1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Need some help with a sick laptop

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2010/02/04.

  1. 2010/02/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    [Resolved] Need some help with a sick laptop

    I'm trying to help a friend with a very sick laptop. When I got it, you could not open any programs, if you double clicked on anything, nothing happened. There were constant pop-ups warning about the pc being infected with viruses and malware (I noticed Superantivirus and Winantivirus icons on the desktop). I had to take the hard drive out to do an initial scan as I could not get any install files to run to install Malwarebytes, etc. After scanning from another pc, I did get a much cleaner boot and was able to get Malwarebytes, Spybot and Avast to install, updated each and ran scans. They all cleaned up a bunch more stuff. The pc is running much better than when I first booted it, but as bad as it was I'm sure I'm not done.

    I'm including the logs from DDS for someone to review, hopefully there's not too much more malware on it.

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by windows xp at 15:31:35.76 on Thu 02/04/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.308 [GMT -5:00]

    AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\windows xp\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {fbd5ac2c-1d70-4e85-800d-20e3521c401d} - c:\windows\system32\qoMgeCuR.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Starware Videos Toolbar: {6e4cc754-caa4-4576-9af1-68323d5760d4} - c:\program files\starware408\bin\Starware408.dll
    TB: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
    EB: Zango Information Window: {cfc5345b-5d1f-4686-bae0-b3ba4ee3acc7} - c:\program files\zango\bin\10.1.181.0\HostIE.dll
    EB: Starware408: {028afca6-990a-4c6e-b6fb-f4746b81abf7} - c:\program files\starware408\bin\Starware408.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [WinAntivirusPro] c:\program files\winantiviruspro3.8\WinAntivirusPro.exe
    uRun: [msnmsgr] "c:\progra~1\wi1f86~1\messen~1\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\newsfl~1.lnk - c:\program files\common files\mysoftware\Newsflsh.exe
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202175447593
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202189616281
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    AppInit_DLLs: qgouix.dll abwbuh.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMgeCuR

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-2-4 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-4 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-2-4 138680]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-2-4 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-2-4 352920]

    =============== Created Last 30 ================

    2010-02-04 17:42:12 499712 ----a-w- c:\windows\system32\MSVCP71.dll
    2010-02-04 17:42:12 348160 ----a-w- c:\windows\system32\MSVCR71.dll
    2010-02-04 17:42:12 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2010-02-04 15:19:03 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-04 15:19:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-02-04 13:49:02 0 d-----w- c:\docume~1\window~1\applic~1\Malwarebytes
    2010-02-04 13:48:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-04 13:48:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-04 13:48:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-04 13:48:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-02-03 00:20:44 0 d-----w- C:\tmp
    2010-02-03 00:17:08 244 ---ha-w- C:\sqmnoopt03.sqm
    2010-02-03 00:17:08 232 ---ha-w- C:\sqmdata03.sqm

    ==================== Find3M ====================

    2008-06-22 18:19:08 4096 --sha-w- c:\windows\system32\1112.dat

    ============= FINISH: 15:32:11.34 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/1/2008 3:42:05 PM
    System Uptime: 2/4/2010 12:49:40 PM (3 hours ago)

    Motherboard: Hewlett-Packard | | 308A
    Processor: Intel(R) Pentium(R) M processor 1.73GHz | U10 | 1729/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 31.618 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_308A103C&REV_03\3&B1BFB68&0&10
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_308A103C&REV_03\3&B1BFB68&0&10
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller
    Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_308A103C&REV_03\3&B1BFB68&0&11
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_308A103C&REV_03\3&B1BFB68&0&11
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: HP integrated Bluetooth module
    Device ID: USB\VID_03F0&PID_011D\5&2257792&0&2
    Manufacturer:
    Name: HP integrated Bluetooth module
    PNP Device ID: USB\VID_03F0&PID_011D\5&2257792&0&2
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Mass Storage Controller
    Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_0944103C&REV_00\4&AD1B67F&0&33F0
    Manufacturer:
    Name: Mass Storage Controller
    PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_0944103C&REV_00\4&AD1B67F&0&33F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_104C&DEV_8035&SUBSYS_0944103C&REV_00\4&AD1B67F&0&35F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_104C&DEV_8035&SUBSYS_0944103C&REV_00\4&AD1B67F&0&35F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_0944103C&REV_03\3&B1BFB68&0&F3
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_0944103C&REV_03\3&B1BFB68&0&F3
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\HPQ0006\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\HPQ0006\2&DABA3FF&0
    Service:

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Acrobat 5.0
    Adobe Flash Player ActiveX
    avast! Antivirus
    Design & Print, Business Edition
    Drivers Install For Linksys Easylink Advisor
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB915865)
    HP Integrated Wireless LAN W400-W500 Driver
    InterActual Player
    InterVideo WinDVD
    Linksys EasyLink Advisor 1.6 (0032)
    Macromedia Flash Player 8
    Malwarebytes' Anti-Malware
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    MyDataBase
    MyInvoices & Estimates Deluxe
    MySoftware Fonts
    Newsflash
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 8 (KB917734)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    SoundMAX
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2

    ==== Event Viewer Messages From Past Week ========

    2/4/2010 12:05:03 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    2/3/2010 9:45:10 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The system cannot find the file specified.
    2/2/2010 7:32:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    2/2/2010 7:32:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/2/2010 7:31:30 PM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 00166F6123CE has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    2/2/2010 7:13:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
    2/2/2010 7:13:33 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
     
    BillB,
    #1
  2. 2010/02/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt " along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
    broni,
    #2


  3. to hide this advert.

  4. 2010/02/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Broni,

    Thanks for the quick reply. Here are the logs you requested.

    ComboFix 10-02-04.01 - windows xp 02/04/2010 16:32:39.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.307 [GMT -5:00]
    Running from: c:\documents and settings\windows xp\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Newsflash.lnk
    C:\xcrashdump.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
    .

    2010-02-04 20:34 . 2010-02-04 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-04 20:34 . 2010-02-04 20:35 -------- d-----w- c:\program files\SpywareBlaster
    2010-02-04 17:43 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-02-04 17:43 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-02-04 17:43 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-02-04 17:43 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2010-02-04 17:43 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-02-04 17:43 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-02-04 17:43 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-02-04 17:43 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-02-04 17:42 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2010-02-04 17:42 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2010-02-04 17:42 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
    2010-02-04 17:42 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
    2010-02-04 17:41 . 2010-02-04 17:41 -------- d-----w- c:\program files\Alwil Software
    2010-02-04 15:19 . 2010-02-04 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-04 15:19 . 2010-02-04 15:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-04 13:49 . 2010-02-04 13:49 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-02-04 13:49 . 2010-02-04 13:49 -------- d-----w- c:\documents and settings\windows xp\Application Data\Malwarebytes
    2010-02-04 13:48 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-04 13:48 . 2010-02-04 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-04 13:48 . 2010-02-04 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-04 13:48 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-03 00:20 . 2010-02-03 00:24 -------- d-----w- C:\tmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-04 15:11 . 2008-06-09 11:03 -------- d-----w- c:\program files\SAV
    2008-06-22 18:19 . 2008-06-22 18:19 4096 --sha-w- c:\windows\system32\1112.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr "= "c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/4/2010 12:43 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/4/2010 12:43 PM 20560]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-04 c:\windows\Tasks\?? Windows Live Toolbar ??.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{FBD5AC2C-1D70-4E85-800D-20E3521C401D} - c:\windows\system32\qoMgeCuR.dll
    Toolbar-{6e4cc754-caa4-4576-9af1-68323d5760d4} - c:\program files\Starware408\bin\Starware408.dll
    WebBrowser-{E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-04 16:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-04 16:51:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-04 21:51

    Pre-Run: 33,865,035,776 bytes free
    Post-Run: 33,791,627,264 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - 0B333D4ED53B595E4E678C3DE82243D2


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:53:57 PM, on 2/4/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEZHCN/SAOS01?FORM=TOOLBR
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1202175447593
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1202189616281
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 3694 bytes
     
    BillB,
    #3
  5. 2010/02/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
c:\windows\system32\1112.dat


Folder::

Driver::

Registry::

RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
    broni,
    #4
  6. 2010/02/05
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Here are the new logs;

    ComboFix 10-02-04.06 - windows xp 02/05/2010 8:58.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.299 [GMT -5:00]
    Running from: c:\documents and settings\windows xp\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\windows xp\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\windows\system32\1112.dat "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\1112.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
    .

    2010-02-05 13:39 . 2010-02-05 13:55 -------- d-----w- c:\windows\LastGood
    2010-02-04 21:53 . 2010-02-04 21:53 -------- d-----w- c:\program files\Trend Micro
    2010-02-04 20:34 . 2010-02-04 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-04 20:34 . 2010-02-04 20:35 -------- d-----w- c:\program files\SpywareBlaster
    2010-02-04 17:43 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-02-04 17:43 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-02-04 17:43 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-02-04 17:43 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2010-02-04 17:43 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-02-04 17:43 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-02-04 17:43 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-02-04 17:43 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-02-04 17:42 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
    2010-02-04 17:42 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2010-02-04 17:42 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
    2010-02-04 17:42 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
    2010-02-04 17:41 . 2010-02-04 17:41 -------- d-----w- c:\program files\Alwil Software
    2010-02-04 15:19 . 2010-02-04 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-04 15:19 . 2010-02-04 15:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-04 13:49 . 2010-02-04 13:49 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-02-04 13:49 . 2010-02-04 13:49 -------- d-----w- c:\documents and settings\windows xp\Application Data\Malwarebytes
    2010-02-04 13:48 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-04 13:48 . 2010-02-04 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-04 13:48 . 2010-02-04 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-04 13:48 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-03 00:20 . 2010-02-03 00:24 -------- d-----w- C:\tmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-04 15:11 . 2008-06-09 11:03 -------- d-----w- c:\program files\SAV
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr "= "c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/4/2010 12:43 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/4/2010 12:43 PM 20560]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-04 c:\windows\Tasks\?? Windows Live Toolbar ??.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-05 09:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-02-05 09:08:26
    ComboFix-quarantined-files.txt 2010-02-05 14:08
    ComboFix2.txt 2010-02-04 21:51

    Pre-Run: 33,643,298,816 bytes free
    Post-Run: 33,607,905,280 bytes free

    - - End Of File - - DCFC275A846437BF2F06C95364C02265


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:22:37 AM, on 2/5/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEZHCN/SAOS01?FORM=TOOLBR
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1202175447593
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1202189616281
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 3694 bytes
     
    BillB,
    #5
  7. 2010/02/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    Things look pretty clean, but let's make sure...

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt before clicking on the Save button. Then post it here.
     
    broni,
    #6
  8. 2010/02/05
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I've uninstalled Combofix, I ran the temp file cleaner and the Kaspersky scan. Here is the log from the scan.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, February 5, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, February 05, 2010 21:10:10
    Records in database: 3432485
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 47834
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 02:06:10

    No threats found. Scanned area is clean.

    Selected area has been scanned.
     
    BillB,
    #7
  9. 2010/02/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    [SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
    broni,
    #8
  10. 2010/02/06
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    It's amazing, when I first got this machine I didn't think cleaning it would be possible. It is running much better now, all the problems have disappeared.

    I had already turned off system restore, it was so infected that I knew the restore points were most likely no good. I have turned it back on now and installed WOT. It's downloading updates now and as soon as that is finished I'm going to run the defrag and it should be ready to go back.

    Thanks for the help with this, it's a much better running machine than it was a few days ago. I'm going to be opening another thread for another laptop from the same person soon, it's not as bad as this one but bad enough.

    With any luck they will use the software that I've installed to keep it clean going forward. There was no antivirus or spyware software installed at all.
     
    BillB,
    #9
  11. 2010/02/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)
    Good luck :)
     
    broni,
    #10

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...