Ron tool netupbanner infection, cont.

[twobsolo]

I was caught up in dead week and couldn't get back to my computer. I apologise. Here is the link to the original thread.

http://www.techsupportforum.com/secu...ml#post1839132

I ran combofix and attached the log file.

Thank you for your time and help,

David

ComboFix 08-12-05.01 - Owner 2008-12-05 12:05:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.791 [GMT -8:00]
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\gadcom
c:\documents and settings\Owner\Application Data\IUpd721
c:\documents and settings\Owner\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Owner\Application Data\NI.GSCNS
c:\documents and settings\Owner\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Owner\Application Data\NI.GSCNS\settings.ini
c:\windows\IA
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\TDSSmxoe.sys
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\MSVolume.dll
c:\windows\system32\r2
c:\windows\system32\TDSScfub.log
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSktpa.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.log
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\TDSSpaxt.dat
c:\windows\system32\TDSSpqxt.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\X5
c:\windows\Tasks\xrwwdsmq.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 14:06 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 14:06 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 14:04 . 2008-11-28 14:04 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 10:19 . 2008-11-28 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 10:10 . 2008-11-28 10:11 <DIR> d-------- C:\095656869fa05163197b
2008-11-24 18:48 . 2008-11-24 18:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 14:31 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:31 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 17:28 . 2008-11-28 10:47 <DIR> d-------- c:\program files\AdwarePro
2008-11-09 10:37 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-09 10:36 . 2008-04-13 17:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-09 10:36 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-09 10:36 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-06 22:31 . 2008-11-06 22:31 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-06 22:26 . 2008-11-09 12:12 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-06 22:26 . 2008-11-06 22:26 63,488 --a------ c:\windows\system32\rgv.xl
2008-11-06 22:26 . 2008-11-06 22:26 32,768 --a------ c:\windows\system32\fes.ra
2008-11-06 22:26 . 2008-11-06 22:26 32,768 --a------ c:\windows\system32\fe.sp
2008-11-06 22:26 . 2008-11-06 22:26 28,672 --a------ c:\windows\system32\def.help
2008-11-06 22:26 . 2008-11-06 22:26 28,672 --a------ c:\windows\system32\ceg.sdr
2008-11-06 22:26 . 2008-11-06 22:26 20,480 --a------ C:\pqggin.exe
2008-11-06 22:26 . 2008-11-06 22:26 7,680 --a------ C:\sydp.exe
2008-11-06 22:25 . 2008-11-06 22:25 <DIR> d-------- c:\windows\system32\vm
2008-11-06 22:25 . 2008-11-09 12:13 <DIR> d-------- c:\windows\system32\QI19
2008-11-06 22:25 . 2008-11-06 22:25 <DIR> d-------- c:\windows\system32\ert
2008-11-06 22:25 . 2008-11-06 22:26 <DIR> d-------- c:\windows\system32\bb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 22:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 18:54 --------- d-----w c:\program files\Google
2008-11-28 18:53 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2008-11-28 18:53 --------- d-----w c:\program files\Yahoo!
2008-11-28 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-28 18:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 18:52 --------- d-----w c:\program files\epson
2008-11-25 06:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-25 02:48 --------- d-----w c:\program files\Java
2008-11-09 20:58 --------- d-----w c:\program files\support.com
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 04:26 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-10-09 02:15 --------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2006-04-18 04:30 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2005-01-29 03:20 0 --sha-w c:\windows\SMINST\HPCD.sys
2007-07-02 23:13 5 --sha-w c:\windows\system32\cafbdbbee_s.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2005-01-28 172032]
Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2005-01-28 217088]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 15:18 135168 c:\program files\eMachines Bay Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Automatic LiveUpdate Scheduler"=2 (0x2)
"gusvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"PrismXL"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-01-28 12964]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2007-11-11 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2005-01-29 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 16:12]

2008-12-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-AdwareProMFCT - c:\program files\AdwarePro\AdwarePro.exe
Notify-MRI_DISABLED - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://webmail.peacehealth.org/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

- c:\windows\Downloaded Program Files\RhapX.inf
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vemimigj.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 12:09:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Wireless Device\Wireless Keyboard\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-05 12:10:33 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-12-05 20:10:30

Pre-Run: 143,545,372,672 bytes free
Post-Run: 143,465,824,256 bytes free

192 --- E O F --- 2008-11-28 18:11:18

[tetonbob]

OK, let's see if we can clear this up this time.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   http://www.techsupportforum.com/security-center/hijackthis-log-help/320537-ron-tool-netupbanner-infection-cont.html#post1840115
   
   Folder::
   c:\windows\system32\vm
   c:\windows\system32\QI19
   c:\windows\system32\ert
   c:\windows\system32\bb
   
   
   Collect::
   c:\windows\system32\rgv.xl
   c:\windows\system32\fes.ra
   c:\windows\system32\fe.sp
   c:\windows\system32\def.help
   c:\windows\system32\ceg.sdr
   C:\pqggin.exe
   C:\sydp.exe
   
   DirLook::
   C:\095656869fa05163197b
   
   FileLook::
   c:\windows\system32\dllcache\user32.dll
   
   
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
   
   Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------
   

[twobsolo]

I ran the script and attached the log.

ComboFix 08-12-05.01 - Owner 2008-12-08 10:50:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.729 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\CFix.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pqggin.exe
C:\sydp.exe
c:\windows\system32\bb
c:\windows\system32\ceg.sdr
c:\windows\system32\def.help
c:\windows\system32\ert
c:\windows\system32\ert\VEM8O23.exe
c:\windows\system32\fe.sp
c:\windows\system32\fes.ra
c:\windows\system32\QI19
c:\windows\system32\rgv.xl
c:\windows\system32\vm
c:\windows\system32\vm\ben2tali.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 14:06 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 14:06 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 14:04 . 2008-11-28 14:04 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 10:19 . 2008-11-28 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 10:10 . 2008-11-28 10:11 <DIR> d-------- C:\095656869fa05163197b
2008-11-24 18:48 . 2008-11-24 18:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 14:31 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:31 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 17:28 . 2008-11-28 10:47 <DIR> d-------- c:\program files\AdwarePro
2008-11-09 10:37 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-09 10:36 . 2008-04-13 17:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-09 10:36 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-09 10:36 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 22:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 18:54 --------- d-----w c:\program files\Google
2008-11-28 18:53 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2008-11-28 18:53 --------- d-----w c:\program files\Yahoo!
2008-11-28 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-28 18:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 18:52 --------- d-----w c:\program files\epson
2008-11-25 06:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-25 02:48 --------- d-----w c:\program files\Java
2008-11-09 20:58 --------- d-----w c:\program files\support.com
2008-11-07 06:31 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 04:26 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-10-09 02:15 --------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2006-04-18 04:30 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2005-01-29 03:20 0 --sha-w c:\windows\SMINST\HPCD.sys
2007-07-02 23:13 5 --sha-w c:\windows\system32\cafbdbbee_s.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\system32\dllcache\user32.dll ----
Company: Microsoft Corporation
File Description: Windows XP USER API Client DLL
File Version: 5.1.2600.5512 (xpsp.080413-2105)
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: user32
MD5: b26b135ff1b9f60c9388b4a7d16f600b

---- Directory of C:\095656869fa05163197b ----

2008-11-28 10:11 35 --a------ c:\095656869fa05163197b\update\update.log


((((((((((((((((((((((((((((( snapshot@2008-12-05_12.10.08.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 18:52:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2005-01-28 172032]
Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2005-01-28 217088]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 15:18 135168 c:\program files\eMachines Bay Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Automatic LiveUpdate Scheduler"=2 (0x2)
"gusvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"PrismXL"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-01-28 12964]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2007-11-11 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2005-01-29 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 16:12]

2008-12-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://webmail.peacehealth.org/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

- c:\windows\Downloaded Program Files\RhapX.inf
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vemimigj.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 10:53:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Wireless Device\Wireless Keyboard\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-08 10:54:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 18:54:36
ComboFix2.txt 2008-12-05 20:10:34

Pre-Run: 143,369,195,520 bytes free
Post-Run: 143,355,146,240 bytes free

179 --- E O F --- 2008-11-28 18:11:18

[tetonbob]

Hi, I don't see that this part took place:

Quote:

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

So...please do this next...

ComboFix has generated a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip

Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4, and include a link to this topic.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?

[twobsolo]

Posted the scan results and ran the Kaspersky scanner. The results are attached. The computer seems to be running fine, at least better than it was.

Thank you for your help,

David

[tetonbob]

Thanks for uploading the file.

The items by Kasperksky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[twobsolo]

Thank you for all your help.

David

[tetonbob]

You're quite welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.