Please help remove overclick.cn

[presser]

Hi, I have a spyware that is re-directing me from Google, Yahoo, MSN ect. Please help. Here is my logs


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 16:46:39.90 on Fri 07/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1383 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
svchost
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\1L52UQ3K\dds[1].scr
C:\Program Files\Messenger\msmsgs.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4322A444-92F8-4C3E-BD4C-013BA51E2871} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Download by VersalSoft Internet Download - c:\program files\versalsoft\internetdownload\adddownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/oneclickfix/tgctlsr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://www.fultoncourtrecords.com:7778/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://fdl.msn.com/public/chat/msnchat45.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-15 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-15 38208]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-3-15 160792]
R1 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-6 1251720]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-3-30 1181040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-8 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090731.004\NAVENG.Sys [2009-7-31 87888]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090731.004\NavEx15.Sys [2009-7-31 875728]
RUnknown oodbvd;oodbvd; [x]
S2 bgttvqztrvjupzl;bgttvqztrvjupzl;\??\c:\windows\system32\drivers\ponnwl.sys --> c:\windows\system32\drivers\ponnwl.sys [?]
S2 xlwzfptw;xlwzfptw; [x]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-3-12 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-3-12 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-3-12 81288]
S3 SAVScan;Symantec AVScan;c:\program files\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-12 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-12 1079176]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-15 33088]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 UltraCrypt;UltraCrypt;\??\c:\program files\ultraleecher_usenet\ultracrypt.sys --> c:\program files\ultraleecher_usenet\UltraCrypt.sys [?]

=============== Created Last 30 ================

2009-07-28 15:10 <DIR> --d----- c:\program files\New Product
2009-07-23 11:31 389,120 a------- c:\windows\system32\CF27294.exe
2009-07-23 11:31 389,120 a------- c:\windows\system32\CF26696.exe
2009-07-23 11:25 389,120 a------- c:\windows\system32\CF25592.exe
2009-07-22 14:30 19,759 a------- c:\windows\paxixam.com
2009-07-22 14:30 19,111 a------- c:\windows\nyxaxa.bat
2009-07-22 14:30 17,279 a------- c:\program files\common files\citanikeva.dat
2009-07-22 14:30 17,206 a------- c:\windows\eboner.dat
2009-07-22 14:30 12,604 a------- c:\windows\pusyza.bin
2009-07-22 14:30 11,602 a------- c:\program files\common files\afuca.bin
2009-07-22 11:06 <DIR> --d----- C:\divx
2009-07-20 16:50 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-13 13:03 <DIR> --d----- c:\program files\sFX
2009-07-09 11:13 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Messenger

==================== Find3M ====================

2009-07-31 16:09 43,642 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-07-22 14:30 14,501 a------- c:\program files\common files\kiteg.lib
2009-07-22 14:30 11,767 a------- c:\program files\common files\luwere._dl
2009-07-22 14:07 3,532 a------- C:\drmHeader.bin
2009-07-20 16:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 13:32 4,012,051 a------- c:\windows\system32\alt.binaries.pictures.erotica.breast.small.exe
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-02-21 17:41 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-02-21 17:41 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2008-01-08 11:00 56,912 a------- c:\documents and settings\hp_administrator\g2mdlhlpx.exe

============= FINISH: 16:48:12.00 ===============

[presser]

Please help me with this - am I not posting this right?

[mas_pogi]

hi.

Sorry for the delay. Forum is quite busy.

Welcome to TSF once again.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe
------------------------------------------------------------------------

Seems you ran combofix a couple of times already.

Quote:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

-------------------------------------------------------------------------
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

-----------------------------------------------------------------------
I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

----------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

If you have any copy of Combofix.exe. Please delete it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.
  
  
• Double click on Combo-Fix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark

[presser]

Thank you for getting back to me - I think I have something bad. Here is my comb-fix log. Hope I posted or attached it correctly. Thanks again

ComboFix 09-08-01.02 - HP_Administrator 08/01/2009 18:34.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1636 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
AV: Norton AntiVirus 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\sFX
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\recycler\S-1-5-21-7038597762-8798083164-280040383-9618
c:\windows\Installer\1b36aeb.msi
c:\windows\rgmonsvc.exe
c:\windows\run.log
c:\windows\system32\drivers\hjgruicplgrknm.sys
c:\windows\system32\drivers\UACyrndoulh.sys
c:\windows\system32\hjgruihjatkqch.dll
c:\windows\system32\hjgruiltoutlnv.dll
c:\windows\system32\hjgruitackytqc.dat
c:\windows\system32\hjgruiwnuqfahq.dat
c:\windows\system32\UACyqmehewx.dll
c:\windows\system32\wbem\proquota.exe
C:\xcrashdump.dat
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiojxuktvp
-------\Service_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 22:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-01 22:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-28 19:10 . 2009-07-28 19:10 -------- d-----w- c:\program files\New Product
2009-07-22 18:30 . 2009-07-22 18:30 19759 ----a-w- c:\windows\paxixam.com
2009-07-22 18:30 . 2009-07-22 18:30 19111 ----a-w- c:\windows\nyxaxa.bat
2009-07-22 18:30 . 2009-07-22 18:30 17358 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ivigyq.reg
2009-07-22 18:30 . 2009-07-22 18:30 17279 ----a-w- c:\program files\Common Files\citanikeva.dat
2009-07-22 18:30 . 2009-07-22 18:30 17206 ----a-w- c:\windows\eboner.dat
2009-07-22 18:30 . 2009-07-22 18:30 14876 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ovamega.bin
2009-07-22 18:30 . 2009-07-22 18:30 12604 ----a-w- c:\windows\pusyza.bin
2009-07-22 18:30 . 2009-07-22 18:30 11602 ----a-w- c:\program files\Common Files\afuca.bin
2009-07-22 18:30 . 2009-07-22 18:30 11073 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\xikix.sys
2009-07-22 18:30 . 2009-07-22 18:30 10350 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\mykyvymofu.bat
2009-07-22 15:06 . 2009-07-22 15:06 -------- d-----w- C:\divx
2009-07-20 20:45 . 2009-07-20 20:47 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-09 15:13 . 2009-07-09 16:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 20:22 . 2008-02-13 14:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-07-31 20:09 . 2006-05-06 17:57 43642 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-07-31 18:36 . 2008-09-19 13:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-31 18:05 . 2009-06-15 17:45 37472 ----a-w- c:\windows\Fonts\INFOview.fon\infoview.fon
2009-07-31 18:05 . 2009-06-15 17:45 -------- d-----w- c:\windows\Fonts\INFOview.fon
2009-07-31 12:17 . 2006-02-13 18:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-28 15:32 . 2006-05-06 20:31 -------- d-----w- c:\program files\MYIE2
2009-07-22 18:30 . 2009-07-22 18:30 14501 ----a-w- c:\program files\Common Files\kiteg.lib
2009-07-22 18:30 . 2009-07-22 18:30 11767 ----a-w- c:\program files\Common Files\luwere._dl
2009-07-22 18:21 . 2008-08-20 14:20 -------- d-----w- c:\program files\DivX
2009-07-22 18:07 . 2008-08-26 14:55 3532 ----a-w- C:\drmHeader.bin
2009-07-21 19:24 . 2009-03-17 17:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-20 21:31 . 2009-03-14 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-20 21:30 . 2009-06-24 13:09 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-20 20:50 . 2009-02-01 19:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 15:23 . 2008-08-16 12:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 15:22 . 2008-08-16 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 17:36 . 2009-06-08 17:13 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-06-08 17:13 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 20:52 . 2008-02-13 14:46 -------- d-----w- c:\program files\LimeWire
2009-06-25 19:36 . 2008-09-07 22:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPAppData
2009-06-05 12:47 . 2009-05-05 20:48 -------- d-----w- c:\program files\WhiteCanyon
2009-06-04 12:54 . 2009-03-12 13:20 164 ----a-w- c:\windows\install.dat
2009-06-03 19:09 . 2009-06-03 19:09 33 ----a-w- c:\documents and settings\All Users\Application Data\16369064\16369064.exe
2009-06-03 19:09 . 2009-06-03 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\96379056
2009-06-03 19:09 . 2009-06-03 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\16369064
2009-05-07 15:32 . 2004-08-09 21:00 345600 ------w- c:\windows\system32\localspl.dll
2006-09-01 13:53 . 2006-09-01 13:53 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-20 148888]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-04-06 6345840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^hp_administrator^start menu^programs^startup^fmnupd32.exe]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\fmnupd32.exe
backup=c:\windows\pss\fmnupd32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KService"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"47435:TCP"= 47435:TCP:limewire
"35979:TCP"= 35979:TCP:frostwire
"47436:TCP"= 47436:TCP:limewire
"35946:TCP"= 35946:TCP:limewire
"8085:TCP"= 8085:TCP:sfx

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/16/2009 1:28 PM 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/25/2009 3:24 PM 29808]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/15/2009 8:24 AM 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/15/2009 8:24 AM 38208]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [3/15/2009 10:51 AM 160792]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [3/30/2009 4:18 PM 1181040]
S2 bgttvqztrvjupzl;bgttvqztrvjupzl;\??\c:\windows\system32\drivers\ponnwl.sys --> c:\windows\system32\drivers\ponnwl.sys [?]
S2 xlwzfptw;xlwzfptw; [x]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/12/2009 11:20 AM 356920]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/15/2009 8:24 AM 33088]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S3 UltraCrypt;UltraCrypt;\??\c:\program files\UltraLeecher_USENET\UltraCrypt.sys --> c:\program files\UltraLeecher_USENET\UltraCrypt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-01 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-09-24 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
IE: Download by VersalSoft Internet Download - c:\program files\VersalSoft\InternetDownload\adddownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://www.fultoncourtrecords.com:7778/forms/jinitiator/jinit.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(920)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(296)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\WhiteCanyon\SecureClean 4\SCWatch4.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
c:\program files\Webroot\WebrootSecurity\SSU.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-08-01 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 23:06

Pre-Run: 202,881,404,928 bytes free
Post-Run: 203,130,892,288 bytes free

246 --- E O F --- 2009-06-11 03:03

[mas_pogi]

hi.

Lets continue..

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/400444-please-help-remove-overclick-cn.html#post2270918

COLLECT::
c:\windows\paxixam.com
c:\windows\nyxaxa.bat
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ivigyq.reg
c:\program files\Common Files\citanikeva.dat
c:\windows\eboner.dat
c:\documents and settings\HP_Administrator\Local Settings\Application Data\ovamega.bin
c:\windows\pusyza.bin
c:\program files\Common Files\afuca.bin
c:\documents and settings\HP_Administrator\Local Settings\Application Data\xikix.sys
c:\documents and settings\HP_Administrator\Local Settings\Application Data\mykyvymofu.bat
c:\program files\Common Files\kiteg.lib
c:\windows\system32\drivers\ponnwl.sys

FILE::
c:\program files\Common Files\luwere._dl
c:\windows\pss\fmnupd32.exeStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\fmnupd32.exe

FILELOOK::
c:\documents and settings\All Users\Application Data\16369064\16369064.exe

DIRLOOK::
c:\documents and settings\All Users\Application Data\96379056
c:\documents and settings\All Users\Application Data\16369064

REGISTRY::
[-HKLM\~\startupfolder\c:^documents and settings^hp_administrator^start menu^programs^startup^fmnupd32.exe]

DRIVER::
bgttvqztrvjupzl
xlwzfptw

DDS::
TB: {4322A444-92F8-4C3E-BD4C-013BA51E2871} - No File

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-------------------------------------------------------------------------

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire PRO 4.18.6). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

Please uninstall them via add/remove program at the CONTROL PANEL:
LimeWire PRO 4.18.6

Then..

Did you install this one? Otherwise, uninstall it.

AutoUpdate

-----------------------------------------------------------------------

Run ESET Online Scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find the instructions You can find instructions HERE.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

------------------------------------------------------------------------

How's your computer now?


In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions

Mark

[presser]

Hi Mark, I did as you said but I could not find AutoUpdate to uninstall. I never installed this myself. Something has been blocking my Norton Anti Virus from fixing Windows Automatic Update and this may be it. It appears that the overclick.cn is gone. I tried several times to get to web-sites and they were all successfull. But it looks like I still have something.

Here are my logs

C:\Program Files\New Product\Hmm.exe Win32/Yabinder.20 trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruihjatkqch.dll.vir Win32/Olmarik.JU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir a variant of Win32/Kryptik.YT trojan

[mas_pogi]

hi.

Quote:

I did as you said but I could not find AutoUpdate to uninstall.

That's ok.

----------------------------------------------------------------------
Do not edit the result. Please attach the complete log of ESET in your next reply


-----------------------------------------------------------------------

Quote:

Something has been blocking my Norton Anti Virus from fixing Windows Automatic Update and this may be it.

What do you mean by that? You mean you can't update your windows?

------------------------------------------------------------------------

Please go to: VirusTotal

• On the page you'll find a Browse button.
  
• Next to the Browse button you'll see a box to enter text.
• Please copy/paste the following bolded text into the box:
  
  c:\documents and settings\All Users\Application Data\16369064\16369064.exe
  
  
• Then click the Send File button just below.
• This will scan the file. Please be patient.
• If you get a message saying File has already been analysed: click Reanalyse file now
• Once scanned, copy and paste the results in your next reply.

-----------------------------------------------------------------------

In your reply, please post


Complete ESET scan result <---attached
Virustotal result
Answer to my questions

Mark

[presser]

Hi Mark, Yes, My Norton has a red X at the bottom of my computer saying it cannot fix the problem of turining on my windows update.

Srpski | Македонски | العربية | Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File 16369064.exe_ received on 2009.08.02 11:56:33 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/41 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.02 -
AhnLab-V3 5.0.0.2 2009.08.01 -
AntiVir 7.9.0.238 2009.07.31 -
Antiy-AVL 2.0.3.7 2009.07.31 -
Authentium 5.1.2.4 2009.08.01 -
Avast 4.8.1335.0 2009.08.01 -
AVG 8.5.0.406 2009.08.02 -
BitDefender 7.2 2009.08.02 -
CAT-QuickHeal 10.00 2009.07.30 -
ClamAV 0.94.1 2009.08.02 -
Comodo 1838 2009.08.02 -
DrWeb 5.0.0.12182 2009.08.02 -
eSafe 7.0.17.0 2009.07.30 -
eTrust-Vet 31.6.6650 2009.08.01 -
F-Prot 4.4.4.56 2009.08.01 -
F-Secure 8.0.14470.0 2009.08.01 -
Fortinet 3.120.0.0 2009.08.02 -
GData 19 2009.08.02 -
Ikarus T3.1.1.64.0 2009.08.02 -
Jiangmin 11.0.800 2009.08.02 -
K7AntiVirus 7.10.808 2009.08.01 -
Kaspersky 7.0.0.125 2009.08.02 -
McAfee 5695 2009.08.01 -
McAfee+Artemis 5695 2009.08.01 -
McAfee-GW-Edition 6.8.5 2009.08.02 -
Microsoft 1.4903 2009.08.02 -
NOD32 4298 2009.08.02 -
Norman 6.01.09 2009.07.31 -
nProtect 2009.1.8.0 2009.08.02 -
Panda 10.0.0.14 2009.08.02 -
PCTools 4.4.2.0 2009.08.01 -
Prevx 3.0 2009.08.02 -
Rising 21.40.62.00 2009.08.02 -
Sophos 4.44.0 2009.08.02 -
Sunbelt 3.2.1858.2 2009.08.02 -
Symantec 1.4.4.12 2009.08.02 -
TheHacker 6.3.4.3.375 2009.08.01 -
TrendMicro 8.950.0.1094 2009.07.31 -
VBA32 3.12.10.9 2009.08.02 -
ViRobot 2009.7.31.1863 2009.07.31 -
VirusBuster 4.6.5.0 2009.07.31 -
Additional information
File size: 33 bytes
MD5...: 892932e7a6936da749eb8cb9cbd63c25
SHA1..: 50e7c151d6ddb0adfef6c79a75abfc59882e1542
SHA256: cbde260b3c38f905dd1a317176752bc8d749bfe5e1a6f3f0b30cc62fa3883570
ssdeep: 3:GHH9S0VEVAn:29S0VEqn

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

[presser]

Mark, I now have a green check on my Norton. - Awesome. Hasn't been a green check for months. You are the best. Let me know what else I need to do.

Thanks

[mas_pogi]

hi.

Quote:

Mark, I now have a green check on my Norton. - Awesome. Hasn't been a green check for months. You are the best. Let me know what else I need to do.

Good.

Kindly delete this folder.

C:\Program Files\New Product


The ESET log you posted is not the original log. Please attach C:\Program Files\Eset\Eset Online Scanner\log.txt. PLease do not edit it.

Mark

[presser]

Ok - I deleted the new program folder

I can't ssem to attach it but I think this is it

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# MyIE.exe=0, 9, 27, 68
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=32ed7855f3eecb44b555129fa555749a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-02 03:50:44
# local_time=2009-08-01 11:50:44 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 37 100 89 104564375000
# scanned=117729
# found=4
# cleaned=0
# scan_time=7681
C:\Program Files\New Product\Hmm.exe Win32/Yabinder.20 trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruihjatkqch.dll.vir Win32/Olmarik.JU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir a variant of Win32/Kryptik.YT trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP129\A0105176.dll Win32/Olmarik.JU trojan 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=6
# MyIE.exe=0, 9, 27, 68
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=32ed7855f3eecb44b555129fa555749a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-02 09:47:34
# local_time=2009-08-02 05:47:34 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 21 100 89 138652031250
# scanned=118075
# found=3
# cleaned=0
# scan_time=7908
C:\Program Files\New Product\Hmm.exe Win32/Yabinder.20 trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruihjatkqch.dll.vir Win32/Olmarik.JU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir a variant of Win32/Kryptik.YT trojan 00000000000000000000000000000000 I

[presser]

Hope this is it.

[mas_pogi]

hi.

Good job.

ESET found infected files in System restore. They don't pose a problem unless we manually restore them. Qoobox is our tool quarantine folder. They will be purge in my succeeding instructions.


Congratulations! You now appear clean!

We Need to Clean Up Our Mess

1. Uninstall ComboFix
   Remove Combofix now that we're done with it.
   • Click on your Start Menu, then Run....
   • Now copy and paste this one in the runbox. Then HIT enter.
     
     
     Code:

     ComboFix /u

     
     
     
   Uninstalling ComboFix will do the following:
   1. Delete ComboFix and its components from your computer.
   2. Delete other tools commonly used during the malware removal process.
   3. Resets clock settings to standard format.
   4. Re-hides file extensions and hidden/system files.
   5. Clears System Restore cache and creates new restore point.
   
   
2. Please also delete the DDS.scr located at your desktop.

-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.

1. Install Spyware Blaster and update it regularly
   If you wish, the commercial version provides automatic updating.
   
   
2. Install the MVPs hosts file, and update it regularly
   You can use the HostMan host file manager to do this automaticly if you wish.
   For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
   
   
3. Install an Anti-Spyware program, and update it regularly
   Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
   SUPERAntiSpyware is another good scanner with high detection and removal rates.
   Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
   
   
4. Keep Windows (and your other Microsoft software) up to date!
   I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
   
   Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
   
   
5. Keep your other software up to date as well
   Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
   
   
6. Stay up to date!
   The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Don't forget to enable all your security applications.
Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark

[presser]

Mark, Thanks for all of your help. I can't thank you enough!!!

Hope you have a great week.

[mas_pogi]

hi.

It is my pleasure to help you.

Surf safely.

Since the problem appears to be resolved, it will now be archived.


Mark