taskbar VIRUS ALERT! [RESOLVED]

#31 chou05 (Topic Starter, Member, 24 posts)
Sorry for the late response Oct,
above are my logs.

I've realized my cousin has installed a couple of PC games (Counter-Strike and Unreal Tournament) while I was away from my desktop. I'll make sure to have him not mess around with our healing process anymore if anything.
Besides the taskbar military time, I've noticed video streaming such as YouTube seems to take much longer to view.
  • 0

#32 Octagonal (Member 2k, 2,528 posts)
Hello chou05,

Those logs don't look too bad.

Before we delete it can you tell me if you know what this file is?

C:\Documents and Settings\Owner\Desktop\file 6 - Infection\Mod\ca_setup.exe

Could you perform another scan with MBAM, but only this time make sure that Perform Full Scan is selected prior to scanning.
  • 0

#33 chou05 (Topic Starter, Member, 24 posts)
Malwarebytes' Anti-Malware 1.19
Database version: 901
Windows 5.1.2600 Service Pack 2

10:50:16 PM 03/07/2008
mbam-log-7-3-2008 (22-50-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 119089
Time elapsed: 30 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP598\A0567771.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP599\A0567947.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP599\A0567965.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP601\A0568025.dll (Trojan.Vundo) -> No act
  • 0

#34 chou05 (Topic Starter, Member, 24 posts)
C:\Documents and Settings\Owner\Desktop\file 6 - Infection\Mod\ca_setup.exe
It's a password recovery tool recommended to me, it's not installed - can be dispensable.

I have not taken action on the scanned items above in the log reported. - Was not the Vundo application a recommended download by you?
  • 0

#35 Octagonal (Member 2k, 2,528 posts)
Hello chou05,

Sorry for the delay, I too have had some work related issues. :)

Those infected files are quarantined in Housecall and from an earlier scan of Combofix which we can remove shortly, they are not doing any harm there.

Was not the Vundo application a recommended download by you?

That is correct, but there isn't anything there to indicate any problem with the VundoFix application. :)

I am not sure that the video streaming speed is directly related to the issues here.

We will have to fix the 24 hour time display manually.
  • Click the Start button then Control Panel then select Regional and Language Options icon.
  • With the Regional Options tab selected click the Customise button and this will open an additional settings box.
  • Select the Time tab and ensure that in the Time format: drop down list is set to h:mm:ss tt (make sure that the "h" is not capitalised).
  • Click Ok to accept the changes and close any open program windows.
You also have infected files in your System Restore points, so let's reset those points to remove those files.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Owner\Desktop\file 6 - Infection\Mod\ca_setup.exe

Folder::
C:\Documents and Settings\Owner\.housecall6.6\Quarantine

Driver::

Registry::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log
  • Let me know how the computer is behaving. (Did the time display stay as it should etc.)

  • 0
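The distinction Octagonal draws above, between infected files on the live system and dormant copies held inside System Restore points, is what decides the fix (MBAM's remove action for the former, a System Restore reset for the latter). As an added example that is not code from this thread or from Malwarebytes, the following Python script parses the "Files Infected:" section of an MBAM 1.x log and separates the two; the sample log text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the "Files Infected:" section of a
# Malwarebytes' Anti-Malware 1.x log (GUID, paths and names are made up).
SAMPLE_LOG = """\
Files Infected:
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP598\\A0567771.dll (Trojan.Vundo) -> No action taken.
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP601\\A0568025.dll (Trojan.Vundo) -> No action taken.
C:\\WINDOWS\\system32\\example.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\dropper.exe (Trojan.Downloader) -> No action taken.
"""

# One detection line: "<path> (<threat name>) -> <action taken>."
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# A copy held inside a System Restore point: ...\_restore{GUID}\RPnnn\...
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    restore_point: Optional[int]  # RP number when the file sits in a restore point

    @property
    def handled(self) -> bool:
        return not self.action.startswith("No action taken")


def parse_files_infected(log_text: str) -> List[Detection]:
    """Return the detections listed under the 'Files Infected:' detail header."""
    found: List[Detection] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):           # a detail-section header
            in_section = line == "Files Infected:"
            continue
        m = DETECTION_RE.match(line) if in_section else None
        if not m:
            continue  # blanks, "(No malicious items detected)", wrapped lines
        rp = RESTORE_POINT_RE.search(m["path"])
        found.append(Detection(m["path"], m["threat"], m["action"],
                               int(rp["rp"]) if rp else None))
    return found


def triage(detections: List[Detection]) -> dict:
    """Separate live-system detections from dormant copies inside restore points."""
    live_unhandled = [d.path for d in detections
                      if d.restore_point is None and not d.handled]
    rp_numbers = sorted({d.restore_point for d in detections
                         if d.restore_point is not None})
    return {
        "live_unhandled": live_unhandled,            # still need MBAM's remove action
        "restore_points_holding_copies": rp_numbers,
        # Copies inside restore points are inert until a restore is run, so the
        # fix is to reset System Restore rather than delete the files by hand.
        "reset_system_restore": bool(rp_numbers),
    }
```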

#36 chou05 (Topic Starter, Member, 24 posts)
The time fix worked like a charm, it was an easier fix than I expected. Thanks.

Although when proceeding to the ComboFix instruction, my ComboFix said it expired and the icon even disappeared - is this normal?
  • 0

#37 Octagonal (Member 2k, 2,528 posts)

Although when proceeding to the ComboFix instruction, my ComboFix said it expired and the icon even disappeared - is this normal?

Combofix has a routine built into it so that if the version that you have is more than several days old then what you experienced will occur. We can remove the files manually.

Using Windows Explorer, navigate to the following folder and delete all the files inside.

C:\Documents and Settings\Owner\.housecall6.6\Quarantine

Also delete the following file.

C:\Documents and Settings\Owner\Desktop\file 6 - Infection\Mod\ca_setup.exe

Could you please scan with Deckard's System Scanner and post the results, as I should be able to see what I am looking for in that log.
  • 0

#38 chou05 (Topic Starter, Member, 24 posts)
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-07 21:27:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:42 PM, on 07/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EA41871-B967-4DD5-BBD0-67047428FE88}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: U.S. Robotics 802.11g Wireless USB Adapter Service (U.S. Robotics 802.11g Wireless USB Adapter) - Unknown owner - C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe

--
End of file - 6092 bytes

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-06-29 00:39:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-29 00:39:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 00:39:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 10:39:37 0 d-------- C:\UT2004
2008-06-21 10:14:59 0 d-------- C:\Program Files\Valve
2008-06-18 19:55:31 98962624 --a------ C:\RegBU.reg


-- Find3M Report ---------------------------------------------------------------

2008-06-21 17:16:20 0 d-------- C:\Program Files\Starcraft
2008-06-21 10:13:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 22:35:51 0 d-------- C:\Program Files\Java
2008-06-04 22:34:56 0 d-------- C:\Program Files\Common Files
2008-06-04 22:34:56 0 d-------- C:\Program Files\Common Files\Java
2008-06-01 12:13:37 0 d-------- C:\Program Files\Trend Micro
2008-05-27 23:23:55 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 23:08:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 06:14:34 0 d-------- C:\Program Files\Warcraft III
2008-05-19 20:26:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-11 16:36:23 201728 --a------ C:\WINDOWS\system32\im_screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-04-13 15:58:26 2539 --a------ C:\WINDOWS\unins000.dat
2008-04-13 15:46:37 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" []
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [10/03/2004 08:57 PM]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [20/07/2005 12:55 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [18/11/2007 06:06 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08/02/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 12:00 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [13/11/2006 02:39 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-07 21:35:40 ------------
  • 0

#39 Octagonal (Member 2k, 2,528 posts)
Hello chou05,

Congratulations. Your log appears to be clean. :)

I don't see anything more in those logs that would be causing any concern. If you are still having issues with slow video streaming then may I suggest that you start a fresh topic in the Windows forum.

We need to clean up a few things before we finish.

Using Windows Explorer, please remove the following files:

C:\RegBU.reg

and these files if you still have them on your desktop:

CF-querySvc.exe
querySvc.exe


Please download OTCleanIt by OldTimer and save it to your desktop.

Double click on OTCleanIt.exe to open the application then click on the CleanUp! button to run the CleanUp tool.

The CleanUp tool will run and remove an assortment of Malware tools that we installed to help clean your computer. The CleanUp tool will also delete itself upon completion.

To reset your restore points, please note that you will need to ensure that you have logged into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please follow these Tips to prevent a possible infection or re-infection.

You have installed MalwareBytes Anti-Malware so I recommend that you keep that updated and scan on a regular basis to help keep your computer clean of any nasties.

Download, install AND update the following free programs. It is important to keep all anti-malware programs updated. Please update at least once a week.
  • Spybot Search & Destroy - A powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
You should also have a good firewall. Here are 2 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0

#40 Octagonal (Member 2k, 2,528 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
