57 . 2009-12-25 02:59 1924744 ----a-w- c:\documents and settings\ganesh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-12-24 16:48 . 2009-12-24 16:48 -------- dc----w- C:\rsit
2009-12-22 19:09 . 2009-12-16 19:42 43008 ----a-w- c:\documents and settings\ganesh\Application Data\Mozilla\Firefox\Profiles\1ernd1cl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-22 19:09 . 2009-12-16 19:42 340480 ----a-w- c:\documents and settings\ganesh\Application Data\Mozilla\Firefox\Profiles\1ernd1cl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-22 19:09 . 2009-12-16 19:42 872960 ----a-w- c:\documents and settings\ganesh\Application Data\Mozilla\Firefox\Profiles\1ernd1cl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-22 19:09 . 2009-12-16 19:41 346624 ----a-w- c:\documents and settings\ganesh\Application Data\Mozilla\Firefox\Profiles\1ernd1cl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-20 01:35 . 2009-12-20 01:35 -------- d-----w- c:\program files\AC3Filter
2009-12-19 14:23 . 2009-12-19 14:23 -------- d-----w- c:\program files\ERUNT
2009-12-19 13:08 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-19 13:00 . 2009-12-19 13:00 152576 ----a-w- c:\documents and settings\ganesh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-19 13:00 . 2009-12-19 13:00 79488 ----a-w- c:\documents and settings\ganesh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-17 14:30 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 14:30 . 2009-12-17 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-17 14:30 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 21:43 . 2009-12-16 21:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-15 22:52 . 2009-12-15 22:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-10 03:43 . 2009-12-10 04:25 -------- dc----w- C:\nm7
2009-12-10 03:26 . 2009-12-11 03:14 -------- dc----w- C:\pdxpop4
2009-12-08 15:16 . 2009-12-08 15:18 -------- d-----w- c:\program files\gfortran
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\ganesh\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-01 00:36 . 2009-12-16 18:33 -------- dc----w- C:\HLM
2009-11-27 21:24 . 2009-11-27 21:24 -------- d-----w- c:\documents and settings\ganesh\Application Data\GARMIN
2009-11-27 21:23 . 2009-11-27 21:23 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-11-27 21:23 . 2009-11-27 21:23 -------- d-----w- c:\program files\DIFX
2009-11-27 21:23 . 2009-11-27 21:23 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-27 21:23 . 2009-11-27 21:23 -------- d-----w- c:\program files\Garmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 13:50 . 2009-08-01 01:08 -------- d-----w- c:\documents and settings\ganesh\Application Data\ZoomBrowser EX
2009-12-24 13:25 . 2008-09-21 19:09 -------- d-----w- c:\program files\Common Files\Pharsight
2009-12-24 13:22 . 2007-05-06 01:59 -------- d-----w- c:\program files\Symantec
2009-12-24 13:22 . 2007-05-06 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-24 13:21 . 2007-05-06 01:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-24 13:16 . 2009-05-06 02:13 -------- d--h--w- c:\program files\InstallJammer Registry
2009-12-24 13:16 . 2009-05-06 02:11 -------- d-----w- c:\program files\PLTTools
2009-12-24 02:29 . 2008-10-21 03:38 85464 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-20 21:17 . 2008-11-16 03:49 664 ----a-w- c:\documents and settings\ganesh\Local Settings\Application Data\d3d9caps.dat
2009-12-19 13:02 . 2006-04-18 03:39 -------- d-----w- c:\program files\Java
2009-12-13 20:31 . 2009-11-05 19:11 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-12-09 17:06 . 2009-07-04 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-04 19:48 . 2009-02-19 00:33 -------- d-----w- c:\program files\QuickTime
2009-11-21 15:51 . 2005-08-16 09:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-08 00:00 . 2009-11-05 19:11 158 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ssprs.dll
2009-11-06 01:10 . 2009-11-05 19:11 -------- d-----w- c:\documents and settings\ganesh\Application Data\Pharsight
2009-11-05 20:11 . 2009-11-05 19:11 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\grcauth2.dll
2009-11-05 20:11 . 2009-11-05 19:11 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\grcauth1.dll
2009-11-05 20:11 . 2009-11-05 19:11 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll
2009-11-05 20:11 . 2009-11-05 19:11 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth1.dll
2009-11-05 19:08 . 2007-11-24 00:59 -------- d-----w- c:\program files\Pharsight
2009-11-05 03:42 . 2009-08-01 00:58 -------- d-----w- c:\documents and settings\ganesh\Application Data\CameraWindowDC
2009-11-03 01:42 . 2009-10-03 12:00 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 17:54 . 2006-12-02 15:36 103304 ----a-w- c:\documents and settings\ganesh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-01 17:11 . 2009-07-04 16:18 -------- d-----w- c:\program files\Microsoft Works
2009-10-29 07:45 . 2005-08-16 09:18 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 09:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 09:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2008-12-27 16:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-09-28 02:43 . 2008-09-21 19:49 4940 ----a-w- c:\program files\Trial Simulator.wsp
2008-09-21 19:49 . 2008-09-21 19:49 201 ----a-w- c:\program files\LicenseInstallWizard3.log
2008-09-21 19:40 . 2008-09-21 19:40 160883036 ----a-w- c:\program files\TS221.zip
2008-09-21 19:07 . 2008-09-21 19:06 57141408 ----a-w- c:\program files\WinNonlin521.zip
2007-01-26 02:27 . 2006-12-29 00:35 8154264 ----a-w- c:\program files\CleanAccessAgent.exe
2007-01-07 03:04 . 2007-01-07 03:04 165888 ----a-w- c:\program files\Pharmaceutical Industry Internships.doc
2006-12-02 16:18 . 2006-12-02 16:18 18192896 ----a-w- c:\program files\ucvse80isp13Spy5100.exe
2005-08-15 18:54 . 2005-08-15 18:54 442 ----a-w- c:\program files\WinNonlin.pdf
2005-08-15 18:54 . 2005-08-15 18:54 12695132 ----a-w- c:\program files\WinNonlin.msi
2005-08-15 18:54 . 2005-08-15 18:54 1013 ----a-w- c:\program files\Setup.ini
2005-08-15 18:53 . 2005-08-15 18:53 477696 ----a-w- c:\program files\isscript.msi
2005-08-15 18:53 . 2005-08-15 18:53 3673 ----a-w- c:\program files\0x0409.ini
2005-08-15 18:53 . 2005-08-15 18:53 1821008 ----a-w- c:\program files\instmsiw.exe
2005-08-15 18:53 . 2005-08-15 18:53 1707856 ----a-w- c:\program files\instmsia.exe
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
2007-03-27 23:33 . 2006-12-19 02:31 56 --sh--r- c:\windows\system32\7A83BC0799.sys
2007-03-11 20:49 . 2006-12-03 18:47 88 --sh--r- c:\windows\system32\9907BC837A.sys
2007-04-22 13:40 . 2007-04-22 13:40 56 --sh--r- c:\windows\system32\B6EC45BF34.sys
2009-04-18 16:47 . 2006-12-03 18:47 7154 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\ganesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-14 133104]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"VoipRaider"="c:\program files\VoipRaider.com\VoipRaider\VoipRaider.exe" [2009-12-25 9111344]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-02 413696]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-03-26 69632]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ganesh^Start Menu^Programs^Startup^WordWeb.lnk]
backup=c:\windows\pss\WordWeb.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"VoipRaider"="c:\program files\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VoipRaider.com\\VoipRaider\\voipraider.exe"=
"c:\\Documents and Settings\\ganesh\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\ganesh\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\Pharsight\MPICH2\bin\smpd.exe [10/16/2009 1:53 PM 450560]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\ganesh\Application Data\Mozilla\Firefox\Profiles\1ernd1cl.default\
FF - component: c:\documents and settings\ganesh\Application Data\Mozilla\Firefox\Profiles\1ernd1cl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\ganesh\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ganesh\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 18:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-12-26 18:45:39
ComboFix-quarantined-files.txt 2009-12-26 23:45
ComboFix2.txt 2009-12-26 14:45
ComboFix3.txt 2009-09-03 23:24
ComboFix4.txt 2008-12-30 13:47

Pre-Run: 17,338,179,584 bytes free
Post-Run: 17,329,119,232 bytes free

- - End Of File - - BA1E0C32ED885C7AA26C1FBBACAB3466

 

[Dakeyras]

Hi.

By all means try the scan with FireFox, however if still problems use the below alternative online scan instead please.

Have you experienced any other issues with the use of IE at all?

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

• Please go here then click on:
  
  
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:

1. Scan for potentially unwanted applications
2. Scan for potentially unsafe applications
3. Enable Anti-Stealth Technology

• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

When completed the above, please post back the following:

• How is your computer performing now? Any problems encountered and or any further symptoms?
• Either online scan log.

 

[GM123]

Hi,

Here is the kaspersky report after scanning with firefox. I dont use IE for browsing, the only other problem was the redirection to other sites.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, December 27, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, December 27, 2009 11:04:57
Records in database: 3410691
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 149008
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 09:15:00


File name / Threat / Threats count
C:\Documents and Settings\ganesh\.housecall6.6\Quarantine\ruyezijo.dll.bac_a07864 Infected: Trojan.Win32.Monder.alks 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.

 

[Dakeyras]

Hi.

Giving the nature of the malware infections that were present on your machine. I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please do not be overly alarmed by this but see it as myself ensuring your continued online safety.

I advice you purge the Quarantine folder that was created when you used Trend-Micro's online scan. The other infection flagged by the Kaspersky online scan will be purged when we uninstall ComboFix.

Any other issues remaining? Before we clean up the tools used and I provide some online safety advice.

 

[GM123]

Hi,

Thanks for your note. I will change all my passwords pertinent to any bank transactions. What did you mean by "purge the Quarantine folder that was created when you used Trend-Micro's online scan"?. I havent seen any other issues so far.

Thanks much for your time end expertise.

 

[Dakeyras]

Hi.

What did you mean by "purge the Quarantine folder that was created when you used Trend-Micro's online scan"?.

It relates to the below:-

C:\Documents and Settings\ganesh\.housecall6.6\Quarantine\ruyezijo.dll.bac_a07864

Easy way to remove would be to actually delete this folder:-

.housecall6.6

Then empty the Recycle Bin.

Thanks much for your time end expertise.

You're welcome!

Next:

Congratulations your computer now appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advice you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

Also so is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

• Click on Start >> Run...
• Now type in ComboFix /Uninstall into the and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.
• 

Clean up with OTC:

Please download OTC and save it to desktop.

This tool will remove all the tools(and logs created) we used to clean your pc.

• Double-click OTC.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is a excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed combination security application, McAfee Enterprise automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running providing a internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT, I advice you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

• I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
• Install the Active X
• Once installed it will advise set Auto-Updates if not set and you then you will be able to manually check for updates also via:
• Start >> All Programs >> Microsoft Updates

Be careful when opening attachments and downloading files:

• Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
• Never open emails from unknown senders.
• Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
• Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

• MVPS Hosts File
• Bluetack's Hosts File
• Bluetack's Host Manager
• hpHosts.

Only use one of the above.

Finally a educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein(updated by tashi):

So how did I get infected in the first place?

Any questions? Feel free to ask, if not stay safe!

 

[GM123]

Hi,

Just wanted to let you know that I have no more issues and questions. Thanks for your help. Wish you a happy new year!resent:

 

[Dakeyras]

You are very welcome and likewise!

 

[Dakeyras]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.