Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
08-15-2009, 04:06 PM   #1
AlxSTi, Registered User
Join Date: Aug 2009
Posts: 7
OS: XP

Help removing 'iexplore.exe' ghost audio virus/malware/spyware

I have an unusual virus/spyware/malware running on my computer and I've never seen anything like it. At random intervals audio will start playing. One time, it sounds like a news broadcast, another time it sounds like some Japanese song, or just people talking. I've noticed that whenever the "ghost audio" is playing, I pull up the Windows Task Manager to see if some foreign task is causing this, but it shows the task "iexplorer.exe" running and its Mem Usage is upwards of 50,000 K, which leads me to believe that the software is running through it. I use FireFox and never Internet Explorer, so there is no reason the real "iexplorer.exe" should be running in the background.

I've run McAfee virus scan, Ad-Aware SE, Eusing registry cleaner, and StopZilla, but none of these programs have located or deleted it. Below is the DDS.txt, copied and pasted, and I've attached the Attach.txt file. For some reason the GMER.exe program didn't appear to do anything when I double-clicked the extracted .exe file. It looked like it was running in the task manager, but there was no GUI pop-up. I hope someone can help...


DDS (Ver_09-07-30.01) - NTFSx86
Run by Alex at 17:52:35.31 on Sat 08/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.557 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.msn.com
uWindow Title = Microsoft Internet Explorer provided by EarthLink, Inc.
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://ie.search.msn.com
mSearch Bar = res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%67%6d%62%6c%6d%62%2e%64%6c%6c/%73%70%2e%68%74%6d%6c
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uCustomizeSearch = hxxp://ie.search.msn.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - AskBar BHO
BHO: {6FBB1DA6-6685-498D-A373-B4681647B0DF} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Gamevance Text: {beac7dc8-e106-4c6a-931e-5a42e7362883} - Gamevance Text
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: <NO NAME> =
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=GRfox000
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - hxxp://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?ada0a9906014f12baa32b00577f8f5bb61eb77ee48d25410c476937b5be15e1f2dab17bed4f981a5becd38a26ec1e0feb4ccb04c1f99ca3daf10d67336038ce27905a3e95e:bf757c4be4c13d001a1c2781df7d3354
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: msmdev - {5AD415E1-0FB2-4C56-9426-5F5F5E0487AF} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\8rfuemcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-5-23 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-5-23 144704]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2002-12-20 135168]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-5-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-5-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-5-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-5-23 40552]
S3 KID_USB;Kensington Input Devices USB filter driver;c:\windows\system32\drivers\KID_USB.sys [2001-9-5 16344]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-5-23 34216]

=============== Created Last 30 ================

2009-08-15 03:08 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-13 15:22 <DIR> --d----- c:\program files\Trend Micro
2009-08-11 14:39 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-09 16:45 272 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-09 15:01 4,128 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-09 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-09 14:55 <DIR> --d----- c:\program files\common files\iS3
2009-08-09 10:44 <DIR> --d----- c:\program files\PrivacyCenter
2009-08-07 12:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-08-07 12:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-05 09:41 <DIR> --d----- c:\program files\a-squared Anti-Malware
2009-07-24 04:39 104,512 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-08 15:48 153,874 a------- c:\windows\hppins07.dat
2009-07-08 15:12 153,833 a------- c:\windows\system32\hppins07.dat
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-25 08:01 89,256 -------- c:\windows\system32\ElbyCDIO.dll
2006-09-24 12:51 81,920 a------- c:\docume~1\alex\applic~1\ezpinst.exe
2006-09-24 12:51 47,360 a------- c:\docume~1\alex\applic~1\pcouffin.sys
2002-12-20 10:37 32 ac-sh--- c:\windows\{1E54DF87-E1C1-493A-BF45-C07DD5F6A2D3}.dat
2002-12-20 10:38 32 ac-sh--- c:\windows\{1EE0679B-1433-455E-974C-2A0F89C3198F}.dat
2002-12-20 10:35 32 ac-sh--- c:\windows\{60D2A316-EED7-4758-A463-502E81732862}.dat
2002-12-20 10:36 32 ac-sh--- c:\windows\{85DE1004-7680-4908-828D-7804A9816154}.dat
2002-12-20 10:35 32 ac-sh--- c:\windows\{A4062CFE-63B3-4BFF-8A4D-326A8776A7FD}.dat
2002-12-20 10:38 32 ac-sh--- c:\windows\{FEA2FCB4-2436-47C4-9E29-94B81A320AD9}.dat
2004-12-23 01:00 56 -c-shr-- c:\windows\system32\8F46AE1BEE.sys
2006-09-03 15:51 11,690 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2002-12-20 10:37 32 ac-sh--- c:\windows\system32\{36FE474C-BEB9-422A-9D40-335953463A45}.dat
2002-12-20 10:38 32 ac-sh--- c:\windows\system32\{39519AE4-C6DD-43B2-BE3A-AA610748A931}.dat
2002-12-20 10:36 32 a--sh--- c:\windows\system32\{50ECA7A3-782F-424B-9E79-2D348F282D3D}.dat
2002-12-20 10:35 32 ac-sh--- c:\windows\system32\{6BC1246D-529B-4A82-B9B0-783B537CDC1E}.dat
2002-12-20 10:38 32 a--sh--- c:\windows\system32\{9BBF2E88-C85E-4879-80BA-FC30EC32996C}.dat
2002-12-20 10:35 32 ac-sh--- c:\windows\system32\{FEB26312-6743-4763-86C5-DBD46D9CDEA8}.dat
2008-08-26 14:28 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 17:54:43.93 ===============
Attached Files
File Type: txt Attach.txt (13.3 KB, 2 views)
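The mSearch Bar line in the DDS log above is a percent-encoded res:// URL, which is why it is hard to read at a glance. The following is an added Python example, not part of the original post or of the DDS tool, that decodes such values and flags the IE settings an analyst would look at first; the two heuristics it applies and the sample lines other than the mSearch Bar one are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample: a few "Pseudo HJT Report" lines in DDS format. The mSearch Bar line is
# the one from the log in this thread; the others are ordinary settings for comparison.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%67%6d%62%6c%6d%62%2e%64%6c%6c/%73%70%2e%68%74%6d%6c
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
"""

# DDS prefixes each IE setting with its registry scope: u = HKCU, m = HKLM, d = default user hive.
SETTING_RE = re.compile(r"^([umd])([A-Za-z_][A-Za-z_ ,]*?)\s*=\s*(.*)$")
SCOPE = {"u": "HKCU", "m": "HKLM", "d": "Default user"}


def decode_res_url(value):
    """Percent-decode a res:// URL and split it into the module (DLL/EXE) and the resource name.

    Returns None when the value is not a res:// URL at all.
    """
    if not value.lower().startswith("res://"):
        return None
    body = unquote(value[len("res://"):])
    module, _, resource = body.rpartition("/")
    return {"module": module, "resource": resource}


def suspicious_ie_settings(dds_text):
    """Return the IE settings whose value is percent-encoded or served out of a local module."""
    findings = []
    for line in dds_text.splitlines():
        m = SETTING_RE.match(line)
        if not m:
            continue
        scope, key, value = m.groups()
        reasons = []
        if "%" in value:
            # Heuristic (my assumption): a normal setup does not write these values percent-encoded.
            reasons.append("value is percent-encoded")
        decoded = decode_res_url(value)
        if decoded:
            reasons.append("res:// URL loads the page from a local module")
            if decoded["module"].lower().startswith("c:\\windows\\system32\\"):
                reasons.append("that module sits in System32 beside system DLLs")
        if reasons:
            findings.append({"scope": SCOPE[scope], "key": key, "value": value,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_ie_settings(SAMPLE_DDS):
        d = f["decoded"]
        target = f"{d['module']} -> {d['resource']}" if d else f["value"]
        print(f"{f['scope']} {f['key']}: {target}")
        for r in f["reasons"]:
            print("   ", r)
```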

08-16-2009, 07:06 AM   #2
mas_pogi, Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

hi.

Let's try another rootkit scan before we proceed with fixes.

Download RootRepeal.zip to your Desktop and extract the compressed file to its own folder.

Open the folder and double-click on RootRepeal.exe to run it.
  • Click on the Report tab, and then click on: Scan
  • A window opens asking what to include in the scan.
  • Check the following boxes then click OK:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C)
  • Click OK once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
When the scan finishes, click on: Save Report. Save it to your desktop so you may find it easily.

Please attach the report in your next reply.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
08-16-2009, 11:24 AM   #3
AlxSTi, Registered User

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

Thanks for the reply Mark - I am unable to run RootRepeal. When I attempted to open the program I got an error pop-up that said "Could not read boot sector. Try adjusting the disc level access level in the options dialog." After closing that message I initiated the scan as instructed, but it was stuck at the 'initializing..' stage for about 10 minutes until I got a 'virtual memory low' error and I closed everything..
08-16-2009, 11:31 AM   #4
AlxSTi, Registered User

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

Third try.. I adjusted the disk level access from low to high and reran the scan. During the scan I got about 4 or 5 of those 'boot sector' errors and at the end of the scan I got an 'unable to scan registry' message. I've attached the report.. although I don't know how helpful it will be.
Attached Files
File Type: txt RootRepeal report 08-16-09 (13-28-53).txt (21.7 KB, 2 views)
08-16-2009, 04:29 PM   #5
mas_pogi, Analyst, Security Team

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

hi.

Welcome to TSF once again.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe

-------------------------------------------------------------------------
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

-----------------------------------------------------------------------
I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

----------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2






  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.


    McAfee must be properly disabled or it will interfere with what ComboFix needs to do to remove this rootkit.

    Open McAfee Security Centre
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.
      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)
    • Next, select never for "When to re-enable real time scanning"
    • and click OK.

  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark
08-16-2009, 08:24 PM   #6
AlxSTi, Registered User

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

I've attached the ComboFix.txt log.

Thanks!
Attached Files
File Type: txt ComboFix.txt (19.2 KB, 2 views)
08-17-2009, 06:16 AM   #7
mas_pogi, Analyst, Security Team

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

hi.

Nice. Let's continue..

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
FILE::
c:\windows\S5200D52D.tmp
FOLDER::
c:\program files\PrivacyCenter
c:\program files\Coupons
REGISTRY::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
DDS::
uInternet Connection Wizard,ShellNext = iexplore
mSearch Bar = res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%67%6d%62%6c%6d%62%2e%64%6c%6c/%73%70%2e%68%74%6d%6c


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-----------------------------------------------------------------------

Please uninstall the following using the Windows Add/Remove Programs applet in the Control Panel.


Foistware
Viewpoint Manager (Remove Only)
Viewpoint Media Player

Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

Please also delete this folder.

c:\program files\Viewpoint


P2P program ( Perils of P2P File Sharing )

LimeWire 5.2.13



Outdated java runtimes: (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system)

J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6


Your Java is out of date.

Java(TM) 6 Update 11 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

-----------------------------------------------------------------------
Let's check if there are still remnants of the infection.

Run ESET Online Scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

--------------------------------------------------------------------

How's your computer?


In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions


Mark
08-17-2009, 06:03 PM   #8
AlxSTi, Registered User

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

Mark,

Below are the ESET scan results. It looks like it found 7 infected files.. I've also attached the combofix log file. I uninstalled and removed the files you mentioned, including LimeWire, the outdated java runtimes, and Bodog (which ESET found). I updated Java as you instructed, but I also noticed that there are 2 folders left in c:\program files\java named 'jre1.5.0_06' and 'jre6'. I assume these can be manually deleted as well, but I want to make sure before I do so.

I don't hear or see any trace of the 'iexplore.exe' program I was originally having. Things are looking good.. Once again, I am very grateful for your help!

------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=45102df9d9f4e345a19d6dfa421069ee
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-17 11:42:31
# local_time=2009-08-17 07:42:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 37 100 88 119423631670390
# compatibility_mode=5889 61 66 100 749921611670390
# scanned=117082
# found=7
# cleaned=0
# scan_time=5905
C:\Program Files\Bodog Casino\Install.exe a variant of Win32/CasOnline application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqpbiomyqoe.dll.vir Win32/Olmarik.HZ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrwbwwyrgie.dll.vir Win32/Olmarik.KI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtqskwpduri.dll.vir Win32/Olmarik.JQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACoyqmupxdoe.sys.vir Win32/Olmarik.JQ trojan 00000000000000000000000000000000 I
F:\_Restore\TEMP\A1864204.CPY a variant of Win32/Adware.WhenUSave application 00000000000000000000000000000000 I
F:\_Restore\TEMP\A1870335.CPY a variant of Win32/Adware.WhenUSave application 00000000000000000000000000000000 I
Attached Files
File Type: txt log.txt (12.7 KB, 1 views)
08-18-2009, 10:00 AM   #9
mas_pogi, Analyst, Security Team

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

hi.

We are done here.

Quote:
I updated Java as you instructed, but I also noticed that there are 2 folders left in c:\program files\java named 'jre1.5.0_06' and 'jre6'.
You can delete the jre1.5.0_06 folder only.
jre6 folder is the latest one.

Those that are found by ESET in Qoobox are harmless. Qoobox is our tool quarantine folder.

Using Windows Explorer, locate and delete the following files and folder.

Folder:
C:\Program Files\Bodog Casino

Files:
F:\_Restore\TEMP\A1864204.CPY
F:\_Restore\TEMP\A1870335.CPY

Apart from that, your logs are already clean.
------------------------------------------------------------------------

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this one in the runbox. Then HIT enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Resets clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions provide a resident scanner and do not nag.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Don't forget to enable all your security applications.
Please respond to this thread one more time so we can mark this thread as resolved.


Thank you very much.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
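As an added illustration (not the analyst's tool or the forum's own code), the following Python script applies the reasoning in the post above to ESET-style scan lines: hits under ComboFix's Qoobox quarantine are inert, hits under _Restore are old restore-point copies to delete by hand, and anything else is still live. The line layout (path, detection text, 32-hex hash, flag) is inferred from the quoted log, and the last sample line is constructed to show a live hit.

```python
import re
from collections import defaultdict

ZERO_HASH = "0" * 32

# Constructed sample in the shape of the ESET log tail quoted in the thread.
# The last line is made up to show a detection outside any quarantine folder.
SAMPLE_LOG = "\n".join([
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqpbiomyqoe.dll.vir Win32/Olmarik.HZ trojan " + ZERO_HASH + " I",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACoyqmupxdoe.sys.vir Win32/Olmarik.JQ trojan " + ZERO_HASH + " I",
    r"F:\_Restore\TEMP\A1864204.CPY a variant of Win32/Adware.WhenUSave application " + ZERO_HASH + " I",
    r"C:\WINDOWS\system32\drivers\example.sys Win32/Olmarik.JQ trojan " + ZERO_HASH + " I",
])

# Assumed layout: the path runs up to its file extension, then the detection
# text, then a 32-hex hash and a one-letter flag. Anchoring on the extension
# keeps paths containing spaces (e.g. "Program Files") intact.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<detection>.+?)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)

QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)                     # ComboFix's quarantine
RESTORE_MARKERS = ("\\_restore\\", "\\system volume information\\")   # restore-point copies


def classify(path):
    """Bucket a detected path the way the analyst did in the thread."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantined"   # inert; removed when ComboFix is uninstalled
    if any(m in p for m in RESTORE_MARKERS):
        return "restore_copy"  # backup copy; delete by hand or purge restore points
    return "live"              # still in a real location: the machine is not clean yet


def triage(log_text):
    """Parse ESET-style lines and group (path, detection) pairs by meaning."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)   # keep unknown layouts visible
            continue
        buckets[classify(m["path"])].append((m["path"], m["detection"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```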
Old 08-18-2009, 11:56 AM   #10 (permalink)
AlxSTi
Registered User
Join Date: Aug 2009
Posts: 7
OS: XP

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

Excellent! Thank you very much!
Old 08-18-2009, 04:29 PM   #11 (permalink)
mas_pogi
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint

Re: Help removing 'iexplore.exe' ghost audio virus/malware/spyware

hi.

It is my pleasure to help you.

Surf safely.

Since the problem appears to be resolved, it will now be archived.


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Copyright 2001 - 2009, Tech Support Forum