
Solved Can't Access Antivirus & Microsoft Websites

Discussion in 'Malware and Virus Removal Archive' started by BaSubScribe, 2009/09/29.

  1. 2009/09/29
    BaSubScribe

    BaSubScribe Well-Known Member Thread Starter

    Joined:
    2009/09/29
    Messages:
    6
    Likes Received:
    0
    [Resolved] Can't Access Antivirus & Microsoft Websites

    I can't access any anti-virus sites or any Microsoft websites. I am pretty sure it's some new and improved malware. Even though I can't see any strange or unknown process using Windows Task Manager and 3 other similar utilities (such as MKN, AnVir & Free Extended), I do see a strange process using Security Task Manager. The process name is "Universal Server (ekwwe)" and the file name for it is "cqohz.dll". I cannot delete that file nor change any of its hidden, system and read-only attributes. It supposedly launches when svchost.exe starts and was given a description of "Resolves and caches DNS names for this computer. If service is stopped, this computer will not be able to resolve DNS names or locate Active Directory domain controllers". The last time I checked I believe that DNS Client was responsible for that service. What I do notice with the generic task managers are two Rundll32 processes running, but I suspect that is related to my Nvidia card.

    I suspect the malware is aware of Security Task Manager and its ability to find, isolate and delete running processes in a way that other task managers can't, because my Security Task Manager cannot stop this particular process.
    I get a strange message that says 'couldn't set a restore point 1058' and with a follow-up dialog box saying 'for your safety you can remove services and drivers with a registered version only'.

    I have been using unregistered versions for the last 2 years and they have all worked to stop hidden processes, so I suspect the malware is targeting a list of programs that might be able to disable it. NEED HELP. This is so annoying!!! Here is the output from the DDS script.


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by BaJohnson at 1:41:49.15 on 09/29/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1346 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\ZoneTick\timesync.exe
    C:\Program Files\Free Extended Task Manager\Extensions\TaskManager\ExtensionsTaskManager32.exe
    C:\Program Files\Opera\opera.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\XYplorer\XYplorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\APPLICATIONS - Setup FIles\Utilties\Antivirus\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/advanced_search?q=+&hl=en&lr=&rls=com.microsoft:en-us&num=30
    uURLSearchHooks: Torrents-Search-Engine Toolbar: {3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - c:\program files\torrents-search-engine\tbTor1.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Torrents-Search-Engine Toolbar: {3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - c:\program files\torrents-search-engine\tbTor1.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\progra~1\freedo~1\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Torrents-Search-Engine Toolbar: {3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - c:\program files\torrents-search-engine\tbTor1.dll
    uRun: [ZoneTick] c:\program files\zonetick\zonetick.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [<NO NAME>]
    mRun: [NWEReboot]
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
    mRun: [AudioDeck] c:\program files\via\viaudioi\sbadeck\ADeck.exe 1
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventv~1.lnk - c:\windows\system32\eventvwr.msc
    uPolicies-explorer: NoInstrumentation = 1 (0x1)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249701777234
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: acaptuser32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\bajohn~1\applic~1\mozilla\firefox\profiles\ragjg18m.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - prefs.js: network.proxy.type - 2
    FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
    FF - plugin: c:\program files\opera\program\plugins\npfdm.dll

    ============= SERVICES / DRIVERS ===============

    R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-11 902592]
    R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [2009-8-11 2208]
    R2 ZTime;ZoneTick Time;c:\program files\zonetick\timesync.exe [2009-8-8 241664]
    S2 ekwwe;Universal Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-13 14336]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-8-13 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-8-13 3072]
    S4 gupdate1ca1b6c13c112de;Google Update Service (gupdate1ca1b6c13c112de);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
    S4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]

    =============== Created Last 30 ================

    2009-09-28 18:36 <DIR> --d----- c:\program files\Free Extended Task Manager
    2009-09-28 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TaskManager
    2009-09-28 18:35 <DIR> --d----- c:\program files\MKN Software
    2009-09-28 18:35 <DIR> --d----- c:\program files\AnVir Task Manager Free
    2009-09-28 18:23 154,624 a------- c:\windows\system32\DTaskManager.exe
    2009-09-24 16:54 <DIR> --d----- c:\program files\Security Task Manager
    2009-09-11 16:56 <DIR> --d----- c:\program files\ElcomSoft
    2009-09-11 02:56 276 a------- c:\windows\apdfpr.ini
    2009-09-11 01:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Jes-Soft
    2009-09-11 01:41 <DIR> --d----- c:\program files\Jes-Soft
    2009-09-09 00:11 77,824 a------- c:\windows\system32\xvid.ax
    2009-09-09 00:11 <DIR> --d----- c:\program files\Xvid

    ==================== Find3M ====================

    2009-08-12 17:19 16,694 a------- c:\windows\system32\drivers\PalmUSBD.sys
    2009-08-12 17:19 53,248 a------- c:\windows\PalmDevC.dll
    2009-08-11 17:15 902,592 a------- c:\windows\system32\drivers\tdrpm228.sys
    2009-08-11 17:15 540,000 a------- c:\windows\system32\drivers\timntr.sys
    2009-08-11 17:15 44,704 a------- c:\windows\system32\drivers\tifsfilt.sys
    2009-08-11 17:15 138,208 a------- c:\windows\system32\drivers\snapman.sys
    2009-08-11 16:04 2,208 a------- c:\windows\system32\drivers\nxsIO32.sys
    2009-08-08 09:02 411,368 a------- c:\windows\system32\deploytk.dll
    2009-08-08 00:03 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-08-07 23:05 21,640 a------- c:\windows\system32\emptyregdb.dat
    2009-07-29 02:35 2,378,752 a------- c:\windows\system32\x264vfw.dll
    2009-07-21 02:52 499,712 a------- c:\windows\system32\msvcp71.dll
    2009-07-21 02:52 348,160 a------- c:\windows\system32\msvcr71.dll
    2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
    2003-03-18 20:14 499,712 a------- c:\program files\msvcp71.dll
    2003-03-18 19:05 89,088 a------- c:\program files\atl71.dll
    2003-02-21 04:42 348,160 a------- c:\program files\msvcr71.dll
    2008-04-13 23:41 167,071 a--shr-- c:\windows\system32\cqohz.dll

    ============= FINISH: 1:41:57.53 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-29.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 08/07/2009 11:10:40 PM
    System Uptime: 09/29/2009 12:23:13 AM (1 hours ago)

    Motherboard: | | K8M800-M2
    Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 754 | 1999/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 195 GiB total, 181.141 GiB free.
    D: is FIXED (NTFS) - 279 GiB total, 95.761 GiB free.
    E: is FIXED (NTFS) - 37 GiB total, 10.66 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is CDROM ()
    K: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: VIA Rhine III Fast Ethernet Adapter
    Device ID: PCI\VEN_1106&DEV_3106&SUBSYS_14061186&REV_86\3&13C0B0C5&0&50
    Manufacturer: VIA Technologies, Inc.
    Name: VIA Rhine III Fast Ethernet Adapter
    PNP Device ID: PCI\VEN_1106&DEV_3106&SUBSYS_14061186&REV_86\3&13C0B0C5&0&50
    Service: FET5X86V

    ==== System Restore Points ===================

    RP1: 09/22/2009 9:01:55 AM - System Checkpoint
    RP2: 09/23/2009 9:55:15 AM - System Checkpoint
    RP3: 09/24/2009 4:53:02 PM - Revo Uninstaller's restore point - Security Task Manager 1.7h
    RP4: 09/24/2009 4:55:33 PM - Move file to quarantine: Universal Server (ekwwe)
    RP5: 09/29/2009 1:15:53 AM - Configured Platform
    RP6: 09/29/2009 1:18:14 AM - Configured Platform

    ==== Installed Programs ======================

    µTorrent
    Acronis*True*Image*Home
    Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
    Adobe Acrobat 9.1.3 - CPSID_49522
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Presenter 7
    Adobe Shockwave Player 11.5
    AnalogX NetStat Live
    AnVir Task Manager Free
    AutoUpdate
    Avant Browser (remove only)
    Boson NetSim for CCNP 7.0
    Diskeeper 2009 Pro Premier
    Distributed Password Recovery
    DivX
    DivX Player
    DriveImage XML (Private Edition)
    EASEUS Partition Master 4.0 Home Edition
    eSignal
    eSignal 10.5
    eSignal FXCM Plugin
    Football Playbook 009
    Free Download Manager 2.5
    Free Extended Task Manager
    Free M4a to MP3 Converter 6.0
    Free Mp3 Wma Converter V 1.4.0
    FXOrder2Go
    Google Earth
    ImagXpress
    iTunes
    iTunes Sync 1.5.1
    Java(TM) 6 Update 15
    K-Lite Mega Codec Pack 5.0.5
    MFC RunTime files
    Microsoft .NET Framework 2.0
    Microsoft Network Monitor 3.3
    Microsoft Network Monitor: Microsoft Parsers 3.3
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Project MUI (English) 2007
    Microsoft Office Project Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio MUI (English) 2007
    Microsoft Office Visio Professional 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
    Microsoft Virtual PC 2007
    Microsoft Visual C++ 2005 Redistributable
    MKN TaskExplorer 5
    Mobipocket Reader 6.2
    Mozilla Firefox (3.0.14)
    Mp3tag v2.44
    MSN
    MSXML 6.0 Parser (KB927977)
    Nero 7 Ultra Edition
    neroxml
    NVIDIA Drivers
    Opera 10.00
    OperaFly 2.6
    Palm Outlook Conduits Updater
    palmOne
    Platform
    QuickTime
    QuickTime Alternative 2.9.0
    R-Studio 3.5
    Revo Uninstaller 1.83
    Security Task Manager 1.7h
    Security Update for Windows Internet Explorer 8 (KB972260)
    Skype™ 4.1
    TomeRaider3 v3.3.9
    Torrents-Search-Engine Toolbar
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows XP (KB898461)
    VIA Platform Device Manager
    VIA Rhine-Family Fast-Ethernet Adapter
    VLC media player 1.0.1
    Vuze
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    XML Notepad 2007
    XnView 1.96.2
    Xvid 1.2.2 final uninstall
    XYplorer 8.20
    ZoneTick World Time Zone Clock 5.3.1 (remove only)

    ==== Event Viewer Messages From Past Week ========

    09/29/2009 12:56:50 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the
    server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

    09/29/2009 12:37:26 AM, error: Srv [2011] - The server's configuration parameter "irpstacksize" is too small for the server to use a local device.
    Please increase the value of this parameter.

    09/24/2009 10:40:09 PM, error: Service Control Manager [7028] - The ekwwe Registry key denied access to SYSTEM account programs so the Service Control
    Manager took ownership of the Registry key.


    09/24/2009 10:36:36 PM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1
    time(s).

    09/24/2009 10:21:24 PM, error: Service Control Manager [7023] - The Universal Server service terminated with the following error: A dynamic link
    library (DLL) initialization routine failed.


    ==== End Of File ===========================
     
    Last edited: 2009/09/29
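The log above contains three indicators that can be pulled out mechanically rather than by eye: a service whose image is svchost.exe -k netsvcs (so its code is really a ServiceDll, not a binary of its own), a loose DLL in system32 with the hidden, system and read-only attributes set, and Service Control Manager / DCOM events that name that same service. The script below is an added example, not part of the thread and not code from DDS or from either poster. It runs over a few lines copied from the DDS output above and embedded as a constructed sample; the line formats are assumed from this log, not from any DDS documentation, and the error-code table is the standard Win32 one (1058 is ERROR_SERVICE_DISABLED, which is what the DCOM 10005 event reports for wuauserv, the Windows Update service, and the same code the Security Task Manager dialog quoted when it could not create a restore point).

```python
"""Triage DDS-style log lines for the indicators discussed above (added example)."""
import re

# Win32 error codes that DCOM/SCM messages print as "%NNNN".
WIN32_ERRORS = {"1053": "ERROR_SERVICE_REQUEST_TIMEOUT",
                "1058": "ERROR_SERVICE_DISABLED (service is disabled or has no enabled devices)"}

# Line shapes assumed from the log in this post, not from any DDS documentation.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) ([a-z-]{8}) (.+)$")
EVENT_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (\w+): (.+?) \[(\d+)\] - (.+)$")
EVENT_START = re.compile(r"^\d{2}/\d{2}/\d{4} ")

# Constructed sample: lines copied from the DDS output above so the script runs offline;
# the event messages are wrapped onto a second line exactly as DDS printed them.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R2 ZTime;ZoneTick Time;c:\program files\zonetick\timesync.exe [2009-8-8 241664]
S2 ekwwe;Universal Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-13 14336]
==================== Find3M ====================
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2008-04-13 23:41 167,071 a--shr-- c:\windows\system32\cqohz.dll
==== Event Viewer Messages From Past Week ========
09/29/2009 12:56:50 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the
server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

09/24/2009 10:40:09 PM, error: Service Control Manager [7028] - The ekwwe Registry key denied access to SYSTEM account programs so the Service Control
Manager took ownership of the Registry key.

09/24/2009 10:21:24 PM, error: Service Control Manager [7023] - The Universal Server service terminated with the following error: A dynamic link
library (DLL) initialization routine failed.
"""


def _join_wrapped(lines):
    """Glue a wrapped Event Viewer message back onto the line that started it."""
    out = []
    for raw in lines:
        line = raw.strip()
        if (out and EVENT_START.match(out[-1]) and line
                and not EVENT_START.match(line) and not line.startswith("=")):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def triage(text):
    """Return a list of findings (dicts keyed by 'kind') for one DDS log."""
    findings = []
    hosted = {}  # short name -> display name of services that run inside svchost.exe
    for line in _join_wrapped(text.splitlines()):
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, image, _meta = m.groups()
            # An svchost-hosted service has no binary of its own: its code is the DLL
            # named by its ServiceDll value, so that path and its signature need checking.
            if "svchost.exe" in image.lower():
                hosted[name.lower()] = display.lower()
                findings.append({"kind": "svchost_hosted_service", "state": state,
                                 "name": name, "display": display, "image": image})
            continue
        m = FILE_RE.match(line)
        if m:
            date, _time, _size, attrs, path = m.groups()
            # hidden + system + read-only together is the attribute set the poster could not clear.
            if {"h", "s", "r"} <= set(attrs):
                findings.append({"kind": "hidden_system_readonly_file", "path": path,
                                 "date": date, "attrs": attrs})
            continue
        m = EVENT_RE.match(line)
        if m:
            when, level, source, event_id, msg = m.groups()
            f = {"kind": "event", "when": when, "level": level, "source": source,
                 "id": event_id}
            err = re.search(r'"%(\d+)"', msg)
            if err:
                f["error"] = err.group(1)
                f["error_name"] = WIN32_ERRORS.get(err.group(1), "unknown")
            for pat in (r"start the service (\S+)",        # DCOM 10005
                        r"The (\S+) Registry key denied",  # SCM 7028
                        r"The (.+?) service terminated"):  # SCM 7023 / 7034
                svc = re.search(pat, msg)
                if svc:
                    f["service"] = svc.group(1)
                    break
            findings.append(f)
    # Tie SCM/DCOM events back to a hosted service by short name or display name.
    for f in findings:
        if f["kind"] == "event" and "service" in f:
            s = f["service"].lower()
            if s in hosted or s in hosted.values():
                f["correlated_with_hosted_service"] = True
    return findings
```

Two things on the output still need a human: the hosted service's ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\ekwwe\Parameters is the DLL that actually runs, and the file timestamp is not evidence of anything, since cqohz.dll carries the same 2008-04-13 date as the XP SP3 svchost.exe in the same list. Event 7028 (the service's own registry key denying access to SYSTEM) is consistent with the key's ACL having been changed, which fits the trouble the poster had removing it.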
  2. 2009/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Security Check from HERE, and save it to your Desktop.

    * Double-click SecurityCheck.exe
    * Follow the onscreen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2009/09/30
    BaSubScribe

    BaSubScribe Well-Known Member Thread Starter

    Joined:
    2009/09/29
    Messages:
    6
    Likes Received:
    0
    Hi Broni: I think I managed to fix the problem just before you responded. I believe the ComboFix I downloaded did the trick. I visited a website called geekstogo
    (http://www.geekstogo.com/forum/Malware-Spyware-Cleaning-Guide-t2852.html)
    They had a series of steps very similar to yours. The only difference was the availability of ComboFix. I assume it's a generic version or something.

    1) I can visit all sites in question and that universal server (ekwwe) is not running anymore.

    2) I manually cleaned the registry for all traces of (ekwwe). That was not so typical because of the LEGACY locations. Nevertheless they're all gone. And I deleted it from the SERVICES list.

    3) I deleted the cqohz.dll. That was difficult because I had to use a utility called UNLOCKER. I also figured that it was responsible for ensuring that Windows Explorer could not view any hidden or system files. So even the FILE ASSASSIN that's built into MALWAREBYTES could not work, because the context menu used to locate the locked files could not find it.

    What concerns me is I am not sure exactly how I did it because I did not reboot after each step, so it was hard to see which ones worked. If you don't mind I will continue with the thread to ensure that it really is clean. Here is the first log from the check-up. I'm going to run your version of ComboFix and then post it. But I am not sure of the HIJACKTHIS log. I don't recall doing the first one.

    I also have 1 question out of curiosity. How does ComboFix work? Is it something that techs can use and quickly modify for the rapidly evolving malware?



    Results of screen317's Security Check version 0.99.0
    Windows XP Service Pack 3
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMIC entry does not exist for antivirus; attempting automatic update.
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 15
    Adobe Flash Player 10
    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Utilties Antivirus Malware Spyware Trojans SecurityCheck.exe
    ``````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    `````````End of Log```````````



    ComboFix 09-09-30.01 - BaJohnson 09/30/2009 18:00.2.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -4:00]
    Running from: c:\documents and settings\BaJohnson\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
    .

    2009-09-30 15:38 . 2009-09-30 15:38 -------- d-----w- c:\program files\Security Task Manager
    2009-09-30 14:05 . 2009-09-30 14:05 -------- d-----w- c:\program files\Unlocker
    2009-09-29 20:40 . 2009-09-29 20:40 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Malwarebytes
    2009-09-29 20:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-29 20:40 . 2009-09-29 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-29 20:40 . 2009-09-29 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-29 20:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-29 17:21 . 2009-09-29 17:21 -------- d-----w- c:\program files\ERUNT
    2009-09-29 16:14 . 2009-09-29 16:19 -------- d-----w- C:\36223-CF
    2009-09-28 22:36 . 2009-09-28 22:36 -------- d-----w- c:\documents and settings\BaJohnson\Local Settings\Application Data\TaskManager
    2009-09-28 22:36 . 2009-09-28 22:36 -------- d-----w- c:\program files\Free Extended Task Manager
    2009-09-28 22:36 . 2009-09-28 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\TaskManager
    2009-09-28 22:35 . 2009-09-28 22:35 -------- d-----w- c:\program files\MKN Software
    2009-09-28 22:35 . 2009-09-28 22:35 -------- d-----w- c:\program files\AnVir Task Manager Free
    2009-09-28 22:33 . 2009-09-28 23:59 -------- d-----w- c:\documents and settings\BaJohnson\Local Settings\Application Data\AnVir
    2009-09-28 22:23 . 2008-10-12 05:55 154624 ----a-w- c:\windows\system32\DTaskManager.exe
    2009-09-11 22:30 . 2009-09-24 20:43 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\U3
    2009-09-11 20:56 . 2009-09-11 20:56 -------- d-----w- c:\program files\ElcomSoft
    2009-09-11 05:42 . 2009-09-11 05:42 -------- d-----w- c:\documents and settings\BaJohnson\Local Settings\Application Data\Jes-Soft
    2009-09-11 05:42 . 2009-09-11 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Jes-Soft
    2009-09-11 05:41 . 2009-09-11 17:51 -------- d-----w- c:\program files\Jes-Soft
    2009-09-09 04:11 . 2009-09-09 04:11 -------- d-----w- c:\program files\Xvid
    2009-09-09 01:23 . 2009-09-09 01:23 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\dvdcss

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-30 21:28 . 2009-08-08 06:24 -------- d-----w- c:\program files\XYplorer
    2009-09-30 17:22 . 2009-08-08 07:14 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\nView_Wallpaper
    2009-09-30 15:41 . 2009-08-08 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2009-09-29 05:18 . 2009-08-08 06:52 -------- d-----w- c:\program files\VIA
    2009-09-29 04:20 . 2009-08-12 15:52 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Skype
    2009-09-29 04:03 . 2009-08-12 15:53 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\skypePM
    2009-09-25 15:45 . 2009-08-12 01:57 -------- d-----w- c:\program files\eSignal
    2009-09-25 15:45 . 2009-08-12 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\performance
    2009-09-24 18:56 . 2009-08-08 14:46 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\vlc
    2009-09-11 09:22 . 2009-08-19 20:57 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Azureus
    2009-09-10 12:35 . 2009-08-08 16:42 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Free Download Manager
    2009-09-02 17:13 . 2009-08-08 15:52 -------- d-----w- c:\program files\Opera
    2009-09-02 17:00 . 2009-08-10 17:49 -------- d-----w- c:\program files\ZoneTick
    2009-08-27 17:11 . 2009-08-08 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-08-21 20:52 . 2009-08-19 20:41 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\uTorrent
    2009-08-21 17:50 . 2009-08-21 17:46 -------- d-----w- c:\program files\uCertify
    2009-08-20 07:34 . 2009-08-08 17:55 -------- d-----w- c:\program files\Mp3tag
    2009-08-20 03:03 . 2009-08-20 03:03 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Binary Fortress Software
    2009-08-20 03:03 . 2009-08-20 03:03 -------- d-----w- c:\program files\iTunes Sync
    2009-08-20 02:37 . 2009-08-20 02:37 -------- d-----w- c:\program files\Opera 10 Beta
    2009-08-19 20:57 . 2009-08-19 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
    2009-08-19 20:56 . 2009-08-19 20:56 -------- d-----w- c:\program files\Vuze
    2009-08-19 20:54 . 2009-08-19 20:54 -------- d-----w- c:\program files\Torrents-Search-Engine
    2009-08-19 20:54 . 2009-08-19 20:54 -------- d-----w- c:\program files\Conduit
    2009-08-19 20:41 . 2009-08-19 20:41 -------- d-----w- c:\program files\uTorrent
    2009-08-17 15:57 . 2009-08-08 06:53 -------- d-----w- c:\program files\InstallShield Installation Information
    2009-08-17 15:56 . 2009-08-09 02:33 -------- d-----w- c:\program files\Boson Software
    2009-08-17 15:56 . 2009-08-09 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson Software
    2009-08-13 20:58 . 2009-08-13 20:58 -------- d-----w- c:\program files\EASEUS
    2009-08-13 20:12 . 2009-08-13 20:12 -------- d-----w- c:\program files\R-Studio
    2009-08-13 16:26 . 2009-08-13 16:25 -------- d-----w- c:\program files\TomeRaider3
    2009-08-13 15:45 . 2009-08-13 13:28 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Mobipocket
    2009-08-13 13:27 . 2009-08-13 13:27 -------- d-----w- c:\program files\Mobipocket.com
    2009-08-13 12:41 . 2009-08-13 12:41 -------- d-----w- c:\program files\Palm Inc
    2009-08-13 12:41 . 2009-08-12 21:19 -------- d-----w- c:\program files\palmOne
    2009-08-13 12:04 . 2009-08-12 16:42 -------- d-----w- c:\program files\Google
    2009-08-12 21:20 . 2009-08-12 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HotSync
    2009-08-12 21:19 . 2009-08-12 21:19 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\HotSync
    2009-08-12 21:19 . 2004-06-09 18:27 16694 ----a-w- c:\windows\system32\drivers\PalmUSBD.sys
    2009-08-12 21:19 . 2009-08-12 21:20 53248 ----a-w- c:\windows\PalmDevC.dll
    2009-08-12 15:53 . 2009-08-12 15:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-08-12 15:52 . 2009-08-12 15:52 -------- d-----w- c:\program files\Common Files\Skype
    2009-08-12 15:52 . 2009-08-12 15:52 -------- d-----r- c:\program files\Skype
    2009-08-12 15:52 . 2009-08-12 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-08-12 15:18 . 2009-08-08 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-08-12 06:22 . 2009-08-12 04:09 -------- d-----w- c:\program files\Common Files\Apple
    2009-08-12 04:43 . 2009-08-12 04:11 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Apple Computer
    2009-08-12 04:27 . 2009-08-12 04:22 -------- d-----w- c:\program files\Free Audio Pack
    2009-08-12 04:10 . 2009-08-12 04:10 -------- d-----w- c:\program files\iTunes
    2009-08-12 04:10 . 2009-08-12 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-08-12 04:10 . 2009-08-12 04:10 -------- d-----w- c:\program files\iPod
    2009-08-12 04:10 . 2009-08-08 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-08-12 04:10 . 2009-08-08 14:48 -------- d-----w- c:\program files\QuickTime Alternative
    2009-08-12 02:20 . 2009-08-12 01:57 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\eSignal
    2009-08-12 02:19 . 2009-08-12 02:19 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\counters
    2009-08-12 02:17 . 2009-08-12 01:57 -------- d-----w- c:\program files\Common Files\eSignal
    2009-08-12 02:17 . 2009-08-12 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\eSignal
    2009-08-12 02:17 . 2009-08-12 02:17 -------- d-----w- c:\program files\CandleWorks
    2009-08-11 21:22 . 2009-08-11 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-08-11 21:15 . 2009-08-11 21:15 902592 ----a-w- c:\windows\system32\drivers\tdrpm228.sys
    2009-08-11 21:15 . 2009-08-11 21:15 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
    2009-08-11 21:15 . 2009-08-11 21:15 44704 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2009-08-11 21:15 . 2009-08-11 21:15 138208 ----a-w- c:\windows\system32\drivers\snapman.sys
    2009-08-11 21:15 . 2009-08-11 21:15 -------- d-----w- c:\program files\Common Files\Acronis
    2009-08-11 21:15 . 2009-08-11 21:15 -------- d-----w- c:\program files\Acronis
    2009-08-11 21:07 . 2009-08-11 21:07 -------- d-----w- c:\program files\Runtime Software
    2009-08-11 21:04 . 2009-08-11 21:04 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Symantec
    2009-08-11 20:10 . 2009-08-11 20:10 -------- d-----w- c:\program files\Diskeeper Corporation
    2009-08-11 20:10 . 2009-08-11 20:10 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
    2009-08-11 20:10 . 2009-08-11 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
    2009-08-11 20:04 . 2009-08-11 20:04 2208 ----a-w- c:\windows\system32\drivers\nxsIO32.sys
    2009-08-10 17:49 . 2009-08-10 17:49 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\ZoneTick
    2009-08-10 17:49 . 2009-08-10 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Anuko
    2009-08-09 14:09 . 2009-08-09 14:09 -------- d-----w- c:\program files\Free M4a to MP3 Converter
    2009-08-09 14:01 . 2009-08-09 03:38 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Ahead
    2009-08-09 14:00 . 2009-08-09 03:38 -------- d-----w- c:\program files\Common Files\Ahead
    2009-08-09 03:38 . 2009-08-09 00:32 -------- d-----w- c:\program files\Nero
    2009-08-09 02:18 . 2009-08-09 00:31 -------- d-----w- c:\program files\Common Files\Nero
    2009-08-09 02:18 . 2009-08-09 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2009-08-09 01:09 . 2009-08-09 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
    2009-08-09 01:04 . 2009-08-08 15:54 -------- d-----w- c:\program files\OperaFly
    2009-08-09 00:53 . 2009-08-08 04:02 70016 ----a-w- c:\documents and settings\BaJohnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-09 00:53 . 2009-08-09 00:52 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Nero
    2009-08-08 23:30 . 2009-08-08 23:26 -------- d-----w- c:\program files\Common Files\Adobe
    2009-08-08 23:30 . 2009-08-08 23:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2009-08-08 23:27 . 2009-08-08 17:11 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Download Manager
    2009-08-08 18:17 . 2009-08-08 17:55 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Mp3tag
    2009-08-08 17:49 . 2009-08-08 17:49 -------- d-----w- c:\program files\AnalogX
    2009-08-08 16:42 . 2009-08-08 16:42 -------- d-----w- c:\program files\Free Download Manager
    2009-08-08 16:42 . 2009-08-08 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
    2009-08-08 16:01 . 2009-08-08 16:01 0 ----a-w- c:\windows\nsreg.dat
    2009-08-08 15:46 . 2009-08-08 15:46 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Avant Profiles
    2009-08-08 15:46 . 2009-08-08 15:46 -------- d-----w- c:\program files\Avant Browser
    2009-08-08 14:51 . 2009-08-08 14:51 -------- d-----w- c:\program files\DivX
    2009-08-08 14:45 . 2009-08-08 14:45 -------- d-----w- c:\program files\VideoLAN
    2009-08-08 14:41 . 2009-08-08 14:39 -------- d-----w- c:\documents and settings\BaJohnson\Application Data\Media Player Classic
    2009-08-08 14:37 . 2009-08-08 14:36 -------- d-----w- c:\program files\K-Lite Codec Pack
    2009-08-08 13:40 . 2009-08-08 13:40 -------- d-----w- c:\program files\XnView
    2009-08-08 13:02 . 2009-08-08 13:02 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-08-08 13:02 . 2009-08-08 13:02 -------- d-----w- c:\program files\Java
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-29_16.18.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-30 17:22 . 2009-09-30 17:22 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
    + 2009-09-29 17:22 . 2009-09-29 17:22 491520 c:\windows\ERDNT\09-29-2009\Users\00000002\UsrClass.dat
    + 2009-09-29 17:22 . 2005-10-20 16:02 163328 c:\windows\ERDNT\09-29-2009\ERDNT.EXE
    + 2009-09-29 17:22 . 2009-09-29 17:22 4075520 c:\windows\ERDNT\09-29-2009\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}"="c:\program files\Torrents-Search-Engine\tbTor1.dll" [2009-08-19 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]
    2009-08-19 20:55 2215960 ----a-w- c:\program files\Torrents-Search-Engine\tbTor1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}"="c:\program files\Torrents-Search-Engine\tbTor1.dll" [2009-08-19 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3B419EE1-1FA8-47B9-9AEC-6B60AC2E3FCA}"="c:\program files\Torrents-Search-Engine\tbTor1.dll" [2009-08-19 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneTick"="c:\program files\ZoneTick\zonetick.exe" [2009-08-10 348160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-22 4355464]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-22 960568]
    "AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-08-09 528384]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Event Viewer.lnk - c:\windows\system32\eventvwr.msc [2001-8-23 56678]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^BaJohnson^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\BaJohnson\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^BaJohnson^Start Menu^Programs^Startup^palmOne Registration.lnk]
    path=c:\documents and settings\BaJohnson\Start Menu\Programs\Startup\palmOne Registration.lnk
    backup=c:\windows\pss\palmOne Registration.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC"=2 (0x2)
    "wuauserv"=2 (0x2)
    "RemoteRegistry"=2 (0x2)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "iPod Service"=3 (0x3)
    "Nero BackItUp Scheduler 4.0"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\eSignal\\winros.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Opera 10 Beta\\opera.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\ElcomSoft\\Distributed Password Recovery\\esdprs.exe"=
    "c:\\Program Files\\ElcomSoft\\Distributed Password Recovery\\esdpr.exe"=
    "c:\\Program Files\\ElcomSoft\\Distributed Password Recovery\\esda.exe"=
    "c:\\Program Files\\XYplorer\\XYplorer.exe"=
    "c:\\Program Files\\Boson Software\\Boson NetSim for CCNP 7.0\\updates.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12121:TCP"= 12121:TCP:ElcomSoft Distributed Agents TCP Port
    "12122:TCP"= 12122:TCP:ElcomSoft Distributed Password Recovery Console TCP Port
    "7528:TCP"= 7528:TCP:zaafivo

    R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [08/11/2009 5:15 PM 902592]
    R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [08/11/2009 4:04 PM 2208]
    R2 ZTime;ZoneTick Time;c:\program files\ZoneTick\timesync.exe [08/08/2009 6:02 AM 241664]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [08/13/2009 4:58 PM 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [08/13/2009 4:58 PM 3072]
    S4 gupdate1ca1b6c13c112de;Google Update Service (gupdate1ca1b6c13c112de);c:\program files\Google\Update\GoogleUpdate.exe [08/12/2009 12:43 PM 133104]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 16:43]

    2009-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 16:43]

    2009-09-30 c:\windows\Tasks\User_Feed_Synchronization-{3DE85904-E80B-4E86-AB68-588762F534A4}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/advanced_search?q=+&hl=en&lr=&rls=com.microsoft:en-us&num=30
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\BaJohnson\Application Data\Mozilla\Firefox\Profiles\ubsw4zcj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?q=+&num=30&hl=en&lr=&as_qdr=all
    FF - prefs.js: network.proxy.type - 2
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-30 18:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3336)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-09-30 18:04
    ComboFix-quarantined-files.txt 2009-09-30 22:04
    ComboFix2.txt 2009-09-29 16:19

    Pre-Run: 194,496,557,056 bytes free
    Post-Run: 194,485,735,424 bytes free

    296
     
  5. 2009/10/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    To answer your question...
    Dealing with Combofix readings is a long learning process. It's a very powerful tool and if you're not familiar with it, you can do some serious damage to your computer.
    Running it is A OK, but later on you have to analyze what's left and this is quite a time-consuming process.

    I didn't find anything suspicious in Combofix log, so...

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u".
    Restart computer.


    Now, you're not running any AV program, so please, download and install one of these:

    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    - free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    If you decide to install Avast or Avira, make sure Windows firewall is turned on, or use Comodo firewall.
    If you decide to install Comodo Internet Security, or just Comodo firewall, make sure Windows firewall is turned off.

    IMPORTANT! Make sure you use only ONE antivirus and ONE firewall.

    After installation, update the program and run a full scan.


    When done....

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  6. 2009/10/02
    BaSubScribe

    BaSubScribe Well-Known Member Thread Starter

    Joined:
    2009/09/29
    Messages:
    6
    Likes Received:
    0
    Before I proceed with the antivirus programs: I currently use eSignal, which is a processor-intensive currency & equity charting program. The reason I have not installed an anti-virus is the use of resources. I found that eSignal runs soooooooooooooooo much better with the antivirus completely off the machine as opposed to disabled while I am using it. Which one of these AV programs is the least resource intensive?
     
  7. 2009/10/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, being without any AV program is not smart.
    Both Avira and Avast are not resource hungry.
     
  8. 2009/10/10
    BaSubScribe

    BaSubScribe Well-Known Member Thread Starter

    Joined:
    2009/09/29
    Messages:
    6
    Likes Received:
    0
    Sorry for the delay. I trade during the week and the scans are time consuming. I'm curious, it looks like these programs are redundant. So far we have used Combo Fix, Dr.Web, HijackThis, Malwarebytes & Security Check. Is there an all-in-one, or are we being extra thorough using different databases from different programs? And I noticed that it even registered one of the security programs as a virus!!

    Again I apologise for the delay. It in no way reflects a lack of appreciation for what you are doing and what I am learning!!!!!


    ***************************************************************
    Dr. Web Post

    A0000066.exe;C:\System Volume Information\_restore{CC606BF7-A401-4AC3-9140-57FE99E2CB59}\RP3;Trojan.Flood.22016;Deleted.;
    KillWind.exe;D:\APPLICATIONS - Drivers\Drivers - HP Computers\HP a530n\bin;Tool.ProcessKill;;
    rentV3.exe\data027;D:\APPLICATIONS - Setup FIles\Business-Financial\Real Estate\rentV3.exe;Program.RemoteAdmin;;
    rentV3.exe;D:\APPLICATIONS - Setup FIles\Business-Financial\Real Estate;Archive contains infected objects;Moved.;
    Sybex CCNA Cisco Certified Network Associate.exe\Sybex CCNA Cisco Certified Network Associate\Boson\GetPass\GetPass!.exe;D:\APPLICATIONS - Setup FIles\Routing\Cisco\Sybex CCNA Cisco Certified Network Associate.exe;Tool.GetPass.11;;
    Sybex CCNA Cisco Certified Network Associate.exe;D:\APPLICATIONS - Setup FIles\Routing\Cisco;Archive contains infected objects;Moved.;
    SmitfraudFix.exe\SmitfraudFix\Process.exe;D:\APPLICATIONS - Setup FIles\Utilties\Antivirus\SmitfraudFix.exe;Tool.Prockill;;
    SmitfraudFix.exe\SmitfraudFix\restart.exe;D:\APPLICATIONS - Setup FIles\Utilties\Antivirus\SmitfraudFix.exe;Tool.ShutDown.14;;
    SmitfraudFix.exe;D:\APPLICATIONS - Setup FIles\Utilties\Antivirus;Archive contains infected objects;Moved.;
    detach.exe;D:\APPLICATIONS - Setup FIles\Utilties\Process Managers;Trojan.Flood.22016;Deleted.;
    A0095623.exe\data012;D:\System Volume Information\_restore{510DF2C6-185E-42F3-8E3E-5EBE7532EAA9}\RP897\A0095623.exe;Adware.Coupons.34;;
    A0095623.exe\data013;D:\System Volume Information\_restore{510DF2C6-185E-42F3-8E3E-5EBE7532EAA9}\RP897\A0095623.exe;Adware.Coupons.34;;
    A0095623.exe\data015;D:\System Volume Information\_restore{510DF2C6-185E-42F3-8E3E-5EBE7532EAA9}\RP897\A0095623.exe;Adware.Coupons.34;;
    A0095623.exe\data016;D:\System Volume Information\_restore{510DF2C6-185E-42F3-8E3E-5EBE7532EAA9}\RP897\A0095623.exe;Adware.Coupons.34;;
    A0095623.exe;D:\System Volume Information\_restore{510DF2C6-185E-42F3-8E3E-5EBE7532EAA9}\RP897;Container contains infected objects;Moved.;
    GetPass!.exe;D:\Technical Articles - IT\Networking\Cisco Master\Sybex CCNA\Boson\GetPass;Tool.GetPass.11;;

    ******************************************************************
    HIJACK THIS POST
    ****************************************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:02:53 PM, on 10/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ZoneTick\zonetick.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\ZoneTick\timesync.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\XYplorer\XYplorer.exe
    D:\APPLICATIONS - Setup FIles\Utilties\Antivirus\Malware Spyware Trojans\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Torrents-Search-Engine Toolbar - {3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - C:\Program Files\Torrents-Search-Engine\tbTor1.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Torrents-Search-Engine Toolbar - {3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - C:\Program Files\Torrents-Search-Engine\tbTor1.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Torrents-Search-Engine Toolbar - {3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - C:\Program Files\Torrents-Search-Engine\tbTor1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
    O4 - Global Startup: Event Viewer.lnk = C:\WINDOWS\system32\eventvwr.msc
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249701777234
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ZoneTick Time (ZTime) - Anuko International Ltd. - C:\Program Files\ZoneTick\timesync.exe

    --
    End of file - 8871 bytes
     
  9. 2009/10/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Absolutely not. They complement each other.
    Nope.
    ??

    Also, always make sure "word wrap" is disabled in Notepad; otherwise the log is harder to read.

    =================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    nothing malicious to remove

    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    - O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    - O4 - Global Startup: Event Viewer.lnk = C:\WINDOWS\system32\eventvwr.msc



    5. Click on Fix checked button.

    6. Restart computer.


    When done....


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
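The HijackThis fix above is done by reading the log by hand and ticking entries. As an added example that is not part of this thread, the Python below parses the O4, O20 and O23 line types shown in the log and lists the entries a reviewer would read first (AppInit_DLLs, services with no publisher, binaries under temp or profile directories); the reasons are review prompts, not verdicts, and the "Unknown owner" wording and the two extra log lines are constructed assumptions.

```python
import re
# Added example (not from the thread): parse the HijackThis line types shown in the
# log above (O4 startups, O20 AppInit_DLLs, O23 services) and note which entries a
# reviewer reads first. Reasons are review prompts, not verdicts; the analyst in this
# thread found nothing malicious. Assumption: "Unknown owner" marks a service with no publisher.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_GLOBAL = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<cmd>.+)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.+)$")
# Directories where a startup or service binary is unusual enough to be checked by hand.
PROFILE_DIRS = re.compile(r"\\(Temp|Local Settings|Application Data|AppData|Recycler)\\", re.I)

# Constructed sample: four lines copied from the log above plus two made-up entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Event Viewer.lnk = C:\WINDOWS\system32\eventvwr.msc
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Example Updater (ExUpd) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\exupd.exe
O4 - HKCU\..\Run: [example] "C:\Documents and Settings\user\Application Data\example.exe"
"""

def parse_hjt_line(line):
    """Return a dict for a supported HijackThis line, or None for other sections."""
    line = line.strip()
    for section, rx in (("O4", O4_RUN), ("O4", O4_GLOBAL),
                        ("O20", O20_APPINIT), ("O23", O23_SERVICE)):
        m = rx.match(line)
        if m:
            entry = {"section": section, "name": "AppInit_DLLs", "company": None}
            entry.update(m.groupdict())  # hive/key/name/company/cmd where present
            return entry
    return None

def triage(entry):
    """Reasons a reviewer would look at this entry before the rest of the log."""
    reasons = []
    if entry["section"] == "O20":
        reasons.append("AppInit_DLLs is loaded into every process that maps user32.dll")
    if entry["section"] == "O23" and entry["company"] == "Unknown owner":
        reasons.append("service has no publisher string")
    if PROFILE_DIRS.search(entry["cmd"]):
        reasons.append("binary lives in a temp or user-profile directory")
    return reasons

def review_log(text):
    """Parse every supported line; return (all entries, [(entry, reasons)] to review)."""
    entries = [e for e in map(parse_hjt_line, text.splitlines()) if e]
    return entries, [(e, triage(e)) for e in entries if triage(e)]
```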
     
  10. 2009/10/11
    BaSubScribe

    BaSubScribe Well-Known Member Thread Starter

    Joined:
    2009/09/29
    Messages:
    6
    Likes Received:
    0
    One question before I delete my Nvidia control panel at startup. I am using dual 22 inch monitors with a customized setting for the trading software. Will it throw off my custom default settings? Also, I purposely have the event viewer on at startup so I can check the System and Application error and warning messages. Is there a way to alert me via a pop up as they happen, so that I can delete the startup?
     
  11. 2009/10/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It shouldn't, but you can leave those nVidia entries alone. No biggie.

    I'm not aware of any way to do it.
    Again, no biggie, if you leave that entry alone.
     
  12. 2009/10/12
    BaSubScribe

    BaSubScribe Well-Known Member Thread Starter

    Joined:
    2009/09/29
    Messages:
    6
    Likes Received:
    0
    Everything is clean as a whistle. Thank you and the forum for soooooooo much.
     
  13. 2009/10/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    Happy surfing :)
     
