Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Spyware/Malware in my system..Please help me to remove.
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 03-26-2009, 08:12 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Spyware/Malware in my system..Please help me to remove.
Hi
My system is running slow..lots of ads are poping up while browsing.I dont have admin rights on administrator login. spybot or any spy removal softwares are not starting. antivirus is not downloading any new updates.
Here is my DDS log.
please help me ..



DDS (Ver_09-02-01.01) - NTFSx86
Run by MeeluSchool at 20:43:01.76 on Thu 03/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.84 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\syrtem32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\rystem32\acs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\lcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Progral Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXD
C:\WINDOWS\system32\winver.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\CAM Development\CAM UnZip\cuz.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\MeeluSchool\Desktop\dds\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6172\SiteAdv.dll
BHO: {2beb2fb1-8910-44ef-a584-8a9a7ffb0241} - No File
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: DriveLetterAccess: {5ca3d70e,1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {762f914d-cb99-7148-42d4-da64e010f4e5}: {5e4f010e-46ad-4d24-8417-99bcd419f267} - c:\windows\system32\lwmiqt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progral files\mcafee\virusscan\scriptsn.dll
BHO: {8a8e7699-dfef-4e47-8673-f4701765cbb4} - c:\windows\system32\rugakeju.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\_helper.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisnr\6172\SiteAdv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: Zdagugosaze] Rundll32.exe "c:\windows\system32\riyudegi.dll",s
mRun: [CPM6359ad97] Rundll32.exe "c:\windows\system32\rilalelu.dll",a
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TrayComm] TrayComm.exe
mRun: [TPSMain] TPSMain.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TFncKy] TFncKy.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PadTouch] c:\program files\toshiba\touch and launch\P`dExe.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRtn: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Cobian Backup 9 interface] "c:\program files\cobian backup 9\cbInterface.exe" -service
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [606a9e0b] rundll32.exe "c:\windows\system32\deyaluhu.dll",b
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
ID: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp:/.download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Filter: text/html - {7f3cf8bc,9b12-4c28-bbd6-0e2233b0105b} - c:\windows\system32\mst122.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6172\SiteAdv.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\petolahu.dll lwmiqt.dll c:\windows\system32\rilalelu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rilalelu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\rilalelu.dll
SecurityProviders: msapsspc.dll, sbhannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
LSA: Notification Packages = scecli c:\windows\system32\petolahu.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 213640]
R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-10-30 11264]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-11-4 126976]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-21 358224]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-3-21 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-21 79304]
R3 mfebopk;LcAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-21 35240]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe --> c:\progra~1\mcafee.com\agent\mcupdmgr.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;b:\windows\system32\drivers\mferkdk.sys [2009-3-21 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-21 40488]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-21 695624]

=============== Created Last 30 ================

2009-03-25 20:12 <DIR> --d----- c:\program files\Cobian Backup 9
2009-03-22 14:45 <DIR> --d----- c:\program files\HeavenWard
2009-03-22 09:02 <DIR> --d----- c:\windows\pss
2009-03-22 08:58 1,789,376 ---sh--- c:\windows\system32\uhulayed.ini
2009-03-22 08:58 122,880 a--sh--- c:\windows\system32\lwmiqt.dll
2009-03-21 15:46 7,931 a------- c:\windows\syrtem32\Config.MPF
2009-03-21 15:43 <DIR> --d----- c:\program files\SiteAdvisor
2009-03-21 15:43 <DIR> --d----- c:\docume~1\meelus~1\applic~1\SiteAdvisor
2009-03-21 15:42 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-21 15:39 40,488 a-------c:\windows\system32\drivers\mfesmfk.sys
2009-03-21 15:39 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-21 15:39 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-21 15:39 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-21 15:38 <DIR> --d----- c:\program files\common files\McAfee
2009-03-21 15:38 <DIR> --d----- c:\program files\McAfee
2009-03-21 14:54 122,880 a--sh--- c:\windows\system32\bxxdei.dll
2009-03-21 14:54 10,240 a------- c:\windows\instsp2.exe
2009-03-21 14:40 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 14:05 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-21 14:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-20 08:32 <DIR> --d----- c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-03-20 08:20 1,789,376 ---sh--- c:\windows\system32\etemitav.ini
2009-03-20 08:18 2,098 ---sh--- c:\windows\system32\feyimupa.dll
2009-03-20 08:18 122,880 a--sh--- c:\windows\system32\jdpald.dll
2009-03-20 08:15 80,896 -------- c:\windows\system32\vatimete.dll
2009-03-19 08:56 1,798,744 ---sh--- c:\windows\system32\arigijah.ini
2009-03-19 08:56 122,880 a--sh--- c:\windows\system32\mmtfuu.dll
2009-03-18 12:57 2 a------- c:\windows\msoffice.ini
2009-03-18 11:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-18 11:52 <DIR> --d----- c:\program files\common files\supportsoft
2009-03-18 07:57 1,798,734 ---sh--- c:\windows\system32\inezejes.ini
2009-03-18 07:46 123,382 a--sh--- c:\windows\system32\ahqjae.dll
2009-03-17 09:28 1,719,422 ---sh--- c:\windows\system32\ejolonun.ini
2009-03-17 08:30 80,896 a------- c:\windows\system32\nunoloje.dll
2009-03-17 08:27 122,880 a------- c:\windows\system32\feyuau.dll
2009-03-16 08:26 2,098 ---sh--- c:\windows\system32\baborefe.dll
2009-03-17 08:20 122,880 a------- c:\windows\system32\ligijowe.dll
2009-03-17 08:20 86,016 a------- c:\windows\system32\wotupogo.dll
2009-03-16 13:42 1,719,124 ---sh--- c:\windows\system32\uweyarow.ini
2009-03-16 13:39 122,880 a--sh--- c:\windows\system32\uldqpw.dll
2009-03-15 22:19 55,808 a------- c:\windows\system32\mcenspc.dll
2009-03-10 06:35 33,280 a------- c:\windows\svcho.exe
2009-03-10 06:35 33,280 a------- c:\windows\syssvc.exe
2009-03,09 18:45 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-08 18:37 9,728 a------- c:\windows\system32\iehelper.dll
2009-03-08 18:27 308,752 a------- c:\windows\sysguard.exe
2009-03-08 18:27 <DIR> --dsh--- c:\windows\system32\lowsec
2009-02-28 16:48<DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-03-22 08:58 80,896 a--sh--- c:\windows\system32\deyaluhu.dll
2009-03-22 08:58 86,016 a------- c:\windows\system32\rilalelu.dll
2009-03-22 08:58 122,880 a,-sh--- c:\windows\system32\zakupuju.dll
2009-03-21 14:54 122,880 a--sh--- c:\windows\system32\vagazodi.dll
2009-03-21 14:54 86,016 a--sh--- c:\windows\system32\yuweveyo.dll
2009-03-21 14:54 80,896 a--sh--- c:\windows\system32\wigudozi.dll
2009-03-20 08:18 122,880 a--sh--- c:\windows\system32\fijiveni.dll
2009-03-20 08:18 86,016 a--sh--- c:\windows\system32\gasowihu.dll.vir
2009-03-19 08:56 86,016 a--sh--- c:\windows\system32\guzuyavu.dll
2009-03-19 08:56 122,880 a--sh--- c:\windows\system32\piwinala.dll
2009-03-19 08:56 80,896 a--sh--- c:\windows\system32\hajigira.dll
2009-03-18 07:46 123,392 a--sh--- c:\windows\system32\nanenipu.dll
2009-03-18 07:46 86,528 a--sh--- c:\windows\system32\pohuzowo.dll
2009-03-16 13:39 122,880 a--sh--- c:\windows\system32\tadeyike.dll
2009-03-16 13:39 86,016 a--sh--- c:\windows\system32\haseneza.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\petolahu.dll
0000-00-00 00:00 48,640 a--sh--- c:\windows\system32\rugakeju.dll

============= FINISH: 20:44:52.53 ===============
Attached Files
File Type: txt DDS.txt (13.2 KB, 2 views)
File Type: txt Attach.txt (15.1 KB, 3 views)
Last edited by joshynotts; 03-26-2009 at 08:14 PM. Reason: title
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 03-28-2009, 08:40 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Hello -

As indicated in our pre-posting topic, we also require a log from GMER Rootkit Scanner.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-28-2009, 01:49 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Re: Spyware/Malware in my system..Please help me to remove.
Here is the GMER log file..
After GMER scan i'm getting more security warnings like "The application or DLL C:\Windows\system32\mcenspc.dll is not avalid windows image".
Many times no task bar and desktop icons.

please let me know the steps..
Thanks!!
Attached Files
File Type: txt Gmer.txt (27.3 KB, 2 views)
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-28-2009, 02:36 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Ok, good work, let's get to it.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. If you have any doubts, STOP and ask first, please.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------
  1. Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3






    --------------------------------------------------------------------


    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combo-fix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-29-2009, 01:40 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Re: Spyware/Malware in my system..Please help me to remove.
Here is my combofix log..
ComboFix 09-03-28.06 - MeeluSchool 2009-03-29 14:09:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.0033.18.446.129 [GMT -5:00]
Running from: c:\documents and settings\MeeluSchool\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qlgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common\_helper.dll
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\svcho.exe
c:\windows\sysguard.exd
c:\windows\syssvc.exe
c:\windows\system32\ahqjae.dll
c:\windows\system32\arigijah.ini
c:\windows\system32\bxxdei.dll
c:\windows\system32\deyaluhu.dll
c:\windows\system32\drivers\UACswwapkil.sys
c:\windows\system32\ejolonun.ini
c:\windows\system32\etemitav.ini
c:\windows\system32\feyuau.dll
c:\windows\system32\fijiveni.dll
c:\windows\system32\gasowihu.dll.vir
c:\windows\system32\guzuyavu.dll
c:\windows\system32\hajigira.dll
c:\windows\system32\haseneza.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\inezejes.ini
c:\windows\system32\jdpald.dll
c:\windows\system32\ligijowe.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\systel32\lwmiqt.dll
c:\windows\system32\mcenspc.dll
c:\windows\system32\mmtfuu.dll
c:\windows\system32\nanenipu.dll
c:\windows\system32\nunoloje.dll
c:\windows\system32\petolahu.dll
c:\windows\system32\piwinala.dll
c:\windows\system32\pohuzowo.dll
c:\windows\system32\rilalelu.dll
c:\windows\system32\rugakeju.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\tadeyike.dll
c:\windows\system32\UACacftyxvk.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACllovmecu.dat
c:\windows\system32\TAClyaniqma.dll
c:\windows\system32\UACmepxgsjk.dll
c:\windows\system32\UACnricklfg.log
c:\windows\system32\UACtjnprpix.log
c:\windows\system32\UACtqlhtcbh.dll
c:\windows\system32\UACuimcakte.log
c:\windows\system32\uhulayed.ini
c:\windows\system32\tldqpw.dll
c:\windows\system32\uweyarow.ini
c:\windows\system32\vagazodi.dll
c:\windows\system32\vatimete.dll
c:\windows\system32\wigudozi.dll
c:\windows\system32\wotupogo.dll
c:\windows\system32\yuweveyo.dll
c:\windows\system32\zakupuju.dll

----, BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 13:48 . 2009-03-28 13:48 <DIR> d-------- c:\documents and settings\JeenuSchool\Application Data\SiteAdvisor
2009-03-26 07:14 . 2009-03-29 14:06 <DIR> d-------- c:\windows\systel32\config\systemprofile\Application Data\SiteAdvisor
2009-03-25 20:12 . 2009-03-25 21:24 <DIR> d-------- c:\program files\Cobian Backup 9
2009-03-22 14:45 . 2009-03-22 14:45 <DIR> d-------- c:\program files\HeavenWard
2009-03-22 09:39 . 2005-11-04 22:24 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-22 09:39 . 2005-11-04 23:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-03-22 09:39 . 2005-11-04 22:39 <DIR> d----,--- c:\documents and settings\Administrator\Application Data\toshiba
2009-03-22 09:39 . 2005-11-04 23:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-03-22 09:39 . 2005-11-29 17:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2009-03-22 09:39 . 2009-03-18 12:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL
2009-03-22 09:39 . 2009-03-22 09:39 <DIR> d-------- c:\documents and settings\Administrator
2008-03-21 21:16 . 2009-03-22 08:58 <DIR> d-------- c:\documents and settings\Dad\Application Data\SiteAdvisor
2009-03-21 15:46 . 2009-03-29 14:29 8,059 --a------ c:\windows\system32\Config.MPF
2009-03-21 15:43 . 2009-03-21 17:37 <DIR> d-------- c:\program files\SiteAdvisor
2009-03-21 15:43 . 2009-03-26 07:14 <DIR> d-------- c:\documents and settings\MeeluSchool\Application Data\SiteAdvisor
2009-03-21 15:43 . 2009-03-22 08:58 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SiteAdvisnr
2009-03-21 15:43 . 2009-03-21 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-03-21 15:42 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-03-21 15:39 . 2007-07-13 06:20 113,952 --`------ c:\windows\system32\drivers\Mpfp.sys
2009-03-21 15:39 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-21 15:39 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-21 15:39 . 2006-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-21 15:38 . 2009-03-21 21:21 <DIR> d-------- c:\program files\McAfee
2009-03-21 15:38 . 2009-03-21 15:39 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-21 14:54 . 2009-03-21 14:54 10,240 --a------ c:\windows\instsp2.exe
2009-03-21 14:40 . 2009-01-09 12:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-21 14:05 . 2009-03-25 07:20 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-21 14:05 . 2009-03-25 07:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-20 08:32 . 2009-03-20 08:32 <DIR> d-------- c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-03-20 08:18 . 2009-03-20 08:18 2,098 ---hs---- c:\windows\system32\feyimupa.dll
2009-03-18 15:21 . 2009-03-18 15:21 <DIR> d-------- c:\documents and settings\JeenuSchool\Application Data\MSNInstaller
2009-03-18 12:57 . 2009-03-18 12:57 2 --a------ c:\windows\msoffice.ini
2009-03-18 11:55 . 2009-03-18 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-18 11:52 . 2009-03-18 11:59 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-03-18 11:51 . 2009-03-18 12:03 <DIR> d-,------ c:\documents and settings\Dad\Application Data\U3
2009-03-17 08:26 . 2009-03-17 08:26 2,098 ---hs---- c:\windows\system32\baborefe.dll
2009-03-10 09:48 . 2009-03-10 09:48 <DIR> d-------- c:\documents and settings\JeenuSchool\Application Data\Smith Micro
2009-03-09 18:45 . 2009-03-09 18:45 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-09 07:45 . 2009-03-21 15:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find2M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 19:31 1,240,401 ----a-w c:\windows\system32\drivers\RemoveAny.log
2009-03-29 19:11 --------- d-----w c:\program files\Common
2009-03-22 20:38 --------- d-----w c:\program filds\Google
2009-03-20 13:33 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-19 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-19 14:05 --------- d-----w c:\program filer\TOSHIBA
2009-03-19 13:19 --------- d-----w c:\program files\Unity
2009-03-18 20:30 --------- d-----w c:\documents and settings\JeenuSchool\Application Data\toshiba
2009-03-18 20:28 --------- d-----w c:\program files\Sonic
2009-03-18 20:21 --------- d,----w c:\program files\Canon
2009-03-18 20:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-18 19:17 --------- d-----w c:\prngram files\Yahoo!
2009-03-18 19:16 --------- d-----w c:\program files\Quicken
2009-03-18 18:02 --------- d-----w c:\program files\Pure Networks
2009-03-18 18:02 --------- d-----w c:\program files\Common Files\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\Mom\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\MeeluSchool\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\JeenuSchool\Application Data\AOL
2009-03-18 17:59 ,-------- d-----w c:\documents and settings\Ignite\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\Dad\Application Data\AOL
2009-03-10 03:36 --------- d-----w c:\program files\McAfee.com
2009-02-27 00:57 --------- d----,w c:\documents and settings\JeenuSchool\Application Data\Canon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-04 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-04 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"McENUI"="c:\progra~1\LcAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-06-15 20480]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"TrayComm"="TrayComm.exe" [2004-05-21 c:\windows\TrayComm.exe]
"TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-10-07 1738032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-04 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOBAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\securhty center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthnrizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Applet\\TAPPSRV.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-10-30 11264]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-04-19 99200]
.
Contentr of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2beb2fb1-8910-44ef-a584-8a9a7ffb0241} - (no file)
BHO-{5e4f010e-46ad-4d24-8417-99bcd419f267} - c:\windows\system32\lwmiqt.dll
BHO-{8a8e7699-dfef-4e47-8673-f4701765cbb4} - c:\windows\system32\rugakeju.dll
BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Common\_helper.dll
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-dagugosaze - c:\whndows\system32\riyudegi.dll
HKLM-Run-Cobian Backup 9 interface - c:\program files\Cobian Backup 9\cbInterface.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rilalelu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
.

**************************************************************************

catchme 0.3.1367 V2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 14:30:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\SiteAdvisor\6172\SAService.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
b:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-29 14:33:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-29 19:33:11

Pre-Run: 45,794,488,320 bytes free
Post-Run: 46,979,661,824 bytes free

275 --- E O F --- 2009-03-11 12:58:54
Attached Files
File Type: txt ComboFix.txt (15.9 KB, 0 views)
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-29-2009, 02:47 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Hello -

Was there a problem installing the Recovery Console? Did you receive any error messages?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-29-2009, 05:30 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Re: Spyware/Malware in my system..Please help me to remove.
Hi
I followed the steps...
I got couple of RunDll errror messages.I click OK on those messages and it's only available option on those messages.
Thanks!
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-29-2009, 06:51 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Let's try this again. Ensure you have an active internet connection while running ComboFix, and allow it to download and install the Windows Recovery Console as part of it's routine, as outlined in my initial post.
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/360444-spyware-malware-my-system-please-help-me-remove-post2051029.html#post2051029

    File::
    c:\windows\system32\feyimupa.dll
    c:\windows\system32\baborefe.dll

    Registry::
    [HKEY_LOBAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\securhty center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    Collect::
    c:\windows\instsp2.exe
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed.. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-29-2009, 09:39 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Re: Spyware/Malware in my system..Please help me to remove.
Here is the new log file..

ComboFix 09-03-28.06 - MeeluSchool 2009-03-29 22:31:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.115 [GMT -5:00]
Running from: c:\documents and settings\MeeluSchool\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\MeeluSchool\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\baborefe.dll
c:\windows\system32\feyimupa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\instsp2.exe
c:\windows\system32\baborefe.dll
c:\windows\system32\feyimupa.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 18:56 . 2009-03-29 18:57 <DIR> d-------- c:\windows\LastGood
2009-03-29 18:44 . 2009-03-29 18:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-29 18:44 . 2009-03-29 18:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-29 18:43 . 2009-03-29 18:43 <DIR> d-------- c:\program files\Java
2009-03-29 18:23 . 2009-03-29 18:23 <DIR> d-------- c:\program files\CCleaner
2009-03-28 13:48 . 2009-03-28 13:48 <DIR> d-------- c:\documents and settings\JeenuSchool\Application Data\SiteAdvisor
2009-03-26 07:14 . 2009-03-29 14:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-03-25 20:12 . 2009-03-25 21:24 <DIR> d-------- c:\program files\Cobian Backup 9
2009-03-22 09:39 . 2005-11-04 22:25 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-03-22 09:39 . 2005-11-04 23:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-03-22 09:39 . 2005-11-04 22:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-03-22 09:39 . 2005-11-04 23:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-03-22 09:39 . 2005-11-29 17:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2009-03-22 09:39 . 2009-03-18 12:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL
2009-03-22 09:39 . 2009-03-22 09:39 <DIR> d-------- c:\documents and settings\Administrator
2009-03-21 21:16 . 2009-03-22 08:58 <DIR> d-------- c:\documents and settings\Dad\Application Data\SiteAdvisor
2009-03-21 15:46 . 2009-03-29 18:41 8,523 --a------ c:\windows\system32\Config.MPF
2009-03-21 15:43 . 2009-03-21 17:37 <DIR> d-------- c:\program files\SiteAdvisor
2009-03-21 15:43 . 2009-03-26 07:14 <DIR> d-------- c:\documents and settings\MeeluSchool\Application Data\SiteAdvisor
2009-03-21 15:43 . 2009-03-22 08:58 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2009-03-21 15:43 . 2009-03-21 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-03-21 15:42 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-03-21 15:39 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-21 15:39 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-21 15:39 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-21 15:39 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-21 15:38 . 2009-03-29 18:56 <DIR> d-------- c:\program files\McAfee
2009-03-21 15:38 . 2009-03-21 15:39 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-21 14:40 . 2009-01-09 12:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-21 14:05 . 2009-03-29 16:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-21 14:05 . 2009-03-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-20 08:32 . 2009-03-20 08:32 <DIR> d-------- c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-03-18 15:21 . 2009-03-18 15:21 <DIR> d-------- c:\documents and settings\JeenuSchool\Application Data\MSNInstaller
2009-03-18 12:57 . 2009-03-18 12:57 2 --a------ c:\windows\msoffice.ini
2009-03-18 11:55 . 2009-03-18 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-18 11:52 . 2009-03-18 11:59 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-03-18 11:51 . 2009-03-18 12:03 <DIR> d-------- c:\documents and settings\Dad\Application Data\U3
2009-03-10 09:48 . 2009-03-10 09:48 <DIR> d-------- c:\documents and settings\JeenuSchool\Application Data\Smith Micro
2009-03-09 18:45 . 2009-03-29 18:34 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-09 07:45 . 2009-03-21 15:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-28 16:48 . 2009-03-29 14:11 <DIR> d-------- c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 03:34 6,735,580 ----a-w c:\windows\system32\drivers\RemoveAny.log
2009-03-22 20:38 --------- d-----w c:\program files\Google
2009-03-20 13:33 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-19 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-19 14:05 --------- d-----w c:\program files\TOSHIBA
2009-03-19 13:19 --------- d-----w c:\program files\Unity
2009-03-18 20:30 --------- d-----w c:\documents and settings\JeenuSchool\Application Data\toshiba
2009-03-18 20:28 --------- d-----w c:\program files\Sonic
2009-03-18 20:21 --------- d-----w c:\program files\Canon
2009-03-18 20:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-18 19:17 --------- d-----w c:\program files\Yahoo!
2009-03-18 19:16 --------- d-----w c:\program files\Quicken
2009-03-18 18:02 --------- d-----w c:\program files\Pure Networks
2009-03-18 18:02 --------- d-----w c:\program files\Common Files\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\Mom\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\MeeluSchool\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\JeenuSchool\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\Ignite\Application Data\AOL
2009-03-18 17:59 --------- d-----w c:\documents and settings\Dad\Application Data\AOL
2009-03-10 03:36 --------- d-----w c:\program files\McAfee.com
2009-02-27 00:57 --------- d-----w c:\documents and settings\JeenuSchool\Application Data\Canon
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2008-12-05 07:12 144,896 ----a-w c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-29_14.32.22.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-29 19:12:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-29 21:29:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-29 19:12:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-29 21:29:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-09 17:03:40 213,640 ----a-w c:\windows\system32\drivers\mfehidk.sys
+ 2007-11-22 11:44:08 201,320 ----a-w c:\windows\system32\drivers\mfehidk.sys
+ 2009-03-29 23:43:58 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-03-29 23:43:58 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-29 23:43:59 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-29 23:44:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_134.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-04 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-04 98304]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-06-15 20480]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"TrayComm"="TrayComm.exe" [2004-05-21 c:\windows\TrayComm.exe]
"TPSMain"="TPSMain.exe" [2005-06-01 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 c:\windows\agrsmmsg.exe]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-10-07 1738032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-04 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Applet\\TAPPSRV.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-10-30 11264]
S2 0015971238371041mcinstcleanup;McAfee Application Installer Cleanup (0015971238371041);c:\windows\TEMP\001597~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\001597~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-04-19 99200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 22:33:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(2824)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2009-03-29 22:35:31
ComboFix-quarantined-files.txt 2009-03-30 03:35:20
ComboFix2.txt 2009-03-29 19:33:32

Pre-Run: 46,722,248,704 bytes free
Post-Run: 46,780,280,832 bytes free

199 --- E O F --- 2009-03-11 12:58:54
Attached Files
File Type: txt ComboFix.txt (13.5 KB, 0 views)
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-29-2009, 09:53 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Looking much better.

Please perform this online scan to help look for remnants. This scan requires SunJava to run.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

---------------------------------------------------------------------------------------------


Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-30-2009, 08:31 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Re: Spyware/Malware in my system..Please help me to remove.
Now the system is performing far better!! No pop ups ..No messages..No unwanted dlls on start up services. Thanks a lot for your time and effort. I'm really appreciate it.
Heres the Kaspersky report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 29, 2009 22:17:16
Records in database: 1979613
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 67836
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:19:55


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkljnsrvk.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnkrodulk.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqmppgfqj.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACsrddrjxd.dll.vir Infected: Trojan.Win32.Tdss.ror 1

The selected area was scanned
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-30-2009, 08:49 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Great, glad to hear it.

The items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-30-2009, 02:46 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 8
OS: Win XP Home sp2


Re: Spyware/Malware in my system..Please help me to remove.
Thank You very much!! Everything works good...Ill do the protection steps as well for the future.Awesome guys..Really fast response..Thanks!!
joshynotts is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-30-2009, 04:55 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,704
OS: 2000 Pro; XP Pro; XP Home


Re: Spyware/Malware in my system..Please help me to remove.
Glad to help.

Surf Safely, and Think Prevention!! The internet's a jungle.

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 08:23 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85