Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads


Need Help Removing "Personal Antivirus" (Rogue)



 
 
Old 10-13-2009, 10:34 AM   #1
Registered Member
 
Join Date: Sep 2007
Location: Chicago
Posts: 83
OS: Win 7 Pro 64



Hello,

A Friend of mine asked me to look at their computer because they thought they had a virus.


You guys have helped me before and after looking in to their PC and doing a little research, I realized I would need your help again.

This rogue antivirus program called Personal Antivirus is on their computer. It keeps telling them they have a trojan and they need to "click here" to fix it. And of course, they want a credit card to bill you for "more files".

The other odd thing is that it appears to be blocking access to the internet. I'll try to access a random web page or even their DSL modem and it behaves as if it's "trying" to go to the requested address, but then it comes up with a blank page and at the top it says "blocked".

They've got all kinds of crap software on here like different toolbars that I'd like to get rid of, as well as some sort of proprietary browser from Comcast (and they no longer have cable, they switched to DSL).

I took their computer home as I know this is going to be a few days worth of going back and forth and I've got it set up next to me. (isolated from my network).

Per the instructions, here is the text from DDS.txt ...


DDS (Ver_09-10-13.01) - NTFSx86
Run by JoviFan123 at 20:18:52.18 on Mon 10/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.123 [GMT -5:00]

AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\NetFilter.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JoviFan123\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer presented by Comcast
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {4115122b-85ff-4dd3-9515-f075bede5eb5} - PBlockadeHelper Class
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: &Helper: {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Gamevance Text: {beac7dc8-e106-4c6a-931e-5a42e7362883} - c:\program files\gamevance\gvtl.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: IEFriendly Class: {d240dc29-c093-4388-b71f-a7103c796b0c} - c:\program files\oemji\oemjisearchplus\OemjiPls.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar1.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: {804DB5C7-31E6-4885-850A-F1941B58A4C7} - No File
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar1.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,[email protected]
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [PrnSys Executable] c:\program files\hp\digital imaging\hp print screen\PrnSys.exe
mRun: [MSDRV] NetFilter.exe
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Gamevance] c:\program files\gamevance\gamevance32.exe a
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [blrjjlcc] c:\windows\system32\akussorp.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxps://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - hxxps://secure.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: hnuhisgs - c:\documents and settings\jovifan123\application data\hnuhisgs.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-10-12 20:09 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-10-12 20:09 21,504 a------- c:\windows\system32\hidserv.dll
2009-10-12 17:25 <DIR> --dsh--- c:\documents and settings\jovifan123\IECompatCache
2009-10-08 13:19 <DIR> --d----- c:\docume~1\jovifa~1\applic~1\AOL

==================== Find3M ====================

2009-08-05 09:45 299,028 a--sh--- c:\docume~1\jovifa~1\applic~1\hnuhisgs.dll
2009-08-05 09:45 32,276 a------- c:\windows\system32\PSetup.exe
2009-07-29 17:11 379,392 a------- c:\windows\system32\msxmlm.dll
2009-07-28 12:51 122,880 a------- c:\windows\system32\NetFilter.exe

============= FINISH: 20:19:54.09 ===============


Also worth noting, I misunderstood the instructions for GMER. I missed the part about "If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.. "

I accidentally followed the instructions for a more complete scan even though I did NOT see any warning about rootkit activity. I'd be happy to rerun it without doing that if it makes it easier on you.


Ark.txt and attach.txt are in the attachment attach.zip

Thanks in advance for your help!
Attached Files
File Type: zip Attach.zip (5.3 KB, 16 views)
Lord_Mort is offline  
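Added example, not part of the thread and not code from the DDS or ComboFix tools: a small Python script that applies, mechanically, the checks a log helper makes by eye on the Pseudo HJT Report above. The rule names, severities and thresholds are my own assumptions, and the SAMPLE lines are excerpted from the DDS log in this post. It flags a Winlogon Notify DLL living under a user profile (hnuhisgs.dll), a Run value whose name and file name are both random-looking lowercase runs (blrjjlcc -> akussorp.exe), a hidden+system file under a profile, Run values given as bare file names (resolved through PATH search at logon), orphaned BHO/TB/EB entries, any AppInit_DLLs value, and any autostart whose target also appears in the recently-written file list (NetFilter.exe, msxmlm.dll, hnuhisgs.dll).

```python
# Added example, not from the thread or the DDS/ComboFix tools: heuristic triage of
# DDS "Pseudo HJT Report" lines. Rule names, severities and thresholds are my own
# assumptions; SAMPLE is excerpted from the log posted above.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high", "medium" or "low"
    line: str

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BROWSER_RE = re.compile(r"^(?:BHO|TB|EB): (?P<rest>.*)$")
NOTIFY_RE = re.compile(r"^Notify: \S+ - (?P<target>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: \S")
# "Created Last 30" / "Find3M" rows: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+"
                     r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
PROFILE_RE = re.compile(r"\\(?:documents and settings|docume~1)\\", re.I)
LOWER_WORD_RE = re.compile(r"^[a-z]{6,10}$")

def first_token(cmd):
    """Executable part of a Run value: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def unrelated_random_pair(name, filename):
    """Value name and file stem are both lowercase runs that share no trigram
    (flags blrjjlcc -> akussorp.exe, leaves hpsysdrv -> hpsysdrv.exe alone)."""
    stem = filename.rsplit(".", 1)[0]
    if not (LOWER_WORD_RE.match(name) and LOWER_WORD_RE.match(stem)):
        return False
    trigrams = {name[i:i + 3] for i in range(len(name) - 2)}
    return not any(stem[i:i + 3] in trigrams for i in range(len(stem) - 2))

def triage(log_text):
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings, recent = [], set()
    # Pass 1: recently written files, so autostart entries can be correlated with them.
    for ln in lines:
        if (m := FILE_RE.match(ln)) and m["size"] != "<DIR>":
            recent.add(basename(m["path"]))
            if "s" in m["attrs"] and "h" in m["attrs"] and PROFILE_RE.search(m["path"]):
                findings.append(Finding("hidden_system_file_in_profile", "high", ln))
    # Pass 2: autostart and browser hook entries.
    for ln in lines:
        target = ""
        if m := RUN_RE.match(ln):
            target = first_token(m["cmd"])
            if target and "\\" not in target:  # bare name: found via PATH search at logon
                findings.append(Finding("run_bare_filename", "low", ln))
            if target and unrelated_random_pair(m["name"], basename(target)):
                findings.append(Finding("run_random_name", "high", ln))
        elif m := BROWSER_RE.match(ln):
            tail = m["rest"].rsplit(" - ", 1)[-1]
            if tail == "No File":
                findings.append(Finding("orphaned_browser_object", "low", ln))
            elif "\\" in tail:
                target = tail
        elif m := NOTIFY_RE.match(ln):
            target = m["target"]
            if PROFILE_RE.search(target):  # Notify DLLs load into winlogon.exe as SYSTEM
                findings.append(Finding("winlogon_notify_in_profile", "high", ln))
        elif APPINIT_RE.match(ln):
            findings.append(Finding("appinit_dll_present", "low", ln))
        if target and basename(target) in recent:
            findings.append(Finding("autostart_points_to_recent_file", "medium", ln))
    return findings

def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

SAMPLE = r'''
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: &Helper: {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
TB: {804DB5C7-31E6-4885-850A-F1941B58A4C7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [VTTimer] VTTimer.exe
mRun: [MSDRV] NetFilter.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [blrjjlcc] c:\windows\system32\akussorp.exe
Notify: hnuhisgs - c:\documents and settings\jovifan123\application data\hnuhisgs.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
2009-10-12 17:25 <DIR> --dsh--- c:\documents and settings\jovifan123\IECompatCache
2009-08-05 09:45 299,028 a--sh--- c:\docume~1\jovifa~1\applic~1\hnuhisgs.dll
2009-07-29 17:11 379,392 a------- c:\windows\system32\msxmlm.dll
2009-07-28 12:51 122,880 a------- c:\windows\system32\NetFilter.exe
'''

if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE), key=lambda f: rank[f.severity]):
        print(f"[{f.severity:6}] {f.rule:32} {f.line}")
```

Run as a script it prints the findings ordered by severity. These are triage hints for a human reader, not verdicts: the trigram check deliberately leaves a vendor utility such as hpsysdrv alone, and the "recent file" correlation only says an autostart points at something written in the last few months, which is exactly the combination (NetFilter.exe, msxmlm.dll, hnuhisgs.dll) that ComboFix later removed or left loaded in winlogon.exe in this thread.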
Old 10-16-2009, 05:06 PM   #2



This is the friendly 72 hour bump.
Lord_Mort is offline  
Old 10-17-2009, 05:00 PM   #3
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hi -

Just to clarify

The machine has no internet access currently?

Do you have a USB stick or CD/R to transfer tools to the affected machine?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 10-17-2009, 05:22 PM   #4



Hi, yes, that is correct. I am using a CD-RW to transfer the files.
Lord_Mort is offline  
Old 10-17-2009, 06:46 PM   #5



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download these files, and transfer them to the affected machine.

Please do this:
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Place combofix.exe on your Desktop


    Next, please do this:

    Go to Microsoft's website and download this file:

    https://www.microsoft.com/downloads/d...displaylang=en

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

    As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  2. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  4. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 10-17-2009, 07:15 PM   #6



I had a slight problem and I wanted to tell you about it before I proceed.

There was a combofix in MY D/L folder already from the last time you helped me. I still downloaded from the link you provided me, but my machine automatically named it combofix(2). I moved it to the other machine and when I dropped the MS file on there it gave me an error saying I cannot rename it to combofix(2), please rename it to an alphanumeric format.
I assume WinXP (his machine) did not like the way Vista (my machine) renamed the file with the parentheses but I want to be very careful so I'm stopping here.

Is it okay to just rename combofix(2) to combofix and try again?
Lord_Mort is offline  
Old 10-17-2009, 07:19 PM   #7



Quote:
There was a combofix in MY D/L folder already from the last time you helped me
Delete it, please. Old versions should never be kept around.

Quote:
Is it okay to just rename combofix(2) to combofix and try again?
Should be ok to rename. ( ) are not acceptable characters. Windows will do that automatically if downloaded, usually via Firefox, without an option to save the file where you choose. When given such an option, usually we're given the choice to overwrite the existing file of the same name.
tetonbob is offline  
Old 10-17-2009, 07:52 PM   #8



It "appears" to have locked up. It generated the log file, but when I tried to save it, it just froze. The mouse cursor still moves but it's an hourglass. It's been about 5 minutes, how long should I give it?
Lord_Mort is offline  
Old 10-17-2009, 07:55 PM   #9



ComboFix completed its run, the log.txt opened....and now, the machine is hung up?

If so.....

Can you access task manager? Kill the notepad file, the log is already saved at C:\ComboFix.txt
tetonbob is offline  
Old 10-17-2009, 08:03 PM   #10



I can access task manager, and I closed notepad but it's still hung up. It's almost as if windows didn't load right. The notepad screen is still displayed even though the program is no longer running.

I probably just need to reboot, but I don't want to do anything without your approval.
Lord_Mort is offline  
Old 10-17-2009, 08:07 PM   #11



Any .cfexe processes showing in taskmgr? If so, end process on them as well. Or other unusual names? Let me know. I don't like to force a reboot but if that's the only option....
tetonbob is offline  
Old 10-17-2009, 08:08 PM   #12



No, everything is an exe except System and System Idle Process.
Lord_Mort is offline  
Old 10-17-2009, 08:10 PM   #13



You know what, I saw earlier after the re-boot that a program called Dr. Watson encountered an error and had to close yet I see "drwtsn32.exe" in here twice. Should I end them?
Lord_Mort is offline  
Old 10-17-2009, 08:11 PM   #14



As long as the Recovery Console successfully installed, and ComboFix went through its entire routine of creating a System Restore point and an ERUNT registry backup, and if it seems the machine is just hung and nothing else will work, go ahead and restart.

Hmmm, just saw your last post...end DrWatson, see what happens...
tetonbob is offline  
Old 10-17-2009, 08:13 PM   #15



Yup that was it. Here is the log....

ComboFix 09-10-16.09 - JoviFan123 10/17/2009 21:25.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.162 [GMT -5:00]
Running from: c:\documents and settings\JoviFan123\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JoviFan123\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JOVIFA~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\JoviFan123\Desktop\Personal Antivirus.lnk
c:\program files\Gamevance\gaMEvancelib32.dll
c:\program files\Gamevance\gvTL.dll
c:\program files\oemji
c:\program files\oemji\INSTALL.LOG
c:\program files\oemji\Oemji.ico
c:\program files\oemji\oemji.ini
c:\program files\oemji\OemjiSearchPlus\OemjiSearchPlus.ini
c:\program files\oemji\OemjiSearchPlus\Unreg.bat
c:\program files\oemji\OemjiUninstall.exe
c:\program files\oemji\referral.htm
c:\program files\oemji\Toolbar\OemjiSrc.dll
c:\program files\oemji\Toolbar\PopupBlocker\BlockLst.dat
c:\program files\oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.chm
c:\program files\oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
c:\program files\oemji\Toolbar\WebPoi.dll
c:\program files\oemji\UNWISE.EXE
c:\program files\oemji\watermark.bmp
c:\program files\oemji\wse.ini
c:\recycler\S-1-5-21-3648271971-337509874-1570237250-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\8abe8.msi
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\msxmlm.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\NetFilter.exe
c:\windows\system32\ps2.bat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-13 01:09 . 2004-08-04 06:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-10-13 01:09 . 2004-08-04 06:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-sh--w- c:\documents and settings\JoviFan123\IECompatCache
2009-10-08 18:19 . 2009-10-08 18:19 -------- d-----w- c:\documents and settings\JoviFan123\Application Data\AOL
2009-10-08 18:18 . 2009-10-08 18:18 -------- d-----w- c:\documents and settings\JoviFan123\Application Data\Sonic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:34 . 2009-07-29 22:04 -------- d-----w- c:\program files\Gamevance
2009-10-08 17:47 . 2004-04-01 08:50 -------- d-----w- c:\program files\Quicken
2009-09-30 13:54 . 2007-01-17 13:53 -------- d-----w- c:\program files\Lx_cats
2009-08-05 14:45 . 2009-08-05 14:45 299028 --sha-w- c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll
2009-08-05 14:45 . 2009-08-05 14:45 32276 ----a-w- c:\windows\system32\PSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-24 185896]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-04-01 32881]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-01 98304]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Gamevance"="c:\program files\Gamevance\gamevance32.exe" [2009-07-29 105984]
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-10-1 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hnuhisgs]
2009-08-05 14:45 299028 --sha-w- c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129494659\\ee\\AOLServiceHost.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129494659\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-blrjjlcc - c:\windows\System32\akussorp.exe
AddRemove-Oemji Toolbar - c:\program files\Oemji\OemjiUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-10-17 21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'Explorer.EXE'(344)
c:\windows\system32\WININET.dll
c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopCommon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\gearsec.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\combofix\hidec.exe
c:\windows\system32\drwtsn32.exe
c:\windows\system32\drwtsn32.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-10-18 21:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 02:44

Pre-Run: 135,525,109,760 bytes free
Post-Run: 135,833,554,944 bytes free

208 --- E O F --- 2009-10-12 23:33
Lord_Mort is offline  
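The ComboFix log above carries three indicator types that a defender would look for first: Windows Security Center monitoring switched off in the registry (a common rogue-AV move to silence the real product's warnings), a randomly named DLL from the user's Application Data folder loaded into winlogon.exe and Explorer.EXE, and a Run entry with a machine-generated name pointing at a lookalike in System32. The following is an added triage script, not code from the thread or from ComboFix; the sample log is constructed from lines quoted in the post, and the rule names, the allow-list of system processes and the "looks random" heuristic are this example's own choices.

```python
"""Triage a ComboFix/DDS-style text log for rogue-AV indicators (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: excerpts of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-blrjjlcc - c:\windows\System32\akussorp.exe

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'Explorer.EXE'(344)
c:\windows\system32\WININET.dll
c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopCommon.dll
"""


@dataclass
class Finding:
    rule: str
    detail: str


SECURITY_CENTER_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring", re.I)
DISABLE_MONITORING = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
PROCESS_HEADER = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)-Run-(?P<name>\S+) - (?P<target>.+)$")
# Locations an unprivileged user can write to; a DLL loaded from here into a
# system process is a strong review item.
USER_WRITABLE = re.compile(r"\\(application data|local settings\\temp|temp)\\", re.I)
SYSTEM_PROCESSES = {"winlogon.exe", "explorer.exe", "services.exe", "lsass.exe", "svchost.exe"}
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Weak lexical heuristic for machine-generated names: alphabetic, 6+ chars,
    and either vowel-free or containing a run of 4+ consonants. Tune to taste."""
    if not name.isalpha() or len(name) < 6:
        return False
    lowered = name.lower()
    if not any(ch in VOWELS for ch in lowered):
        return True
    longest = run = 0
    for ch in lowered:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = None   # last registry key header seen
    current_proc = None  # process whose DLL list we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_HEADER.match(line)
        if m:
            current_proc = m.group("proc")
            continue
        if line.startswith("-"):          # any other section divider ends both contexts
            current_key = current_proc = None
            continue
        if line.startswith("["):
            current_key = line
            continue
        # Rule 1: Security Center monitoring disabled. Some AV vendors set the
        # per-product subkeys themselves, so report for review, not as a verdict.
        if current_key and SECURITY_CENTER_KEY.match(current_key) and DISABLE_MONITORING.match(line):
            findings.append(Finding("security-center-disabled", current_key.strip("[]")))
            continue
        # Rule 2: DLL from a user-writable path inside a system process.
        if current_proc and line.lower().endswith(".dll"):
            if current_proc.lower() in SYSTEM_PROCESSES and USER_WRITABLE.search(line):
                findings.append(Finding("user-writable-dll-in-system-process", f"{current_proc}: {line}"))
            continue
        # Rule 3: autostart entry whose value name looks machine-generated.
        m = RUN_ENTRY.match(line)
        if m and looks_random(m.group("name")):
            findings.append(Finding("random-named-run-entry", f"{m.group('name')} -> {m.group('target')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample it reports both Security Center keys, the hnuhisgs.dll load in winlogon.exe and Explorer.EXE, and the blrjjlcc Run entry, while leaving the Weather Channel and Google Desktop entries alone. The heuristics are deliberately narrow; the point is to turn a long log into a short review list, not to replace the analyst.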
Old 10-17-2009, 08:19 PM   #16
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Great! Good thinking.


Will we be able to connect this machine to the internet directly at any time during the course of these procedures? Some steps I'd like to take will be easier with, or will require, an active internet connection.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
Old 10-17-2009, 08:20 PM   #17
Registered Member
 
Join Date: Sep 2007
Location: Chicago
Posts: 83
OS: Win 7 Pro 64



Quote:
Originally Posted by tetonbob
Great! Good thinking.

Thanks!


Yeah, that's do-able. I could just take the ethernet cable out of my PC and put it in his.
Old 10-17-2009, 08:24 PM   #18
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Ok, great. These files are most likely malware, but I'd like to see if so, and what family, before collecting samples in the next step. So, first.....

Connect the machine to the 'net

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\documents and settings\JoviFan123\Application Data\hnuhisgs.dll


  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.
  • Please repeat for the following files:

    • c:\windows\system32\PSetup.exe
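Before uploading a suspect file anywhere, it is worth hashing it locally: VirusTotal and most sandboxes can be searched by hash, so a known file can be checked without sending it, and the hashes give you a fingerprint to record alongside the sample. This is an added example, not code from the thread; the chunked reader is the only technique shown, and the hash-lookup URL form is an assumption of this example rather than anything the post states.

```python
"""Hash a suspect file (MD5/SHA-1/SHA-256) before submitting it (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 16  # read 64 KiB at a time so large binaries never load fully into memory


def hash_file(path: Path) -> Dict[str, str]:
    """Return hex digests for the file at `path`, reading it once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def lookup_url(sha256: str) -> str:
    """Assumed URL form for a by-hash lookup; check it against the service you use."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def demo() -> Dict[str, str]:
    """Write a constructed three-byte file and hash it; stands in for a real suspect path
    such as the hnuhisgs.dll named in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"abc")  # constructed content, not a real sample
        return hash_file(sample)


if __name__ == "__main__":
    digests = demo()
    for name, value in digests.items():
        print(f"{name}: {value}")
    print(lookup_url(digests["sha256"]))
```

Replace the temporary file in `demo()` with the real path to hash an actual file; keep the digests with the sample so anyone following up can verify they are looking at the same file.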
Old 10-17-2009, 08:39 PM   #19
Registered Member
 
Join Date: Sep 2007
Location: Chicago
Posts: 83
OS: Win 7 Pro 64



This is weird... it won't let me paste ANYTHING into the text field next to the browse button. So, I tried to USE the browse button to get to the file but I do not see an "Application Data" folder in C:\Docs & Settings\jovifan123
Old 10-17-2009, 08:40 PM   #20
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Make sure Hidden Folders and Files are enabled.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.