1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Need to make sure this PC is clean

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2009/10/08.

  1. 2009/10/08
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    [Resolved] Need to make sure this PC is clean

    I'm trying to help my sister-in-law cleanup her PC. When I first looked at it, there was a big message in the middle of the desktop that said the machine was infected and windows had been stopped to prevent further infection. There was also an icon in the systray that had a click here balloon to download anti-spyware software. She had Malwarebytes and Spybot but had not updated or scanned with either in months.

    I updated both and ran scans, both found infections and removed them. Avast also found a rootkit infection and quarantined it. Before I return the machine to her I want to make sure it is clean. I'm posting the DDS logs for review, hopefully there will not be anything left to do.

    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Judy at 17:56:56.54 on Thu 10/08/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.492 [GMT -4:00]

    AV: avast! antivirus 4.8.1356 [VPS 091008-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Judy\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://mystart.incredimail.com/
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\ahead\data\xtras\mssysmgr.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe "
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe "
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\PMREMIND.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-27 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-27 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-27 138680]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-27 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-27 352920]

    =============== Created Last 30 ================

    2009-10-08 17:48 <DIR> --d----- c:\program files\SpywareBlaster
    2009-10-06 22:16 0 a------- c:\windows\system32\5705.exe
    2009-10-06 21:16 0 a------- c:\windows\system32\24464.exe
    2009-10-06 20:16 0 a------- c:\windows\system32\26962.exe
    2009-10-06 19:16 0 a------- c:\windows\system32\29358.exe
    2009-10-06 18:16 0 a------- c:\windows\system32\11478.exe
    2009-10-06 17:16 0 a------- c:\windows\system32\15724.exe
    2009-10-06 16:16 0 a------- c:\windows\system32\19169.exe
    2009-10-06 15:16 0 a------- c:\windows\system32\26500.exe
    2009-10-06 14:16 0 a------- c:\windows\system32\6334.exe
    2009-10-06 13:16 0 a------- c:\windows\system32\18467.exe
    2009-10-04 22:35 0 a------- c:\windows\system32\41.exe

    ==================== Find3M ====================

    2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys

    ============= FINISH: 17:59:48.52 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-29.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/27/2009 2:20:16 PM
    System Uptime: 10/8/2009 4:40:15 PM (1 hours ago)

    Motherboard: | | M7VKD
    Processor: AMD Athlon(tm) Processor | Socket A | 1302/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 19 GiB total, 12.242 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP69: 7/11/2009 3:09:56 PM - System Checkpoint
    RP70: 7/13/2009 3:03:12 PM - System Checkpoint
    RP71: 7/15/2009 3:39:46 PM - System Checkpoint
    RP72: 7/17/2009 10:00:30 AM - System Checkpoint
    RP73: 7/18/2009 4:13:57 PM - System Checkpoint
    RP74: 7/27/2009 4:38:01 PM - System Checkpoint
    RP75: 8/7/2009 10:39:53 AM - System Checkpoint
    RP76: 8/15/2009 12:12:04 PM - System Checkpoint
    RP77: 8/19/2009 2:38:43 PM - System Checkpoint
    RP78: 8/20/2009 2:43:12 PM - System Checkpoint
    RP79: 8/24/2009 9:39:15 AM - System Checkpoint
    RP80: 8/26/2009 9:45:02 AM - System Checkpoint
    RP81: 9/2/2009 12:17:05 PM - System Checkpoint
    RP82: 9/4/2009 2:52:21 PM - System Checkpoint
    RP83: 9/6/2009 4:19:28 PM - System Checkpoint
    RP84: 9/8/2009 9:14:38 AM - System Checkpoint
    RP85: 9/13/2009 3:04:25 PM - System Checkpoint
    RP86: 9/15/2009 12:07:01 PM - System Checkpoint
    RP87: 9/21/2009 9:56:40 AM - System Checkpoint
    RP88: 9/23/2009 12:57:02 PM - System Checkpoint
    RP89: 9/25/2009 9:54:57 AM - System Checkpoint
    RP90: 9/26/2009 10:20:15 AM - System Checkpoint
    RP91: 9/28/2009 11:06:40 AM - System Checkpoint
    RP92: 9/29/2009 11:48:09 AM - System Checkpoint
    RP93: 10/1/2009 5:29:27 PM - System Checkpoint
    RP94: 10/6/2009 1:23:26 PM - System Checkpoint
    RP95: 10/8/2009 9:12:01 AM - System Checkpoint

    ==== Installed Programs ======================

    1300
    1300_Help
    1300Tour
    1300Trb
    Adobe Flash Player 10 ActiveX
    AiO_Scan
    AiOSoftware
    avast! Antivirus
    BufferChm
    Copy
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    Destinations
    Director
    DocProc
    DocumentViewer
    Fax
    HP Diagnostic Assistant
    HP Image Zone 4.2
    HP PSC & OfficeJet 4.2
    HP Software Update
    HP Unload DLL Patch
    HPSystemDiagnostics
    IncrediMail
    IncrediMail 2.0
    InstantShare
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft Office Professional Edition 2003
    Microsoft Web Publishing Wizard 1.52
    Nero PhotoShow Express
    Nero Suite
    NVIDIA Drivers
    Overland
    PhotoGallery
    Platform
    PrintMaster® Premier 8.0
    PrintScreen
    ProductContext
    QFolder
    QuickProjects
    Readme
    Scan
    Serif DrawPlus 3.0
    SkinsHP1
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    TrayApp
    Unload
    Update for Windows XP (KB931836)
    VIA Platform Device Manager
    WebFldrs XP
    WebReg

    ==== Event Viewer Messages From Past Week ========

    10/6/2009 3:21:27 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    10/6/2009 3:21:27 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\IncrediMail\bin\MFC80U.DLL. Reference error message: The operation completed successfully. .
    10/6/2009 3:21:27 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    10/6/2009 12:16:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Antivirus service to connect.
    10/6/2009 12:16:05 PM, error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/6/2009 12:15:43 PM, error: ACPI [5] - AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0xcf8), which lies in the 0xcf8 - 0xcff protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
    10/6/2009 12:15:43 PM, error: ACPI [4] - AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0xcfc), which lies in the 0xcf8 - 0xcff protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

    ==== End Of File ===========================
     
    BillB,
    #1
  2. 2009/10/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
    broni,
    #2


  3. to hide this advert.

  4. 2009/10/08
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Broni,

    Here are the logs you requested;

    ComboFix 09-10-07.05 - Judy 10/08/2009 19:02.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.511 [GMT -4:00]
    Running from: c:\documents and settings\Judy\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1356 [VPS 091008-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\11478.exe
    c:\windows\system32\15724.exe
    c:\windows\system32\18467.exe
    c:\windows\system32\19169.exe
    c:\windows\system32\24464.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\26962.exe
    c:\windows\system32\29358.exe
    c:\windows\system32\41.exe
    c:\windows\system32\5705.exe
    c:\windows\system32\6334.exe

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Kitty ate it :)
    .
    ((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
    .

    2009-10-08 21:48 . 2009-10-08 21:48 -------- d-----w- c:\program files\SpywareBlaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-08 21:49 . 2009-02-27 20:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-10-08 20:08 . 2009-02-27 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-08 17:02 . 2009-02-27 20:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-09-15 10:59 . 2009-02-27 20:51 1279968 ----a-w- c:\windows\system32\aswBoot.exe
    2009-09-15 10:56 . 2009-02-27 20:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-09-15 10:56 . 2009-02-27 20:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-09-15 10:55 . 2009-02-27 20:51 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-09-15 10:55 . 2009-02-27 20:51 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-09-15 10:54 . 2009-02-27 20:52 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-09-15 10:54 . 2009-02-27 20:52 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-09-15 10:53 . 2009-02-27 20:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-09-15 10:53 . 2009-02-27 20:52 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-09-10 18:54 . 2009-02-27 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 18:53 . 2009-02-27 20:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PhotoShow Deluxe Media Manager "= "c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "IncrediMail "= "c:\program files\IncrediMail\bin\IncMail.exe" [2009-06-26 271744]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "nwiz "= "nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMREMIND.EXE [2009-3-10 327680]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe "=
    "c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe "=
    "c:\\Program Files\\IncrediMail\\Bin\\ImpCnt.exe "=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/27/2009 4:51 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/27/2009 4:51 PM 20560]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mystart.incredimail.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-08 19:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-10-08 19:12
    ComboFix-quarantined-files.txt 2009-10-08 23:12

    Pre-Run: 13,072,846,848 bytes free
    Post-Run: 13,161,533,440 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    102


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:20:06 PM, on 10/8/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 4436 bytes
     
    BillB,
    #3
  5. 2009/10/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    ================================================================

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    nothing malicious to remove

    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    - O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    - O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    - O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    - O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    - O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe


    5. Click on Fix checked button.

    6. Restart computer.

    ==============================================================

    When done....


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    [SIZE= "4"]6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please, let me know, how is your computer doing.
     
    broni,
    #4
  6. 2009/10/09
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    The machine is doing much better now, even a little faster on boot. Thanks very much for the help. Now if I can just get her to keep the programs up to date and run periodic scans..
     
    BillB,
    #5
  7. 2009/10/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's a serious task....LOL
    Good luck :)
     
    broni,
    #6

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...