Discussion Starter #1
Hi there,

I am trying to help a friend fix his computer and it appears it is infected with some sort of virus or worm... (I think he clicked on an attachment to an email disguised as either a read receipt for an email or a DHL delivery receipt - unfortunately, both attachments seem somewhat plausible!) - and it has been running slow ever since. Also, task manager refuses to launch, making it difficult to stop running applications.

He has anti-virus installed (CA) and has recently installed Microsoft software (i.e. Windows Defender). Anyway, after the logon prompt, a dialog box with the label 'Spyware Alert' advises that Worm.Win32.Netsky is detected on the machine. After that, a dialog headed 'RUNDLL' advises that C:\Windows\alifijoc.dll could not be found. Then a Windows Defender warning advises that Trojandownloader:Win32/Fakeinit has been found.

The PC is an HP laptop running Win XP Pro SP3.

The DDS log is pasted below and the Attach.txt and ark.txt files are attached.

Thank you so much in advance for any assistance you can provide.

______________________________________________________________


DDS (Ver_09-12-01.01) - NTFSx86
Run by Manny Hill at 22:10:59.07 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.264 [GMT 11:00]

AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\Manny Hill\Desktop\dds.scr
C:\Program Files\Google\Update\GoogleUpdate.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.news.com.au/heraldsun/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [TFNF5] TFNF5.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TFncKy] TFncKy.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio se dvd\uvPL.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Iboxukem] rundll32.exe "c:\windows\alifijoc.dll",Startup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mannyh~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91120000-0031-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli psqlpwd dbdbdtic.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mannyh~1\applic~1\mozilla\firefox\profiles\23pcjfso.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.news.com.au/heraldsun/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {6CAD369F-89A0-446C-B5CF-A28FAAE84EAE} - c:\documents and settings\manny hill\local settings\application data\{6cad369f-89a0-446c-b5cf-a28faae84eae}\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-10-21 107000]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-3-23 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-10 6528]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-8-6 72184]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-9-11 5888]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-10 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-10 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-10 739696]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-10 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-10 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-10 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-1-10 128240]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-2-28 53032]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-27 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-9-11 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-20 134016]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-9-10 1141240]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-10-21 801272]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-9-2 289272]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-10 292080]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-23 35968]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-10-21 203768]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-10 133520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-9 135664]

=============== Created Last 30 ================

2010-01-21 11:01:45 0 ----a-w- c:\windows\system32\helper32.dll
2010-01-21 10:38:20 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-21 08:45:43 0 ----a-w- c:\windows\system32\18467.exe
2010-01-21 08:21:12 120 ----a-w- c:\windows\Gyoguriz.dat
2010-01-21 08:21:12 0 ----a-w- c:\windows\Ywopohofusoc.bin
2010-01-21 08:18:02 0 ----a-w- c:\windows\system32\41.exe
2010-01-21 08:17:34 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-21 08:17:21 2931 ----a-w- c:\windows\system32\warning.html
2010-01-21 08:17:20 31232 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-21 08:17:20 31232 ----a-w- c:\windows\system32\smss32.exe
2010-01-13 08:10:28 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-21 07:52:13 8 ----a-w- c:\docume~1\mannyh~1\applic~1\avdrn.dat
2010-01-14 00:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-11-26 21:06:53 111856 ----a-w- c:\windows\system32\isafprod.dll

============= FINISH: 22:11:43.04 ===============
Hello and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
Hello jakster123,

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any open browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

=========================================================

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

=========================================================

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

=========================================================

I see that you have two Antivirus Programs installed.

CA Anti-Virus
Microsoft Security Essentials


Please choose one and uninstall the other via Add/Remove Programs in the Control Panel.

It may seem like more protection but they will conflict with each other causing system slowdowns and instability.

=========================================================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

To disable CA Anti-Virus:

  1. Right click on CA Antivirus icon near the clock (a shield).
  2. Click on CA Anti-Virus > Snooze Anti-Virus Protection.
  3. When prompted, enter in 30 and click on Snooze.
Get help with disabling other protection programs Here

Please include the C:\ComboFix.txt in your next reply for further review.
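The analysis above rests on a few lines of the DDS log in the first post: the Userinit value, the autoruns named after core system processes, the rundll32 entry loading a DLL from the Windows root, the DisableTaskMgr policy that matches the "task manager refuses to launch" symptom, and the two AV: headers. As an added example (not code from the thread or from the DDS tool), this Python script applies those checks to a constructed excerpt of that log; the default Userinit path it compares against and the list of imitated process names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines quoted from the DDS log in the first
# post (the AV header plus "Pseudo HJT Report" entries), not the whole log.
SAMPLE_DDS = r"""
AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Iboxukem] rundll32.exe "c:\windows\alifijoc.dll",Startup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
uPolicies-system: DisableTaskMgr = 1 (0x1)
"""

# Assumption: core Windows process names that malware imitates by appending
# digits or suffixes (smss32.exe, winlogon32.exe); an exact match is normal.
CORE_NAMES = ("smss", "csrss", "winlogon", "lsass", "services", "svchost", "userinit")
# Assumption: the stock XP Userinit value, compared case-insensitively
# after stripping the trailing comma DDS may or may not show.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# A quoted path (may contain spaces) or an unquoted one (stops at space/comma).
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s,]+)', re.IGNORECASE)


def lookalike(stem):
    """True when a file stem imitates a core process name without matching it."""
    s = stem.lower()
    return any(s.startswith(n) and s != n for n in CORE_NAMES)


def check_line(line):
    """Return (severity, reason) for one DDS line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith("mWinlogon: Userinit="):
        value = line.split("=", 1)[1].rstrip(",").lower()
        if value != DEFAULT_USERINIT:
            return ("high", "Userinit replaced: logon chain starts %s instead of userinit.exe" % value)
    elif line.startswith(("uRun:", "mRun:", "dRun:")):
        paths = [PureWindowsPath(a or b) for a, b in PATH_RE.findall(line)]
        if "rundll32" in line.lower():
            dlls = [p for p in paths if p.suffix.lower() == ".dll"]
            # Legitimate DLLs for rundll32 autoruns live under system32 or a
            # program directory, not directly in the Windows root.
            if dlls and str(dlls[0].parent).lower() == r"c:\windows":
                return ("high", "rundll32 autorun loads %s from the Windows root, not system32" % dlls[0].name)
        for p in paths:
            if lookalike(p.stem):
                return ("high", "autorun image %s imitates a core Windows process name" % p.name)
    elif "DisableTaskMgr = 1" in line:
        return ("medium", "policy disables Task Manager (explains 'task manager refuses to launch')")
    return None


def triage(text):
    """Run every check over a DDS log and return the findings in log order."""
    findings = []
    av_products = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("AV:"):
            # "AV: <product> *On-access scanning enabled* (Outdated) {GUID}"
            name = line[3:].split("*", 1)[0].strip()
            av_products.append(name)
            if "(Outdated)" in line:
                findings.append(("low", "%s signatures are out of date" % name))
            continue
        hit = check_line(line)
        if hit:
            findings.append(hit)
    if len(av_products) > 1:
        findings.append(("medium", "%d real-time AV products installed (%s); they will conflict"
                         % (len(av_products), ", ".join(av_products))))
    return findings


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_DDS):
        print("[%-6s] %s" % (severity, reason))
```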
Discussion Starter #4
Hi there,

Thanks so much for the response... I have managed to run ComboFix and have attached the log file combofix.txt.

Cheers,
Jack.


ComboFix 10-02-03.04 - Manny Hill 04/02/2010 19:20:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.331 [GMT 11:00]
Running from: c:\documents and settings\Manny Hill\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Manny Hill\Application Data\avdrn.dat
c:\documents and settings\Manny Hill\Local Settings\Application Data\{6CAD369F-89A0-446C-B5CF-A28FAAE84EAE}
c:\documents and settings\Manny Hill\Local Settings\Application Data\{6CAD369F-89A0-446C-B5CF-A28FAAE84EAE}\chrome.manifest
c:\documents and settings\Manny Hill\Local Settings\Application Data\{6CAD369F-89A0-446C-B5CF-A28FAAE84EAE}\chrome\content\_cfg.js
c:\documents and settings\Manny Hill\Local Settings\Application Data\{6CAD369F-89A0-446C-B5CF-A28FAAE84EAE}\chrome\content\overlay.xul
c:\documents and settings\Manny Hill\Local Settings\Application Data\{6CAD369F-89A0-446C-B5CF-A28FAAE84EAE}\install.rdf
c:\windows\EventSystem.log
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\smss32.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 08:13 . 2010-02-04 08:13 -------- d-----w- c:\windows\LastGood
2010-02-04 08:13 . 2009-08-06 08:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-04 08:13 . 2009-08-06 08:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-21 08:21 . 2010-01-21 08:21 120 ----a-w- c:\windows\Gyoguriz.dat
2010-01-21 08:21 . 2010-01-21 08:21 0 ----a-w- c:\windows\Ywopohofusoc.bin
2010-01-13 08:10 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 12:11 . 2010-01-09 12:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-09 12:06 . 2010-01-09 12:08 -------- d-----w- c:\documents and settings\Manny Hill\Local Settings\Application Data\Temp
2010-01-09 12:06 . 2010-01-09 12:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 09:34 . 2009-02-24 11:01 -------- d-----w- c:\program files\LimeWire
2010-02-01 22:27 . 2009-02-24 11:01 -------- d-----w- c:\documents and settings\Manny Hill\Application Data\LimeWire
2010-01-21 08:17 . 2010-01-21 08:17 8 ----a-w- c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat
2010-01-14 09:55 . 2007-12-28 07:48 -------- d-----w- c:\documents and settings\Manny Hill\Application Data\Apple Computer
2010-01-14 09:55 . 2009-10-30 10:35 -------- d-----w- c:\program files\iTunes
2010-01-14 00:12 . 2009-10-02 22:59 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 12:09 . 2008-02-02 11:38 -------- d-----w- c:\program files\Google
2009-12-10 08:51 . 2009-12-10 08:51 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-05 12:00 . 2009-01-10 14:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-26 21:06 . 2009-01-10 10:32 111856 ----a-w- c:\windows\system32\isafprod.dll
2009-11-21 15:51 . 2007-04-22 19:43 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 04:04 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-08 68856]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-25 95632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-28 126976]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"TFncKy"="TFncKy.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-02-28 2049320]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"NDSTray.exe"="NDSTray.exe" [BU]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-10 374000]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-11-26 271600]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\Manny Hill\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2007-4-28 845584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 05:46 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 07:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd dbdbdtic.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [21/10/2008 1:36 PM 107000]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [23/03/2007 7:07 AM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [10/03/2007 9:23 AM 6528]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/08/2008 12:42 PM 72184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/09/2007 10:53 AM 5888]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [10/01/2009 9:32 PM 128240]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/05/2006 7:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/05/2006 6:59 PM 33024]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [28/02/2008 3:04 PM 53032]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/05/2006 6:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [27/03/2007 6:22 AM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/09/2007 10:53 AM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [20/02/2007 6:15 AM 134016]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/09/2008 11:52 AM 1141240]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [21/10/2008 1:36 PM 801272]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2/09/2008 1:53 PM 289272]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 8:19 PM 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23/04/2007 7:20 AM 35968]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [21/10/2008 1:36 PM 203768]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/01/2010 11:06 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 01:34]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 12:06]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 12:06]

2010-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:20]

2010-02-04 c:\windows\Tasks\User_Feed_Synchronization-{7368AE2D-EF80-4EAC-BF6D-CC483A457ABB}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.news.com.au/heraldsun/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Manny Hill\Application Data\Mozilla\Firefox\Profiles\23pcjfso.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.news.com.au/heraldsun/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKLM-Run-Iboxukem - c:\windows\alifijoc.dll
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\uninstall_plugin.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1660)
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(1892)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\dbdbdtic.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-04 19:31:11
ComboFix-quarantined-files.txt 2010-02-04 08:31

Pre-Run: 45,954,588,672 bytes free
Post-Run: 50,192,273,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

- - End Of File - - C542DD943DA6182F89A7448BD14C3D12
 

Attachments
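The log above ends with c:\windows\dbdbdtic.dll loaded into lsass.exe, the file the next reply asks to have scanned; like the alifijoc.dll orphan earlier in the same log, it sits directly in the Windows directory rather than in system32 or a vendor folder. The Python script below is an added example, not code from this thread or from ComboFix: it parses the "DLLs Loaded Under Running Processes" section of a ComboFix log and flags any module that winlogon.exe or lsass.exe loaded from the Windows directory root. The embedded log excerpt is copied from the log above; the list of sensitive processes is an assumption of the example.

```python
# Added example (not from the thread or from ComboFix): triage the
# "DLLs Loaded Under Running Processes" section of a ComboFix log and flag
# modules that sensitive processes loaded from the Windows directory root.
import re
from typing import List, Optional, Tuple

# Constructed excerpt, copied from the ComboFix log in the thread.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1660)
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'lsass.exe'(1892)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\dbdbdtic.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-04 19:31:11
"""

# "- - - - - - - > 'lsass.exe'(1892)" -> process name and PID
HEADER_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
SECTION_TITLE = "DLLs Loaded Under Running Processes"
WINDOWS_ROOT = "c:\\windows"
# Processes whose module list deserves a close look (assumption of the example).
SENSITIVE = ("winlogon.exe", "lsass.exe")


def parse_modules(log_text: str) -> List[Tuple[str, int, str]]:
    """Return (process, pid, module_path) for every module in the section."""
    rows: List[Tuple[str, int, str]] = []
    process: Optional[str] = None
    pid = 0
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_TITLE in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":            # ComboFix closes the section with a lone dot
            break
        m = HEADER_RE.match(line)
        if m:
            process, pid = m.group(1), int(m.group(2))
            continue
        if process is not None and line:
            rows.append((process, pid, line))
    return rows


def in_windows_root(path: str) -> bool:
    """True when the module sits directly in the Windows directory, not in
    system32 or any other subdirectory (the pattern shared by dbdbdtic.dll
    and the alifijoc.dll orphan in the log)."""
    normalised = path.lower().replace("/", "\\")
    directory, _, _name = normalised.rpartition("\\")
    return directory == WINDOWS_ROOT


def suspicious_modules(log_text: str,
                       sensitive: Tuple[str, ...] = SENSITIVE) -> List[Tuple[str, int, str]]:
    """Modules that a sensitive process loaded from the Windows directory root."""
    return [(proc, pid, path)
            for proc, pid, path in parse_modules(log_text)
            if proc.lower() in sensitive and in_windows_root(path)]


if __name__ == "__main__":
    for proc, pid, path in suspicious_modules(SAMPLE_LOG):
        print(f"{proc} (pid {pid}) loaded {path} from the Windows directory root")
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; the heuristic is deliberately narrow (location only), so treat a hit as a lead to look up the file, not as a verdict.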

Registered · 426 Posts
Please go to: VirusTotal

  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:
c:\windows\dbdbdtic.dll

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply, or simply provide the link to the results page.
 

Registered · 9 Posts
Discussion Starter #6
Hi,

I have now scanned the file at virustotal.... here is a link to the results:

http://www.virustotal.com/analisis/57b9da646e63769291873075bf2e9147437cdc59829616eb4f79196a94b46f53-1265325733

I have also pasted the results below for convenience.

Sorry for the slow response... we are obviously in different time zones and I am limited as to when I can respond while at work. However, thank you so much for your time and patience.

Cheers,
Jack.


File dbdbdtic.dll received on 2010.02.04 23:22:13 (UTC)
Current status: Finished
Result: 14/40 (35%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.04 Trojan.Packed.Hiloti!IK
AhnLab-V3 5.0.0.2 2010.02.04 -
AntiVir 7.9.1.158 2010.02.04 TR/Hiloti.38912D.10
Antiy-AVL 2.0.3.7 2010.02.04 -
Authentium 5.2.0.5 2010.02.04 -
Avast 4.8.1351.0 2010.02.04 Win32:Malware-gen
AVG 9.0.0.730 2010.02.04 Hiloti.L
BitDefender 7.2 2010.02.04 -
CAT-QuickHeal 10.00 2010.02.04 -
ClamAV 0.96.0.0-git 2010.02.04 -
Comodo 3821 2010.02.04 -
DrWeb 5.0.1.12222 2010.02.04 -
eSafe 7.0.17.0 2010.02.04 -
eTrust-Vet 35.2.7283 2010.02.04 -
F-Prot 4.5.1.85 2010.02.05 -
F-Secure 9.0.15370.0 2010.02.04 Packed:W32/Mufanom.A
Fortinet 4.0.14.0 2010.02.04 -
GData 19 2010.02.05 Win32:Malware-gen
Ikarus T3.1.1.80.0 2010.02.04 Trojan.Packed.Hiloti
Jiangmin 13.0.900 2010.02.04 -
K7AntiVirus 7.10.966 2010.02.03 -
Kaspersky 7.0.0.125 2010.02.05 -
McAfee 5882 2010.02.04 -
McAfee+Artemis 5882 2010.02.04 -
McAfee-GW-Edition 6.8.5 2010.02.04 Trojan.Hiloti.38912D.10
Microsoft 1.5406 2010.02.05 Trojan:Win32/Hiloti.gen!D
NOD32 4836 2010.02.04 a variant of Win32/Cimag.BM
Norman 6.04.03 2010.02.04 -
nProtect 2009.1.8.0 2010.02.04 -
Panda 10.0.2.2 2010.02.04 Suspicious file
PCTools 7.0.3.5 2010.02.04 -
Prevx 3.0 2010.02.05 Low Risk Adware
Rising 22.33.03.04 2010.02.04 -
Sophos 4.50.0 2010.02.04 -
Sunbelt 3.2.1858.2 2010.02.04 -
TheHacker 6.5.1.0.180 2010.02.04 -
TrendMicro 9.120.0.1004 2010.02.04 -
VBA32 3.12.12.1 2010.02.04 Bscope.Malware-Cryptor.Tip
ViRobot 2010.2.4.2172 2010.02.04 -
VirusBuster 5.0.21.0 2010.02.04 Trojan.Hiloti.EFC
Additional information
File size: 38912 bytes
MD5...: e9bc101b62785f00d8da804c530984a4
SHA1..: 36bc4f8f6f147034dc60b791eaef93a8da9a7d7e
SHA256: 57b9da646e63769291873075bf2e9147437cdc59829616eb4f79196a94b46f53
ssdeep: 768:v88UCP2Kcb3nl2F9vCAs7UqTvKmvxUBhfi4SHpQl:IKqyZps7UqTvKmvx2Xl
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4fcc
timedatestamp.....: 0x4a85fb9f (Sat Aug 15 00:04:47 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8000 0x7400 7.56 870d9e2c84367f059e6ea315c6ae1f12
.data 0x9000 0x2000 0x1a00 6.94 8517b374655b3a1d71f71fbce660ca6d
.rsrc 0xb000 0x1000 0x400 3.12 efb5e6525d488ddcc2462b984a38c383
.reloc 0xc000 0x1000 0x200 1.88 7feb3df76fb272fff35972d28bad6ec5

( 4 imports )
> KERNEL32.dll: CloseHandle, ExitProcess, ExitThread, FindResourceA, GetACP, GetCommandLineA, GetDriveTypeA, GetExitCodeThread, GetLastError, GetModuleHandleA, GetNumberFormatA, GetOEMCP, GetPriorityClass, GetStartupInfoA, GetSystemInfo, HeapAlloc, HeapCreate, HeapFree, HeapReAlloc, MultiByteToWideChar, PulseEvent, RaiseException, ResetEvent, ResumeThread, RtlUnwind, SetLastError, SetThreadAffinityMask, SetUnhandledExceptionFilter, TlsAlloc, TlsFree, VirtualQueryEx, lstrcpynA
> msvcrt.dll: __p__commode, __set_app_type, _cexit, exit, free, strspn, __getmainargs
> user32.dll: BeginDeferWindowPos, DrawMenuBar, EnumChildWindows, ExitWindowsEx, GetDlgItem, GetMenuItemCount, SetCapture, wsprintfA, DefDlgProcA
> ole32.dll: CoCreateInstance

( 2 exports )
Direct3DCreate, GetEncryptionForAdapter
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: user
copyright....: Copyright _ 2006
product......: user DataAccessMgrAPI
description..: DataAccessMgrAPI
original name: DataAccessMgrAPI.dll
internal name: DataAccessMgrAPI
file version.: 1, 0, 0, 9
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=1B3F291D00B8BB0E98DA00470E75830010C71E32
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
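As an added example that is not part of the thread, the Python script below parses a VirusTotal plain-text report of the kind pasted above into per-engine verdicts and file hashes, computes the detection ratio, and checks a local file's size, MD5, SHA1 and SHA256 against the report, so you know the file on disk is the one that was analysed before acting on the verdicts. The embedded report is a constructed excerpt: the size and hashes are the ones reported above, but the engine table is shortened to ten of the forty engines, so the ratio it yields (6/10) is for the excerpt, not the 14/40 of the full report.

```python
# Added example (not from the thread or from VirusTotal): parse a VirusTotal
# plain-text report into engine verdicts and file hashes, and check a local
# file against the reported size and digests before trusting the verdicts.
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the report pasted in the thread: the size and hashes
# are the reported ones, the engine table is shortened to ten of the forty rows.
SAMPLE_REPORT = """
File dbdbdtic.dll received on 2010.02.04 23:22:13 (UTC)
Current status: Finished

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.04 Trojan.Packed.Hiloti!IK
AhnLab-V3 5.0.0.2 2010.02.04 -
Avast 4.8.1351.0 2010.02.04 Win32:Malware-gen
BitDefender 7.2 2010.02.04 -
Microsoft 1.5406 2010.02.05 Trojan:Win32/Hiloti.gen!D
NOD32 4836 2010.02.04 a variant of Win32/Cimag.BM
Panda 10.0.2.2 2010.02.04 Suspicious file
Prevx 3.0 2010.02.05 Low Risk Adware
Sophos 4.50.0 2010.02.04 -
TrendMicro 9.120.0.1004 2010.02.04 -
Additional information
File size: 38912 bytes
MD5...: e9bc101b62785f00d8da804c530984a4
SHA1..: 36bc4f8f6f147034dc60b791eaef93a8da9a7d7e
SHA256: 57b9da646e63769291873075bf2e9147437cdc59829616eb4f79196a94b46f53
"""

ENGINE_HEADER = "Antivirus Version Last Update Result"
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes")


def parse_report(text: str) -> dict:
    """Engine name -> verdict (None for '-') plus size/md5/sha1/sha256."""
    report: dict = {"engines": {}, "size": None, "md5": None, "sha1": None, "sha256": None}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ENGINE_HEADER:
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            parts = line.split(None, 3)   # name, version, signature date, verdict
            if len(parts) == 4:
                report["engines"][parts[0]] = None if parts[3] == "-" else parts[3]
            continue
        m = HASH_RE.match(line)
        if m:
            report[m.group(1).lower()] = m.group(2).lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            report["size"] = int(m.group(1))
    return report


def detection_ratio(report: dict) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    verdicts = list(report["engines"].values())
    return sum(v is not None for v in verdicts), len(verdicts)


def digests(data: bytes) -> Dict[str, object]:
    """Size and digests under the same keys the report parser uses."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_sample(data: bytes, report: dict) -> List[str]:
    """Names of the fields where the local file disagrees with the report."""
    actual = digests(data)
    return [k for k in ("size", "md5", "sha1", "sha256") if report.get(k) != actual[k]]


if __name__ == "__main__":
    import sys
    rep = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(rep)
    print(f"{hits}/{total} engines flagged the sample")
    if len(sys.argv) > 1:                      # optional: path of the local file
        with open(sys.argv[1], "rb") as fh:
            bad = verify_sample(fh.read(), rep)
        print("local file matches the report" if not bad
              else "mismatch in: " + ", ".join(bad))
```

The hash check is the part worth keeping around: a report is only evidence about the exact bytes it was computed over, and a file that has been replaced, re-packed or padded since the upload will differ in size and in every digest.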
 

Registered · 426 Posts
Hello,

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

=========================================================

CA Anti-Virus is outdated. Is your subscription to CA current?

It is very important that you keep your Anti Virus software updated. If you do not get regular updates (at least once a week) then you will be open to attacks by new malware that may have been released.

=========================================================

During the last ComboFix run your Anti-Virus was enabled. Did you have trouble disabling it?

To disable CA Anti-Virus:

  1. Right click on CA Antivirus icon near the clock (a shield).
  2. Click on CA Anti-Virus > Snooze Anti-Virus Protection.
  3. When prompted, enter in 30 and click on Snooze.
=========================================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/f100/help-cleaning-infected-pc-worm-win32-netsky-458145.html

Collect::
c:\windows\dbdbdtic.dll

File::
c:\windows\Gyoguriz.dat
c:\windows\Ywopohofusoc.bin
c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat

Folder::
c:\program files\LimeWire
c:\documents and settings\Manny Hill\Application Data\LimeWire
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

* Ensure you are connected to the internet and click OK on the message box.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 

Registered · 9 Posts
Discussion Starter #8 (Edited)
Hi,

Yes, I had some trouble with the anti-virus... I followed your instructions and set it to snooze for 30 mins. However, when I ran Combofix, it said the antivirus was still running. I again selected snooze for 30 mins and pressed OK in the Combofix dialog box. I received a final warning that it was still active (although no option to cancel) - I launched the antivirus program, went to options, disabled resident protection and then pressed 'apply'. I then pressed OK in the Combofix dialog, pretty confident that I had finally disabled the antivirus software - clearly I was wrong! Sorry for not detailing that for you last time.

(It was also difficult as the virus had disabled Task Manager so I was unsure if the software was running - Task Manager would not launch either from ctrl-alt-del, ctrl-shift-esc, Start-Run-C:\Windows\taskmgr.exe or directly from Explorer. It is now working however.)

I have tried to follow the instructions from your last post however, am having some problems... I firstly disable the antivirus, then dropped the CFScript.txt file onto Combofix. The dialog box opened and it started running through the steps. While that was occurring however, Explorer seemed to close down (that is, the task bar, Start button and all the desktop icons disappeared).... Combofix kept running and got to the point where it said it was creating a log file (and to not to launch any programs until Combofix was finished). It has now hung at that point for almost an hour...

I am not sure what to do now - should I force the PC to restart and try again? I will await further instructions....
 

TSF Security Manager, Emeritus · 52,197 Posts
Hello, jakster123 -

Explorer seemed to close down (that is, the task bar, Start button and all the desktop icons disappeared
This is normal, and expected.


Combofix kept running and got to the point where it said it was creating a log file (and to not to launch any programs until Combofix was finished
This should only take a few minutes, unless something interferes.

Is the machine still in this condition? Will task manager open? If so, please let us know all the processes running, particularly any with extension cfxxe or cfexe

It's possible CA awoke and is preventing ComboFix from completing its log write. Did you receive any messages from CA during this time?
 

Registered · 9 Posts
Discussion Starter #10
Hi there,

Well... I left the PC as it was. However, after some time when I returned to check on its state, it had gone into hibernation - or at least appeared to (it is a laptop although running on mains power). When I woke the machine, it seemed to be restarting and booted into Windows.

I tried to follow your instructions again and the process completed this time without a problem - I have attached the combofix.txt file. (I hope this was the right thing to do!). There did not appear to be any attempt to connect to the internet, however.

The first time I tried to run Combofix, I didn't receive any messages from CA. I know Task manager was operating again prior to running Combofix (before the PC appeared to freeze). I didn't do anything else after launching Combofix that time, however, so I don't know about the running processes at that time, sorry. And after it restarted, it seemed to run OK, so I'm not sure what happened...

Thanks again for your patience... the PC is already improved - I'm sure we'll get there in the end!!

ComboFix 10-02-03.04 - Manny Hill 06/02/2010 12:10:51.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.397 [GMT 11:00]
Running from: c:\documents and settings\Manny Hill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Manny Hill\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FILE ::
"c:\windows\Gyoguriz.dat"
"c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat"
"c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat"
"c:\windows\Ywopohofusoc.bin"
.

((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-04 08:13 . 2009-08-06 08:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-04 08:13 . 2009-08-06 08:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-13 08:10 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 12:11 . 2010-01-09 12:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-09 12:06 . 2010-01-09 12:08 -------- d-----w- c:\documents and settings\Manny Hill\Local Settings\Application Data\Temp
2010-01-09 12:06 . 2010-01-09 12:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 09:55 . 2007-12-28 07:48 -------- d-----w- c:\documents and settings\Manny Hill\Application Data\Apple Computer
2010-01-14 09:55 . 2009-10-30 10:35 -------- d-----w- c:\program files\iTunes
2010-01-14 00:12 . 2009-10-02 22:59 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 12:09 . 2008-02-02 11:38 -------- d-----w- c:\program files\Google
2009-12-05 12:00 . 2009-01-10 14:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-26 21:06 . 2009-01-10 10:32 111856 ----a-w- c:\windows\system32\isafprod.dll
2009-11-21 15:51 . 2007-04-22 19:43 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 04:04 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-08 68856]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-25 95632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-28 126976]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"TFncKy"="TFncKy.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-02-28 2049320]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-25 54672]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"NDSTray.exe"="NDSTray.exe" [BU]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-11-10 374000]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-11-26 271600]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\Manny Hill\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2007-4-28 845584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 05:46 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 07:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [21/10/2008 1:36 PM 107000]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [23/03/2007 7:07 AM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [10/03/2007 9:23 AM 6528]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/08/2008 12:42 PM 72184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/09/2007 10:53 AM 5888]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [10/01/2009 9:32 PM 128240]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/05/2006 7:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/05/2006 6:59 PM 33024]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [28/02/2008 3:04 PM 53032]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/05/2006 6:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [27/03/2007 6:22 AM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/09/2007 10:53 AM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [20/02/2007 6:15 AM 134016]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/09/2008 11:52 AM 1141240]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [21/10/2008 1:36 PM 801272]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2/09/2008 1:53 PM 289272]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 8:19 PM 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23/04/2007 7:20 AM 35968]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [21/10/2008 1:36 PM 203768]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/01/2010 11:06 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 01:34]

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 12:06]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 12:06]

2010-02-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:20]

2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{7368AE2D-EF80-4EAC-BF6D-CC483A457ABB}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.news.com.au/heraldsun/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Manny Hill\Application Data\Mozilla\Firefox\Profiles\23pcjfso.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.news.com.au/heraldsun/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 12:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\UmxWnp.Dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(1036)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\WININET.dll
c:\program files\Nero\Nero8\InCD\NBHShx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nero\Nero8\InCD\NBHStr.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-02-06 12:19:12
ComboFix-quarantined-files.txt 2010-02-06 01:19
ComboFix2.txt 2010-02-05 08:45
ComboFix3.txt 2010-02-04 08:31

Pre-Run: 49,988,980,736 bytes free
Post-Run: 49,940,467,712 bytes free

- - End Of File - - BD8E27561BC273F663FA7AE2F2D30933
 

Attachments

Registered · 426 Posts
Hello jakster,

The log is looking good, still a few things left to do however. Thanks for all your work so far.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

C:\QooBox\ComboFix2.txt

A notepad file will open, copy and paste it in your next reply.

Please repeat the process for this file:

C:\Qoobox\ComboFix-quarantined-files.txt

Again a notepad file will open, copy and paste it as well.
 

Registered · 426 Posts
Please visit this site and follow the instructions for uploading this file.

C:\Qoobox\Quarantine\[4]-Submit_2010-02-05_19.17.30.zip

In the Link to topic where this file was requested copy and paste:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/458145-help-cleaning-infected-pc-worm-win32-netsky.html

After you click on Send File you should see:

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Let me know if you have problems with that.

=========================================================

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.

    Java(TM) SE Runtime Environment 6

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
=========================================================

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
 

·
Registered
Joined
·
9 Posts
Discussion Starter #14
Hi,

I have submitted the .zip file as you requested. No problems with that. I will continue with the other steps and will give you an update when finished....
 

·
Registered
Joined
·
9 Posts
Discussion Starter #15
Hi,

I have now finished running the Eset online scanner... the contents of the log file (log.txt) are below:

Things are definitely running better now... task manager is back to normal, the windows background settings look like they can be reset back to normal, etc. Hopefully, the scan below is OK (it looks promising, I think!)...

Cheers,
Jack.

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=91fc74538a88fe449227eda23ec02d7d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-02-07 05:31:52
# local_time=2010-02-07 04:31:52 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=4866 16775125 100 100 0 39154128 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=77432
# found=1
# cleaned=0
# scan_time=4608
C:\Qoobox\Quarantine\[4]-Submit_2010-02-05_19.17.30.zip a variant of Win32/Cimag.BM trojan 00000000000000000000000000000000 I
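As an added example (not code from the thread or from ESET), a small Python parser for the log format posted above: it reads the "# key=value" header, splits each detection line into path, threat description, MD5 and flag, and separates hits that sit in a quarantine folder from ones that do not. The quarantine prefix (ComboFix's C:\Qoobox) comes from this thread; the sample log is constructed from the posted one, and the path/threat split is a heuristic.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# quarantined: True when the hit sits inside a known quarantine folder
Detection = NamedTuple("Detection", [("path", str), ("threat", str), ("md5", str),
                                     ("flag", str), ("quarantined", bool)])
# Constructed sample in the format of the ESET log posted above: "# key=value"
# header lines, then one line per detection: <path> <threat description> <md5> <flag>.
SAMPLE_LOG = """\
OnlineScanner.ocx - registred OK
# end=finished
# remove_checked=false
# found=1
# cleaned=0
C:\\Qoobox\\Quarantine\\[4]-Submit_2010-02-05_19.17.30.zip a variant of Win32/Cimag.BM trojan 00000000000000000000000000000000 I
"""
# ComboFix's quarantine folder (C:\Qoobox on this page): a hit there is a file
# the cleanup tool already moved out of its original location.
QUARANTINE_PREFIXES = ("c:\\qoobox\\",)
_DETECTION = re.compile(r"^(?P<body>.+?)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$")

def _split_path_threat(body: str) -> Tuple[str, str]:
    # Heuristic: ESET descriptions start with "a variant of", "probably", "multiple"
    # or a platform prefix containing "/" (Win32/, JS/ ...); Windows paths never do.
    tokens = body.split()
    for i, tok in enumerate(tokens):
        if i and (tok in ("a", "probably", "multiple") or "/" in tok):
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return body, ""

def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = _DETECTION.match(line)
        if m:
            path, threat = _split_path_threat(m.group("body"))
            quarantined = path.lower().startswith(QUARANTINE_PREFIXES)
            detections.append(Detection(path, threat, m.group("md5"), m.group("flag"), quarantined))
    return header, detections

def active_detections(text: str) -> List[Detection]:
    """Hits outside quarantine folders, i.e. the ones that still need action; with
    remove_checked=false the scanner only reports, so cleaned=0 is expected."""
    return [d for d in parse_eset_log(text)[1] if not d.quarantined]
```

For the log in this thread the only hit is inside C:\Qoobox, so active_detections() returns an empty list.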
 

·
Registered
Joined
·
426 Posts
Hi jakster,

Well done, your logs are clean!

The only file the online scanner flagged is in Combofix's quarantine folder which we will address now.

=========================================================

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

=========================================================

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster helps prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
    • click the button - enable protection for all unprotected items
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
ANTIVIRUS SOFTWARE
It is very important that you keep your Anti Virus and Anti Malware software updated and scan with them on a regular basis. If you do not get regular updates (at least once a week) then you will be open to attacks by new malware that may have been released.

Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:

Please respond to this thread one more time so we can mark this thread as resolved.
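An added example, not the MVPS file or the helper's code: a Python parser for the HOSTS layout described above that shows how a loopback entry blocks a name, plus a check for entries that point anywhere other than loopback (a blocklist-style HOSTS file should have none). The sample entries are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the MVPS HOSTS layout ("<address> <hostname...>", "#" comments);
# not the real MVPS file. The loopback entries sinkhole the listed names.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 ads.example-adnetwork.test  # [Ad network]
0.0.0.0 tracker.example.test tracker2.example.test
203.0.113.10 update.example-vendor.test  # sends the name to a remote address
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses that block rather than redirect

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lowercased) to the address its first HOSTS entry assigns."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))  # validates and normalises
        except ValueError:
            continue                                    # malformed line, skip it
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)
    return table

def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Address the HOSTS file answers for this name, or None if it is not overridden."""
    return table.get(hostname.lower())

def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    return lookup(table, hostname) in SINKHOLES

def non_sinkhole_entries(table: Dict[str, str]) -> List[str]:
    """Names the file sends somewhere other than loopback. A blocklist-style HOSTS
    file should contain none, so any that appear deserve a look."""
    return sorted(n for n, a in table.items() if a not in SINKHOLES)
```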
 

·
Registered
Joined
·
9 Posts
Discussion Starter #17
Hi there,

I have now followed your last instructions in order to (hopefully) prevent future infections, etc.... (ie: installed latest updates, SpywareBlaster, updated hosts file, etc...). PC is now running so much better... my next step is to clean up PC - unwanted software, run CCleaner, etc...

Anyhow, thank you so much for your time and patience.. It took a few days but your instructions and the eventual results were excellent. The PC is now virus free - wow! Really, I can't thank you enough for all your efforts!

Kind regards,
Jack.
 