
Win32.conflicker.c problem

Old 09-08-2009, 12:16 AM   #1
Registered Member
 
Join Date: Sep 2009
Posts: 8
OS: Windows 2003



Thank you in advance for any help that you are able to provide.

My computer has several things wrong with it; I think that I have some type of virus. First, there is a Security Center Alert which appears about every 10 minutes and reads:

"To help protect your computer, Windows Firewall has blocked some features of this program.

Do you want to block this suspicious software?

Name: Win32.Conflicker.C
Risk Level: High
Description: This worm exploits a known vulnerability (MS08-067) in the Windows service and can be commanded remotely by its authors."

There are then three buttons Keep Blocking, Unblock, and Enable Protection (the first two are greyed out and cannot be used).
At the bottom a statement reads "Windows Firewall has detected unauthorized activity, but unfortunately it cannot help you to remove viruses, keyloggers and other spyware threats that steal your personal information from your computer. Click to download and activate protection." The last sentence is a hyperlink.

This virus? also disables the Windows Firewall every time I restart the computer (I enable the firewall each time I restart). Additionally, the virus? makes it impossible for me to use Firefox or Internet Explorer. It tells me that there has been an unexpected error and I am redirected to a site that tries to coax me into buying some software called proof defender. My virus scanner (F-Secure) finds no viruses and I am not sure what to do. Please let me know if you need any more information. Thank you kindly for any assistance. I have attached all the files which your site has requested; unfortunately the rootkit software would not allow me to save the scan, so I copied the window to WordPad and then zipped it with attach.txt. Please let me know how I can save the file if this will not work. (I have had to save them on a memory stick and send them using another computer because my browsers don't work.)



DDS (Ver_09-07-30.01) - NTFSx86
Run by localuser at 23:55:31,14 on 07.09.2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1033.18.2038.1297 [GMT 2:00]

AV: F-Secure Anti-Virus 5.43 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\localuser\Application Data\Gmail\rygwz7313434.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\localuser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Universitetet i Oslo
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [cdoosoft] c:\windows\system32\olhrwef.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)" -"http://www.eadultgames.com/games/strip_poker/free_sexy_blonde_girl_tracy.html"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SwdisUsrPCN.riget267] "c:\tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "c:\swdis\wdusrpcn.envriget267"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [realtekc] "c:\documents and settings\localuser\application data\gmail\rygwz7313434.exe" 2
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {09CC26E4-F012-4FF0-A0A1-F21F8535EA85} - hxxps://tavle.uio.no/links/oes-tavle.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 TivoliAP

============= SERVICES / DRIVERS ===============

R2 BackWeb Client - 7681197;F-Secure BackWeb;c:\progra~1\f-secure\backweb\7681197\program\SERVIC~1.EXE [2006-7-10 16384]
R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [2007-5-22 10752]
R2 EPGService;EPGService;c:\progra~1\wintv\epg services\system\EPGService.exe [2008-7-18 436224]
R2 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\FSfilter.sys [2006-7-10 48720]
R2 F-Secure Gatekeeper Handler Starter;F-Secure Gatekeeper Handler Starter;c:\program files\f-secure\anti-virus\fsgk32st.exe [2006-7-10 45056]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\win2k\fsgk.sys [2006-7-10 42672]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\FSrec.sys [2006-7-10 16048]
R2 FSpm;F-Secure Policy Manager;c:\program files\f-secure\common\FSpm.sys [2006-7-10 65328]
R2 lcfd;Tivoli Endpoint;c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [2006-8-8 167936]
R3 F-Secure Network Request Broker;F-Secure Network Request Broker;c:\program files\f-secure\common\FNRB32.exe [2006-7-10 110668]
S2 FSAA;F-Secure Authentication Agent;c:\program files\f-secure\common\fsaa.exe [2006-7-10 225280]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys --> c:\windows\system32\drivers\cdaudio.sys [?]
S3 F-Secure BackWeb LAN Access;F-Secure BackWeb LAN Access;c:\program files\f-secure\backweb\7681197\program\fsbwlan.exe [2006-7-10 39936]
S3 hcw66xxx;WinTV HVR-900H;c:\windows\system32\drivers\hcw66xxx.sys [2008-7-18 418304]

=============== Created Last 30 ================

2009-09-07 23:55 103,184 ---shr-- C:\9dlvtiil.exe
2009-09-07 23:55 63 ---shr-- C:\autorun.inf
2009-09-07 23:54 103,184 ---shr-- c:\windows\system32\olhrwef.exe
2009-09-07 23:54 88,064 ---shr-- c:\windows\system32\nmdfgds0.dll
2009-09-07 18:56 <DIR> --d----- c:\program files\trend micro
2009-09-06 23:39 4,958,032 a------- c:\docume~1\localu~1\applic~1\pdinstall.exe
2009-09-06 22:58 43,180 a------- c:\windows\system32\drivers\svchost.exe
2009-09-06 22:58 <DIR> --d----- c:\docume~1\localu~1\applic~1\Gmail
2009-08-30 01:46 <DIR> --d----- c:\docume~1\localu~1\applic~1\StreamTorrent
2009-08-21 17:49 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-21 08:35 <DIR> --d----- C:\0fdd1523aec5c393c5d3ad9ab7c36389
2009-08-20 08:01 <DIR> --d----- C:\610187485c14773d6bb2
2009-08-20 08:01 <DIR> --d----- C:\516f78aa11a0780608c1
2009-08-11 20:10 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 20:10 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 19:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 10:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 10:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 10:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 10:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 10:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 10:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 16:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 14:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 14:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 16:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 08:14 132,096 a------- c:\windows\system32\wkssvc.dll
2008-04-25 16:45 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 23:56:19,14 ===============
Attached Files
File Type: zip attach.zip (3.6 KB, 12 views)

__________________
adrobert
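A helper reading a DDS log like the one above looks at where each running image lives, not just at its name: an svchost.exe under system32\drivers, or an executable launched from Application Data, is what stands out in this post. The Python script below is an added example, not code from the thread, from DDS or from any forum helper; it automates that check over a constructed excerpt of the posted "Running Processes" section. The allowlist of expected directories and the list of user-writable path hints are this example's own assumptions, not DDS output.

```python
"""Triage the "Running Processes" section of a DDS log.

Added example; not code from the thread, from DDS or from any forum helper. It
flags process images that a genuine Windows system binary would never run from,
the way a helper eyeballs such a log. SAMPLE_DDS is a constructed excerpt of the
log posted above; the allowlist and the path hints are this example's assumptions.
"""

# Constructed excerpt of the posted DDS log (a few lines only).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\localuser\Application Data\Gmail\rygwz7313434.exe
C:\WINDOWS\system32\ctfmon.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\WINDOWS\explorer.exe

============== Pseudo HJT Report ===============
"""

# Assumption: system binaries that should only run from these directories
# (lower-cased, no trailing backslash). Illustrative, not exhaustive.
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Assumption: an executable running from one of these profile locations is worth a look.
USER_WRITABLE_HINTS = ("\\application data\\", "\\local settings\\temp\\")


def image_path(cmdline):
    """Strip surrounding quotes and trailing arguments (e.g. '-k netsvcs') from a process line."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline.strip('"')
    return cmdline.split(" -", 1)[0].strip()


def extract_running_processes(log_text):
    """Return the image paths listed between the 'Running Processes' banner and the next banner."""
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("=====") and "Running Processes" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break
        if in_section and line:
            paths.append(image_path(line))
    return paths


def split_path(path):
    """Return (directory, basename), lower-cased; an extension-less image is treated as .exe."""
    norm = path.lower().replace("/", "\\")
    directory, _, name = norm.rpartition("\\")
    if "." not in name:
        name += ".exe"
    return directory, name


def triage(log_text):
    """Return [(path, reason)] for every process image that breaks one of the rules above."""
    findings = []
    for path in extract_running_processes(log_text):
        directory, name = split_path(path)
        if not directory:
            continue  # DDS printed only a name (a bare 'svchost.exe'); nothing to judge
        expected = SYSTEM_BINARIES.get(name)
        if expected is not None and directory not in expected:
            findings.append((path, "%s running outside %s" % (name, ", ".join(sorted(expected)))))
        elif any(hint in directory + "\\" for hint in USER_WRITABLE_HINTS):
            findings.append((path, "executable running from a user-writable profile directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_DDS):
        print("SUSPECT %-75s %s" % (path, reason))
```

Run on the excerpt, the script reports exactly the two images the helper later asks about: the randomly named executable in the Gmail folder under Application Data and the svchost.exe under system32\drivers. A bare name with no path (DDS prints some service hosts that way) is skipped rather than flagged, since there is nothing to judge.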
Old 09-08-2009, 07:07 AM   #2
TSF Enthusiast
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,477
OS: Vista, Linux Mint



Hi.

Since you're working on another computer to post your logs, please read the instructions before you proceed. Download the necessary files as stated in the fixes. You may use a flash drive to transfer the files. We will try to restore your internet connection after this fix.

--------------------------------------------------------------------------
Download ComboFix from one of these locations:

Link 1
Link 2


With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • At the next prompt, click Yes.


    Do not proceed if the Recovery installation failed.

  • Please post back C:\Combofix.txt.

Please post it in your next reply.

__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi
Old 09-08-2009, 01:07 PM   #3
Registered Member
 
Join Date: Sep 2009
Posts: 8
OS: Windows 2003



Hi,

Thank you very much for your quick reply.

I have attached the combofix.txt file which was generated after the combofix tool finished. The computer restarted in the middle of running the program (which I think was supposed to happen). My virus scanner was turned on when my computer was restarted. I turned it off quickly after restarting. I still get the same message which pops up; however, my firewall was not disabled this time. Please let me know what I should do next and if you need any other information. Thank you again.
Attached Files
File Type: txt combofix.txt (38.9 KB, 7 views)
__________________
adrobert
Old 09-08-2009, 09:06 PM   #4
TSF Enthusiast
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,477
OS: Vista, Linux Mint



Hi.

Does this computer belong to your company or university? Let me know.

Please connect your computer to the internet. We need to submit some samples.


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/412089-win32-conflicker-c-problem.html#post2333512

COLLECT::
c:\documents and settings\localuser\Application Data\Gmail\rygwz7313434.exe
DIRLOOK::
C:\0fdd1523aec5c393c5d3ad9ab7c36389
C:\610187485c14773d6bb2
C:\516f78aa11a0780608c1
REGLOCK::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


**Note**

When CF finishes running, it pops out with the CF log and this message box:



Clicking OK will begin the auto-upload of the zipped file.




-----------

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file.
------------------------------------------------------------------------

Please uninstall the following, using the Windows Add/Remove Programs applet in the Control Panel.

Security application
Norton Security Scan


Outdated java runtimes: (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system)

Java(TM) 6 Update 5
Java(TM) 6 Update 7


Your Java is out of date.

Java(TM) 6 Update 13 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

------------------------------------------------------------------------

Run ESET Online Scan

*Close any open programs
*Turn off the real-time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

========================================================
*note
Ensure your AntiVirus and AntiSpyware applications are re-enabled.



In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions


Mark
__________________
mas_pogi
Old 09-09-2009, 01:16 AM   #5
Registered Member
 
Join Date: Sep 2009
Posts: 8
OS: Windows 2003



Hi again,

Thank you very much for your help and speedy reply.
I have attached the combofix.txt file which you requested, and below is the ESET scan result. The ESET scan found 18 threats (which I have not attempted to remove; I will wait for your help with this). I think you will be able to find the threats in the report below.
My computer appears to be operating normally and I can use my internet browser. This computer belongs to the university where I am currently employed.

Thank you again.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=a386c37e573dda448ac7beff07a39346
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-09 07:18:08
# local_time=2009-09-09 09:18:08 (+0100, W. Europe Daylight Time)
# country="Norway"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2305 21 71 23 999641396939426
# scanned=4333
# found=0
# cleaned=0
# scan_time=140
esets_scanner_update returned -1 esets_gle=53251
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=a386c37e573dda448ac7beff07a39346
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-09 08:05:07
# local_time=2009-09-09 10:05:07 (+0100, W. Europe Daylight Time)
# country="Norway"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2305 21 71 23 999669589510016
# scanned=68214
# found=18
# cleaned=0
# scan_time=2726
C:\Documents and Settings\localuser\Application Data\pdinstall.exe a variant of Win32/Adware.PerfectDefender.G application 00000000000000000000000000000000 I
C:\Documents and Settings\localuser\Application Data\Gmail\Shell32.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2009-09-09_08.24.17.zip a variant of Win32/TrojanDownloader.FakeAlert.AFJ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\9dlvtiil.exe.vir Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\autorun.inf.vir INF/Autorun virus 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nmdfgds0.dll.vir Win32/PSW.OnLineGames.NMP trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\olhrwef.exe.vir Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir a variant of Win32/Kryptik.AHK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0000007.sys Win32/PSW.OnLineGames.OKW trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0001006.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002006.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002007.dll Win32/PSW.OnLineGames.NMP trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002010.exe Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002011.inf INF/Autorun virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002120.exe a variant of Win32/Kryptik.AHK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002121.exe Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002139.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002212.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
Attached Files
File Type: txt ComboFix.txt (52.0 KB, 10 views)
__________________
adrobert
Old 09-09-2009, 04:55 AM   #6
TSF Enthusiast
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,477
OS: Vista, Linux Mint



Hi.



Quote:
My computer appears to be operating normally and I can use my internet browser
Good.

ESET found malicious files in Qoobox. Qoobox is our tool's quarantine folder,
so don't worry about it. It will get deleted when we uninstall ComboFix. Those found in System Restore will be purged when ComboFix is uninstalled too.

I need you to submit the other files that were found. Please continue with the instructions below.
--------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/412089-win32-conflicker-c-problem.html#post2334403

COLLECT::
C:\Documents and Settings\localuser\Application Data\Gmail\Shell32.dll
C:\Documents and Settings\localuser\Application Data\pdinstall.exe
FILE::
c:\windows\Tasks\At2.job
c:\etc\daily\start-daily.bat
REGISTRY::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
DIRLOOK::
C:\Documents and Settings\localuser\Application Data\Gmail
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, it pops out with the CF log and this message box:



Clicking OK will begin the auto-upload of the zipped file.




-----------

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file.

*note
Ensure your AntiVirus and AntiSpyware applications are re-enabled.


Mark
__________________
mas_pogi
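The reply above draws a distinction that is easy to miss when a scan reports 18 hits: files inside ComboFix's Qoobox quarantine and inside System Restore points are already contained and disappear when ComboFix is uninstalled, so only findings on the live file system still need attention (here, the two files the helper asks to COLLECT). The Python script below is an added example, not code from the thread or from ESET; it parses a constructed excerpt of the ESET Online Scanner result posted earlier in the thread and sorts each finding by location. The result-line format it assumes (path, detection name, kind, 32-character hash, flag) is read off the posted log; the location rules are this example's own assumptions.

```python
"""Sort ESET Online Scanner findings by where the detected file lives.

Added example; not code from the thread or from ESET. It encodes the helper's
reasoning: hits inside ComboFix's Qoobox quarantine or inside System Restore
points are already contained, so only findings on the live file system still
need to be submitted. SAMPLE_ESET_LOG is a constructed excerpt of the scan
result posted in the thread; the location rules are this example's assumptions.
"""
import re

SAMPLE_ESET_LOG = r"""# version=6
# end=finished
# remove_checked=false
# scanned=68214
# found=18
# cleaned=0
C:\Documents and Settings\localuser\Application Data\pdinstall.exe a variant of Win32/Adware.PerfectDefender.G application 00000000000000000000000000000000 I
C:\Documents and Settings\localuser\Application Data\Gmail\Shell32.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2009-09-09_08.24.17.zip a variant of Win32/TrojanDownloader.FakeAlert.AFJ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\9dlvtiil.exe.vir Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\autorun.inf.vir INF/Autorun virus 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nmdfgds0.dll.vir Win32/PSW.OnLineGames.NMP trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\olhrwef.exe.vir Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir a variant of Win32/Kryptik.AHK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0000007.sys Win32/PSW.OnLineGames.OKW trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0001006.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002006.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002007.dll Win32/PSW.OnLineGames.NMP trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002010.exe Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002011.inf INF/Autorun virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002120.exe a variant of Win32/Kryptik.AHK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002121.exe Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002139.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP1\A0002212.dll a variant of Win32/TrojanDownloader.FakeAlert.AHB trojan 00000000000000000000000000000000 I
"""

# One result line: <path> <detection name> <kind> <32 hex chars> <flag>.
# The path may contain spaces, so it is matched lazily up to the detection name,
# which always carries a '/' (Win32/..., INF/...) and may be prefixed 'a variant of'.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<name>(?:a variant of )?\S+/\S+)\s+"
    r"(?P<kind>\S+)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)


def classify_location(path):
    """Assumed rules: ComboFix quarantine, System Restore point, or the live file system."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_eset_log(text):
    """Return {'found': <count from the header>, 'detections': [...]} for one scan log."""
    report = {"found": None, "detections": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# found="):
            report["found"] = int(line.split("=", 1)[1])
            continue
        m = DETECTION_RE.match(line)
        if m:
            report["detections"].append({
                "path": m.group("path"),
                "name": m.group("name"),
                "kind": m.group("kind"),
                "location": classify_location(m.group("path")),
            })
    return report


def summarize(report):
    """Count findings per location and check the count against the '# found=' header."""
    counts = {"live": 0, "quarantine": 0, "restore_point": 0}
    for d in report["detections"]:
        counts[d["location"]] += 1
    counts["consistent"] = report["found"] == len(report["detections"])
    return counts


def files_to_submit(report):
    """Only live-file-system hits are still present and worth submitting as samples."""
    return [d["path"] for d in report["detections"] if d["location"] == "live"]


if __name__ == "__main__":
    rep = parse_eset_log(SAMPLE_ESET_LOG)
    print(summarize(rep))
    for path in files_to_submit(rep):
        print("submit:", path)
```

On the posted log this yields 2 live, 6 quarantined and 10 restore-point findings, which adds up to the 18 in the header, and the two live paths are exactly the ones named under COLLECT:: in the reply above. The consistency check matters in practice: a log whose parsed line count does not match its `# found=` header has usually been truncated or mangled when pasted.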
Old 09-09-2009, 02:12 PM   #7
Registered Member
 
Join Date: Sep 2009
Posts: 8
OS: Windows 2003



Hi Mark,

I submitted the file to Bleeping Computer. Attached is the combofix.txt file that you requested. Let me know what to do next.

Thank you again for the help
Attached Files
File Type: txt ComboFix.txt (42.2 KB, 4 views)
__________________
adrobert
Old 09-09-2009, 03:49 PM   #8
TSF Enthusiast
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,477
OS: Vista, Linux Mint



Hi.

Good.

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this one in the runbox. Then HIT enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Resets clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan hosts file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, and the paid versions provide a resident scanner and do not nag.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Don't forget to enable all your security applications.
Please respond to this thread one more time so we can mark this thread as resolved.
mas_pogi

Old 09-10-2009, 12:15 PM   #9
adrobert (Registered Member; Join Date: Sep 2009; Posts: 8; OS: Windows 2003)

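Editor's added example (not part of the thread, and not the MVPs or HostMan tooling mentioned above): recommendation 2 installs a blocklist-style hosts file, and rogue "antivirus" software of the kind described in this thread commonly edits the same file to cut the victim off from security vendors and Windows Update. The Python below parses a Windows hosts file the way the resolver reads it (first field an IP address, then one or more names, `#` comments) and sorts entries into normal sinkhole blocks, hijacks of watched security/update sites, and other redirects worth a look. `HOSTS_PATH`, the `WATCHED_HOSTS` list and the `SAMPLE_HOSTS` text are constructed for this example.

```python
"""Audit a Windows hosts file: blocklist entries vs. entries that hijack
security/update sites.  Added example; sample data below is constructed."""
import os
import ipaddress
from typing import Dict, List, NamedTuple

# Standard location of the Windows hosts file.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Targets a blocklist (MVPs-style) hosts file maps unwanted names to.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that should never appear in a hosts file at all: rogue "antivirus"
# software adds such lines so the victim cannot reach help or updates.
# Constructed watch list for this example; extend it for your environment.
WATCHED_HOSTS = {
    "www.bleepingcomputer.com",
    "update.microsoft.com",
    "www.f-secure.com",
}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one entry per (address, hostname) pair, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address = fields[0]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                            # malformed line, ignore
        for name in fields[1:]:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[HostsEntry]]:
    """Bucket entries as 'hijacked' (any mapping of a watched site, whatever
    the target address), 'blocked' (sinkholed, the normal blocklist form)
    or 'other' (a real redirect, worth a second look)."""
    result: Dict[str, List[HostsEntry]] = {"blocked": [], "hijacked": [], "other": []}
    for entry in parse_hosts(text):
        if entry.hostname in WATCHED_HOSTS:
            result["hijacked"].append(entry)
        elif entry.address in SINKHOLE_ADDRESSES:
            result["blocked"].append(entry)
        else:
            result["other"].append(entry)
    return result


# Constructed sample; 203.0.113.7 is from the TEST-NET-3 documentation range.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1 localhost
# MVPs-style blocking entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # trailing comment
# lines of the kind a rogue "antivirus" adds
203.0.113.7 www.bleepingcomputer.com
127.0.0.1 update.microsoft.com
malformed line without address
"""


def report(text: str) -> str:
    """Human-readable summary of audit_hosts(text)."""
    buckets = audit_hosts(text)
    lines = [f"{len(buckets['blocked'])} blocklist entries, "
             f"{len(buckets['hijacked'])} hijacked, {len(buckets['other'])} other"]
    for entry in buckets["hijacked"]:
        lines.append(f"  HIJACKED line {entry.line_no}: {entry.hostname} -> {entry.address}")
    for entry in buckets["other"]:
        lines.append(f"  CHECK    line {entry.line_no}: {entry.hostname} -> {entry.address}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Audit the real file when run on Windows, otherwise the constructed sample.
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_HOSTS))
```

A watched site mapped to 127.0.0.1 is reported as hijacked rather than blocked on purpose: a blocklist never sinkholes a vendor's update host, so any entry for such a name, whatever its target, is something the machine's owner did not add.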
Hi Mark,

Thank you for all the help. I uninstalled combofix and deleted dds.scr. I then ran my virus scan and it found a virus called win32.KMG. F-secure told me that it could not remove this virus. Do you have any suggestions about how to remove this virus? Thanks again and please let me know if you can help me remove this other virus.
adrobert

Old 09-10-2009, 04:02 PM   #10
mas_pogi (TSF Enthusiast; Join Date: Apr 2008; Location: Manila, PH; Posts: 1,477; OS: Vista, Linux Mint)

hi.

Can you be more specific? What file is it?

Mark
mas_pogi

Old 09-11-2009, 08:56 AM   #11
adrobert (Registered Member; Join Date: Sep 2009; Posts: 8; OS: Windows 2003)

Hi again,

The file is located in the directory below. I think that it may be left over from some of the other stuff that was installed.

C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe Infection: Win32.KME

Can this just be deleted?

Thanks again for the help.
adrobert

Old 09-11-2009, 09:23 AM   #12
mas_pogi (TSF Enthusiast; Join Date: Apr 2008; Location: Manila, PH; Posts: 1,477; OS: Vista, Linux Mint)

hi.

That was a false positive.

You can just uninstall it through Add/Remove Programs in the Control Panel:

ESET online scanner v3

After that, delete this folder if it still exists:

C:\Program Files\ESET

Mark
mas_pogi

Old 09-11-2009, 12:01 PM   #13
adrobert (Registered Member; Join Date: Sep 2009; Posts: 8; OS: Windows 2003)

Hi Mark,

I tried to uninstall ESET Online Scanner; however, my computer told me that it had already been uninstalled. I then deleted the folder C:\Program Files\ESET. Unfortunately, F-Secure found the file at the following location:

C:\System Volume Information\_restore{0C33177E-BB45-414D-AEF6-0F2CE9546E04}\RP2\A0000030.exe Infection: Win32.KME

F-secure cannot disinfect this "virus" but I can ask F-secure to delete this virus. Should I try that? or is there a better way.

Thanks again for the assistance.
adrobert

Old 09-11-2009, 06:31 PM   #14
mas_pogi (TSF Enthusiast; Join Date: Apr 2008; Location: Manila, PH; Posts: 1,477; OS: Vista, Linux Mint)

hi.

Yes, you can delete it. The one that F-Secure is seeing is the ESET file that was flagged before, which was saved in your System Restore point.

Mark
mas_pogi

Old 09-12-2009, 06:16 AM   #15
adrobert (Registered Member; Join Date: Sep 2009; Posts: 8; OS: Windows 2003)

Hi Mark,

I deleted the file and F-secure did not find any viruses. My computer appears to be working normally. Thank you very much for all the help.
adrobert

Old 09-12-2009, 08:43 AM   #16
mas_pogi (TSF Enthusiast; Join Date: Apr 2008; Location: Manila, PH; Posts: 1,477; OS: Vista, Linux Mint)

hi.

Good to hear that.

Surf safely.

Mark

mas_pogi
Copyright 2001 - 2014, Tech Support Forum
