
Solved Vista help w/Bing zugo thing!

Discussion in 'Malware and Virus Removal Archive' started by Blue Star, 2010/03/26.

  1. 2010/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This is not good...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  2. 2010/03/29
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    ok.....
    Just got your instructions for Combofix.. Printed it out. I will log off here and concentrate on that procedure... will let you know asap...
    Thanks,

    Ari
     


  4. 2010/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)...
     
    Blue Star likes this.
  5. 2010/03/29
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    Combofix log... running HJT now...


    ComboFix 10-03-29.02 - Owner 03/30/2010 0:06.1.2 - x86
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.1917.1256 [GMT -4:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-130138720-939633000-316282223-500
    C:\install.exe
    c:\program files\INSTALL.LOG
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\basis.xml
    c:\program files\Search Toolbar\bg.bmp
    c:\program files\Search Toolbar\bing_logo.png
    c:\program files\Search Toolbar\celebrity.png
    c:\program files\Search Toolbar\drop_images.png
    c:\program files\Search Toolbar\drop_maps.png
    c:\program files\Search Toolbar\drop_news.png
    c:\program files\Search Toolbar\drop_videos.png
    c:\program files\Search Toolbar\drop_web.png
    c:\program files\Search Toolbar\facebook.png
    c:\program files\Search Toolbar\favicon.png
    c:\program files\Search Toolbar\games.png
    c:\program files\Search Toolbar\hotmail.png
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\images.png
    c:\program files\Search Toolbar\include.xml
    c:\program files\Search Toolbar\info.txt
    c:\program files\Search Toolbar\lifestyle.png
    c:\program files\Search Toolbar\maps.png
    c:\program files\Search Toolbar\messenger.png
    c:\program files\Search Toolbar\msn.png
    c:\program files\Search Toolbar\news.png
    c:\program files\Search Toolbar\SearchToolbar.dll
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\twitter.png
    c:\program files\Search Toolbar\uninstall.exe
    c:\program files\Search Toolbar\update.exe
    c:\program files\Search Toolbar\version.txt
    c:\program files\Search Toolbar\video.png
    c:\program files\Search Toolbar\videos.png
    c:\program files\Search Toolbar\weather.png
    c:\program files\Search Toolbar\web.png

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
    .

    2010-03-30 04:13 . 2010-03-30 04:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-03-28 17:02 . 2010-03-28 17:02 -------- d-----w- c:\program files\ESET
    2010-03-28 01:02 . 2010-03-28 01:02 -------- d-----w- c:\windows\BDOSCAN8
    2010-03-27 01:22 . 2010-03-27 01:22 -------- d-----w- C:\_OTL
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
    2010-03-26 19:52 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\programdata\Malwarebytes
    2010-03-26 19:52 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-25 14:12 . 2010-03-25 14:12 16384 ---ha-w- C:\SZKGFS.dat
    2010-03-25 14:10 . 2010-03-25 14:10 -------- d-----w- c:\programdata\SITEguard
    2010-03-25 14:08 . 2010-03-25 14:08 -------- d-----w- c:\program files\Common Files\iS3
    2010-03-25 14:08 . 2010-03-27 00:46 -------- d-----w- c:\programdata\STOPzilla!
    2010-03-10 02:37 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-10 02:37 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-10 02:37 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-26 23:59 . 2010-03-26 21:03 888 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-17 07:34 . 2009-11-18 18:20 -------- d-----w- c:\programdata\NOS
    2010-03-10 06:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-09 22:23 . 2009-11-18 20:26 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-03-04 06:45 . 2009-11-20 05:12 -------- d-----w- c:\program files\Google
    2010-03-02 14:46 . 2010-02-26 12:33 -------- d-----w- c:\program files\AutocompletePro
    2010-02-25 02:01 . 2010-02-25 02:01 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb3834.tmp.exe
    2010-02-25 00:22 . 2009-11-18 13:53 49168 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 14:16 . 2009-11-18 15:04 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 00:59 . 2010-02-23 00:59 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-22 14:13 . 2009-11-18 18:22 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    2010-01-25 12:00 . 2010-02-24 03:41 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-24 03:41 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-24 03:41 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-24 03:41 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-24 03:41 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-24 03:41 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-24 03:41 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-24 03:41 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-24 03:41 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:26 . 2010-02-24 03:41 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-06 15:39 . 2010-02-24 03:40 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38 . 2010-02-24 03:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 15:38 . 2010-02-24 03:40 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-02-24 03:40 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-06 15:38 . 2010-02-24 03:40 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-01-06 15:38 . 2010-02-24 03:40 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 13:30 . 2010-02-24 03:40 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-01-02 06:38 . 2010-01-22 15:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-22 15:55 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-22 15:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-22 15:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-18 149280]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):17,1b,e5,60,58,6c,ca,01

    R2 gupdate1ca69a01600bf40;Google Update Service (gupdate1ca69a01600bf40);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 133104]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 05:12]

    2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 05:12]

    2010-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2975667946-567017948-1869616947-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 05:27]

    2010-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2975667946-567017948-1869616947-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 05:27]

    2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{A1E0E7D0-0604-42BB-9493-4287CCC2E5E2}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://yahoo.com/
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-HijackThis - c:\users\Owner\Desktop\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-30 00:13
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2010-03-30 00:16:02
    ComboFix-quarantined-files.txt 2010-03-30 04:16

    Pre-Run: 180,551,856,128 bytes free
    Post-Run: 180,613,693,440 bytes free

    - - End Of File - - F9D349867CFC30C3752ADE864CB99FA2
     
  6. 2010/03/29
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    ...HJT log...Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:19:17 AM, on 3/30/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 3710 bytes
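A HijackThis log like the one above is a list of typed entries (R0/R1 browser settings, O1 hosts lines, O2 BHOs, O4 autostarts, O9/O16 IE extras, O23 services), and the analyst's "Do NOT attempt to fix anything" is there because most of them are legitimate. The block below is an added example written for this page, not HijackThis code or anything from the thread: it parses the R/F/O lines, pulls out the executable path and CLSID where present, and applies a few triage heuristics that are the example's own assumptions (an allow-list of expected home-page hosts, "lives in a user-writable location", "target is a drive-root file", hosts entries pointing anywhere but loopback names). The sample lines are copied from the log except the fourth, a constructed hosts-file redirect of a made-up .test hostname added to exercise the hosts check. The "ÿþ" in front of the first hosts line is real: bytes 0xFF 0xFE are the UTF-16LE byte-order mark, shown as Latin-1, so the hosts file had been saved as UTF-16 rather than plain text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the format of the HijackThis v2.0.2 log above. All but
# the fourth line are copied from it; the fourth (a hosts-file redirect of a
# made-up .test hostname) is invented to exercise the hosts check.
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.com/
O1 - Hosts: \u00ff\u00fe127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 update.example-av.test
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKCU\\..\\Run: [Google Update] "C:\\Users\\Owner\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\\Windows\\bdoscandel.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\\Program Files\\Google\\Update\\GoogleUpdate.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:exe|dll|sys|ocx|cpl|scr)', re.I)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Triage heuristics: assumptions made for this example, not HijackThis rules.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\",
                 "\\documents and settings\\")
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
HOMEPAGE_HOSTS = {"yahoo.com", "www.yahoo.com", "go.microsoft.com", "www.google.com"}
# 0xFF 0xFE is the UTF-16LE byte-order mark; read as Latin-1 it shows as "ÿþ".
BOM_GLYPHS = "\u00ff\u00fe\ufeff"


@dataclass
class HjtEntry:
    code: str
    body: str
    path: Optional[str]
    guid: Optional[str]
    findings: List[str] = field(default_factory=list)


def _check(e: HjtEntry) -> List[str]:
    f = []
    if e.code == "O1" and e.body.startswith("Hosts: "):
        line = e.body[len("Hosts: "):]
        if line and line[0] in BOM_GLYPHS:
            f.append("hosts-bom")           # file was saved as UTF-16, not ANSI/UTF-8
            line = line.lstrip(BOM_GLYPHS)
        parts = line.split()
        if len(parts) >= 2 and parts[1].lower() not in LOCALHOST_NAMES:
            f.append("hosts-redirect")      # any name other than loopback entries
        return f
    if "(no file)" in e.body:
        f.append("orphan")                  # registration whose target is gone
    if e.code in ("R0", "R1") and "=" in e.body:
        url = e.body.split("=", 1)[1].strip()
        if url and (urlparse(url).hostname or "") not in HOMEPAGE_HOSTS:
            f.append("browser-setting-unlisted-host")
    if e.path:
        low = e.path.lower()
        if any(s in low for s in USER_WRITABLE):
            f.append("user-writable-location")
        if re.fullmatch(r"[a-z]:\\[^\\]+", low):
            f.append("drive-root")
    return f


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the R/F/O lines of a HijackThis log into entries with triage findings."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        body = m.group("body")
        p, g = PATH_RE.search(body), GUID_RE.search(body)
        e = HjtEntry(m.group("code"), body, p.group(0) if p else None,
                     g.group(0) if g else None)
        e.findings = _check(e)
        entries.append(e)
    return entries


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.findings]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_HJT)):
        print(e.code, e.findings, e.path or e.body)
```

On the sample this flags three lines: the BOM-prefixed hosts line, the constructed hosts redirect, and the HKCU Run entry for GoogleUpdate.exe under AppData. The last one is the caveat worth remembering: Google Update genuinely installs per-user under AppData, so a "user-writable location" hit means "check the publisher and hash", not "remove"; a real triage pass would pair these heuristics with a list of known-good paths and signatures.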
     
  7. 2010/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Are you still getting that pop-up?


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\SZKGFS.dat
    
    
    Folder::
    c:\programdata\SITEguard
    c:\program files\Common Files\iS3
    c:\programdata\STOPzilla!
    c:\windows\system32\drivers\kgpcpy.cfg
    
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  8. 2010/03/30
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    Start... Run...

    Does that apply to Vista? I don't see it...sorry
     
  9. 2010/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Type notepad.exe in "Start search" and press Enter.
     
  10. 2010/03/30
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    Thanks for sticking with me Broni... here's the latest ComboFix....

    ComboFix 10-03-29.04 - Owner 03/30/2010 23:50:45.3.2 - x86
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.1917.1307 [GMT -4:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\Owner\Desktop\CFScript.txt
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "C:\SZKGFS.dat"
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
    .

    2010-03-31 03:57 . 2010-03-31 03:57 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-03-31 03:57 . 2010-03-31 03:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-03-30 17:42 . 2010-03-30 17:42 -------- d-----w- c:\program files\Common Files\Java
    2010-03-28 17:02 . 2010-03-28 17:02 -------- d-----w- c:\program files\ESET
    2010-03-28 01:02 . 2010-03-28 01:02 -------- d-----w- c:\windows\BDOSCAN8
    2010-03-27 01:22 . 2010-03-27 01:22 -------- d-----w- C:\_OTL
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
    2010-03-26 19:52 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\programdata\Malwarebytes
    2010-03-26 19:52 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-26 19:52 . 2010-03-26 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-10 02:37 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-10 02:37 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-10 02:37 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-26 23:59 . 2010-03-26 21:03 888 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-17 07:34 . 2009-11-18 18:20 -------- d-----w- c:\programdata\NOS
    2010-03-10 06:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-09 22:23 . 2009-11-18 20:26 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-03-04 06:45 . 2009-11-20 05:12 -------- d-----w- c:\program files\Google
    2010-03-02 14:46 . 2010-02-26 12:33 -------- d-----w- c:\program files\AutocompletePro
    2010-02-25 02:01 . 2010-02-25 02:01 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb3834.tmp.exe
    2010-02-25 00:22 . 2009-11-18 13:53 49168 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 14:16 . 2009-11-18 15:04 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 00:59 . 2010-02-23 00:59 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-22 14:13 . 2009-11-18 18:22 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    2010-01-25 12:00 . 2010-02-24 03:41 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-24 03:41 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-24 03:41 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-24 03:41 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-24 03:41 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-24 03:41 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-24 03:41 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-24 03:41 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-24 03:41 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:26 . 2010-02-24 03:41 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-06 15:39 . 2010-02-24 03:40 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38 . 2010-02-24 03:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 15:38 . 2010-02-24 03:40 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-02-24 03:40 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-06 15:38 . 2010-02-24 03:40 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-01-06 15:38 . 2010-02-24 03:40 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 13:30 . 2010-02-24 03:40 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-01-02 06:38 . 2010-01-22 15:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-22 15:55 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-22 15:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-22 15:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-03-31_03.00.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-11-02 13:04 . 2010-03-31 03:42 56632 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 13:04 . 2010-03-30 19:37 56632 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-11-18 13:52 . 2010-03-30 19:35 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-18 13:52 . 2010-03-31 03:42 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-03-27 06:27 . 2010-03-30 19:35 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-03-27 06:27 . 2010-03-31 03:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-18 13:52 . 2010-03-30 19:35 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-18 13:52 . 2010-03-31 03:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-18 13:54 . 2010-03-31 03:42 8080 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2975667946-567017948-1869616947-1000_UserData.bin
    + 2010-03-28 22:18 . 2010-03-31 03:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-03-28 22:18 . 2010-03-30 19:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-03-28 22:18 . 2010-03-30 19:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-03-28 22:18 . 2010-03-31 03:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 10:33 . 2010-03-31 03:46 595684 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-03-30 19:41 595684 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-03-30 19:41 101350 c:\windows\System32\perfc009.dat
    + 2006-11-02 10:33 . 2010-03-31 03:46 101350 c:\windows\System32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):17,1b,e5,60,58,6c,ca,01

    R2 gupdate1ca69a01600bf40;Google Update Service (gupdate1ca69a01600bf40);c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 133104]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 05:12]

    2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 05:12]

    2010-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2975667946-567017948-1869616947-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 05:27]

    2010-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2975667946-567017948-1869616947-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 05:27]

    2010-03-31 c:\windows\Tasks\User_Feed_Synchronization-{A1E0E7D0-0604-42BB-9493-4287CCC2E5E2}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://yahoo.com/
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-30 23:57
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2010-03-30 23:59:52
    ComboFix-quarantined-files.txt 2010-03-31 03:59
    ComboFix2.txt 2010-03-31 03:03
    ComboFix3.txt 2010-03-30 04:16

    Pre-Run: 181,318,176,768 bytes free
    Post-Run: 181,307,236,352 bytes free

    - - End Of File - - 4F510E3ACD2904BFBFD168764177C4BA


    HJT....
     
  11. 2010/03/30
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    HJT log....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:03:23 AM, on 3/31/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\Explorer.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 3528 bytes
     
  12. 2010/03/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Are you still getting that security pop-up?
     
  13. 2010/03/31
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    Did not get it today, but still freezing and crashing...
     
  14. 2010/03/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during the reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  15. 2010/04/01
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
  16. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok........
     
  17. 2010/04/01
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    The first Dr. Web scan produced a message which said HOST had been changed and did I want to restore HOST to default and I accepted the restore.


    Running full scan now.... looks like it will take a few hours.
     
  18. 2010/04/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  19. 2010/04/02
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    Have tried to run Dr.Web several times. The first scan goes ok... with nothing to report. The complete scan fails every time, but insists there are viruses present and then shuts down.
     
  20. 2010/04/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  21. 2010/04/05
    Blue Star

    Blue Star Well-Known Member Thread Starter

    Joined:
    2010/03/25
    Messages:
    454
    Likes Received:
    2
    hjt.... The error screen said it was denied write access to host files and I would need to fix this manually....

    hjt log....

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:28:01 PM, on 4/5/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    --
    End of file - 3582 bytes


    Kaspersky....


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, April 4, 2010
    Operating system: Microsoft Windows Vista Enterprise Edition, 32-bit Service Pack 2 (build 6002)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, April 03, 2010 19:07:59
    Records in database: 3913920
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 157287
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 02:14:05

    No threats found. Scanned area is clean.

    Selected area has been scanned.
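A small HijackThis log parser and differ, added here as an example (it is not a tool from this thread nor from the HijackThis authors); the two logs inside it are constructed excerpts in HJT's "code - body" line format, not copies of the logs above. It reports which R/O entries appeared or disappeared between two logs, and flags O1 hosts lines such as the `ÿþ127.0.0.1 localhost` line in the first HJT log above, where the leading 'ÿþ' is the bytes FF FE (a UTF-16 byte-order mark) displayed as ANSI text.

```python
import re

# Constructed excerpts in HijackThis v2.0.2 format, modelled on (not copied
# from) the two logs in this thread: one before and one after a cleanup.
LOG_BEFORE = """Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.com/
O1 - Hosts: \xff\xfe127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKCU\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe /c
"""
LOG_AFTER = """Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.com/
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 update.example.invalid
"""

# An HJT entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] path";
# header lines ("Logfile of ...", "Platform: ...") and process paths do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return the set of (code, body) entries found in one log."""
    entries = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def diff_hjt(old_text, new_text):
    """Entries that appeared in or disappeared from the newer log."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

def hosts_anomalies(text):
    """Flag O1 (hosts file) lines that are not plain localhost mappings.
    A leading 'ÿþ' is the bytes FF FE (a UTF-16 byte-order mark) shown as
    ANSI: the hosts file is not plain ANSI text and deserves a closer look."""
    found = []
    for code, body in parse_hjt(text):
        if code == "O1":
            mapping = body.split(":", 1)[1].strip()  # text after "Hosts:"
            if mapping.startswith(("\ufeff", "\xff\xfe")):
                found.append(("bom", mapping))
            elif mapping.split()[-1:] != ["localhost"]:
                found.append(("redirect", mapping))
    return sorted(found)
```

Running `diff_hjt` on two successive logs from the same machine shows what a cleanup tool actually removed (or what a new infection added) without reading both logs line by line.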
     
