Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Wondering why my pc is becoming slower since a recent format and how t


  • This topic is locked This topic is locked

#16
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Basically what you have is a lop infection, and we pretty much stopped it on the first fix with NoLop so now we are just trying to identify, and clean the rest up. :)
  • 0

Advertisements


#17
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
its going alot faster now on 76% and its found nothing so far lol! :)
  • 0

#18
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
thats a good thing :)
  • 0

#19
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
i'll let you know how everything is going when its finished :)
  • 0

#20
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
ok
  • 0

#21
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hiyaa agenn.

Its finished (finally) :)
and everything fine

Thankyou so much for your time.

its very mucbh appreciated !! :)

your a pro =]
  • 0

#22
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
oh we are not done yet, ... we have a few things to clean up :)


how is everything running?
  • 0

#23
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
very good and fast ! =]
  • 0

#24
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi allybabey11,

Lets get rid of the folders that had the infection in them, and if your logs come back clean I will give you my prevention speech witch will have some nice tips and tricks for staying clean. :)


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Documents and Settings\Administrator\Application Data\About Nurb
C:\Documents and Settings\All Users\Application Data\About Team Info Sect
C:\Program Files\Circle Developement
C:\Program Files\about nurb
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"info sect setup online"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#25
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
heres the combo fix log ... (ive got to go off the pc soon ) :) :)

ComboFix 08-06-20.4 - Administrator 2008-06-29 22:18:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.lnk
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 19:53 . 2008-06-29 19:53 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-29 17:13 . 2008-06-29 17:13 <DIR> d-------- C:\WINDOWS\Sun
2008-06-29 17:10 . 2008-06-29 17:11 <DIR> d-------- C:\Program Files\Google
2008-06-29 17:09 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-29 17:08 . 2008-06-29 17:09 <DIR> d-------- C:\Program Files\Java
2008-06-29 17:00 . 2008-06-29 17:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-29 14:37 . 2008-06-29 14:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 14:37 . 2008-06-29 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 14:37 . 2008-06-29 14:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-29 14:37 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-29 14:37 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-29 14:25 . 2008-06-29 14:26 <DIR> d-------- C:\NoLopBackups
2008-06-28 21:51 . 2008-06-28 21:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 17:42 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-28 17:42 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-28 10:50 . 2008-06-28 10:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-26 22:21 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-26 14:14 . 2008-06-28 23:29 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-26 14:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-26 14:10 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-26 14:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-26 12:26 . 2008-06-26 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-06-26 12:25 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-06-26 12:25 . 2004-08-04 00:56 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-06-26 12:25 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-06-26 12:25 . 2004-08-04 00:56 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-06-26 12:25 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-06-26 12:25 . 2004-08-04 00:56 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2008-06-26 12:24 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-06-26 12:24 . 2004-08-04 00:56 130,048 --a--c--- C:\WINDOWS\system32\dllcache\ksproxy.ax
2008-06-26 12:24 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-06-26 12:24 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-06-26 12:24 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-06-26 12:24 . 2004-08-04 00:56 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-06-26 12:24 . 2004-08-04 00:56 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2008-06-26 12:24 . 2004-08-04 00:56 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax
2008-06-26 12:24 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-06-26 12:24 . 2004-08-04 00:56 4,096 --a--c--- C:\WINDOWS\system32\dllcache\ksuser.dll
2008-06-26 12:23 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-06-26 12:23 . 2001-10-17 01:23 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2008-06-26 12:18 . 2008-06-26 12:18 <DIR> d-------- C:\Program Files\ArcSoft
2008-06-26 12:10 . 2008-06-26 12:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-26 11:59 . 2008-06-26 11:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Samsung
2008-06-26 11:57 . 2003-02-21 18:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-26 11:57 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-06-26 11:49 . 2008-06-26 11:49 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-06-26 11:49 . 2005-08-30 01:49 94,000 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2008-06-26 11:49 . 2005-08-30 01:47 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2008-06-26 11:49 . 2005-08-30 01:49 8,336 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2008-06-26 11:49 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2008-06-26 11:49 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2008-06-26 11:49 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2008-06-26 11:49 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2008-06-26 11:48 . 2008-06-26 11:48 <DIR> d-------- C:\Program Files\Samsung
2008-06-26 11:48 . 2008-06-26 12:18 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-26 11:48 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-06-26 11:41 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-06-26 11:37 . 2008-06-26 12:17 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-26 11:25 . 2008-06-26 11:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-25 09:29 . 2008-06-25 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-24 19:09 . 2008-06-29 14:28 8,723 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-24 19:08 . 2008-06-29 13:58 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-24 19:08 . 2008-06-24 19:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-24 19:08 . 2008-06-24 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-24 19:08 . 2008-06-28 18:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2008-06-24 19:05 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-06-24 18:57 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-24 18:57 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-24 18:57 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-24 18:57 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-24 18:57 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-24 18:57 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-24 18:55 . 2008-06-24 18:56 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-24 18:55 . 2008-06-24 18:57 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-24 18:54 . 2008-06-29 19:53 <DIR> d-------- C:\Program Files\McAfee
2008-06-24 18:37 . 2008-06-24 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-24 18:22 . 2008-06-24 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABOUT TEAM INFO SECT
2008-06-24 18:21 . 2008-06-24 18:21 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-06-24 18:21 . 2008-06-24 18:21 <DIR> d-------- C:\Program Files\Circle Developement
2008-06-24 18:21 . 2008-06-24 18:21 <DIR> d-------- C:\Program Files\about nurb
2008-06-24 18:21 . 2008-06-24 18:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\about nurb
2008-06-24 18:18 . 2008-06-24 18:19 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-06-24 18:18 . 2008-06-24 18:18 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-06-24 18:17 . 2008-06-24 18:21 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-06-24 18:16 . 2008-06-24 18:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-24 18:02 . 2008-06-24 18:13 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-24 18:01 . 2008-06-24 18:15 <DIR> d-------- C:\Program Files\Windows Live
2008-06-24 18:00 . 2008-06-24 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-24 10:01 . 2001-08-17 06:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-06-24 10:00 . 2004-08-03 15:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 00:26 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 17:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( [email protected]_16.05.27.66 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 22:02:19 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-30 02:54:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-29 22:02:19 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-30 02:54:18 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe" [2008-06-29 17:11 162744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"info sect setup online"="C:\Documents and Settings\All Users\Application Data\ABOUT TEAM INFO SECT\noun logo.exe" [2008-06-25 11:50 2163712]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 14:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 0151421214794441mcinstcleanup;McAfee Application Installer Cleanup (0151421214794441);C:\WINDOWS\TEMP\015142~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 04:42:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-25 01:56:31 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-25 01:56:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 22:22:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-06-29 22:25:37
ComboFix-quarantined-files.txt 2008-06-30 05:25:00
ComboFix2.txt 2008-06-29 23:06:38

Pre-Run: 4,350,627,840 bytes free
Post-Run: 4,399,312,896 bytes free

177 --- E O F --- 2008-06-29 06:31:35



and hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:21 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\CF10285.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [info sect setup online] C:\Documents and Settings\All Users\Application Data\ABOUT TEAM INFO SECT\noun logo.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O23 - Service: McAfee Application Installer Cleanup (0151421214794441) (0151421214794441mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\015142~1.EXE (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 5578 bytes
  • 0

Advertisements


#26
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ive got to go.. sorry.. il be back in 2 days ..
reply and ill see to it when i get back
to see what i got to do next ..
thankyou so far its alot faster
see you soon
  • 0

#27
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Thats fine, its pretty much fixed just clean up to do.... see you in two days :)
  • 0

#28
allybabey11

allybabey11

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
hey i sneaked on hahaha :)
  • 0

#29
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
well let me see if I can come up with some instructions real quick... :)
  • 0

#30
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi allybabey11,

This is it last bit of instructions, and we are done. :)


OTMoveIt2 by OldTimer


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Administrator\Application Data\About Nurb
    C:\Documents and Settings\All Users\Application Data\About Team Info Sect
    C:\Program Files\Circle Developement
    C:\Program Files\about nurb
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

===============================================

Fix with HijackThis


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [info sect setup online] C:\Documents and Settings\All Users\Application Data\ABOUT TEAM INFO SECT\noun logo.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===============================================


ComboFix Removal
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

===============================================

OTCleanIt



Download OTCleanit
Save it to your Desktop.

  • Double-click on OTCleanIt.exe to run
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You may be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


===============================================

This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have. I know you have some of the listed items so just choose what you need. I just like to post them incase you ever need them or want to change them.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Posted Image 1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

Posted Image 2.) Go to Intenet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

Posted Image 3.) Open Intenet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

Posted Image 4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in it's database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer) Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

Posted Image 5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

Posted Image 6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

Posted Image 7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

Posted Image 8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

Posted Image 9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate

Posted Image 10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP