Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winspywareprotect and others

Started by Riven98 , Jul 26 2008 10:53 PM

  • Please log in to reply

#16
Cookiegal
Posted 05 August 2008 - 06:39 PM

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Please do the following to delete the ASquared service:

Go to Start - Run type in cmd then click OK. The MSDOS window will be displayed. At the prompt type the following:


SC Delete a2free

Then press Enter.

Reboot and post a new HijackThis log please.
  • 0

Advertisements

#17
Riven98
Posted 07 August 2008 - 10:14 PM

Riven98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
My latest HijackThis log is below. Is it safe to delete the ComboFix (empty) and QooBox folders?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:17 AM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.micros...microsoftupdate
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6558 bytes
  • 0

#18
Cookiegal
Posted 08 August 2008 - 05:57 PM

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Yes but I will give you instructions on how to remove them properly.

Here are some final instructions for you.


Follow these steps to uninstall Combofix and all of its files and components.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image


The following program will remove some of the tools we've used and their associated files and backups and then it will delete itself.

Please download OTMoveIt2 by OldTimer from the following link:

http://download.blee...r/OTMoveIt2.exe
  • Save it to your desktop.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your firewall or real-time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on StartAll ProgramsAccessoriesSystem Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.


I also recommend downloading SPYWAREBLASTER for added protection.


Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


Go to Start - Run and type in cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Edited by Cookiegal, 08 August 2008 - 06:00 PM.

  • 0

#19
Riven98
Posted 08 August 2008 - 10:35 PM

Riven98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I had a few issues performing your instructions....
I didn't disable McAfee when uninstalling ComboFix. McAfee "detected" a virus during the uninstall. The log shows it as "C:\327882R2FWJFW\PSEXEC.CFEXE RemAdm-ProcLaunch!171 (Remote Admin Tool)". It looks like McAfee has quarentined this file.
OTMoveIT2 indicated that there were 2 files it cold not delete. I could not see the file names because the window quickly closed when I clicked yes to reboot.
I still have a file, "bug.txt" in my root folder. It's contents are below. What is CF12737.exe? It exists in my c:\windows\system32 folder.


pushd "C:\327882R2FWJFW\"

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Admin\Application Data
cfldr=327882R2FWJFW
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MICHLER6000
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Admin
kmd=CF12737.exe
LOGONSERVER=\\MICHLER6000
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1706
ProgramFiles=C:\Program Files
PROMPT=$
SESSIONNAME=Console
sfxname=C:\Documents and Settings\Admin\My Documents\Malware Removal\ComboFix.exe
system=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=MICHLER6000
USERNAME=Admin
USERPROFILE=C:\Documents and Settings\Admin
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS

=============================================


if not defined sfxname goto END

If [/u] == [] Set "SfxCmd="

if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort

if exist "C:\DOCUME~1\Admin\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\Admin\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\WINDOWS\system32\cmd.exe" to Administrators group was successful

copy /y "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF12737.exe"
1 file(s) copied.

if not exist "C:\WINDOWS\system32\CF12737.exe" catchme -l nul -c "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF12737.exe"

For /F "tokens=*" %g in ("C:\Documents and Settings\Admin\My Documents\Malware Removal\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

Set FileName 1>FileName 2>nul

GREP -Gisqx "FileName=[-[:alnum:]@.]*" FileName || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)

DIR /AD/B C:\* | Findstr -IVX ComboFix 1>dirname00

Findstr -LIXC:"ComboFix" dirname00 1>nul && call :NameChk

If exist dirname0? del /Q dirname0?

If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf Findstr *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)

If exist "\ComboFix" rd /s/q "\ComboFix"

If exist "\ComboFix" goto :eof

swreg query "hklm\software\microsoft\windows nt\currentversion" /v currentversion 1>osVer00

GREP -sq "currentversion.* 6.0" osVer00 && (Call :Vista ) ||

del osVer00 2>nul

CD ..

Set "comspec=C:\WINDOWS\system32\CF12737.exe"

(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW\*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\WINDOWS\system32\CF12737.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd

NirCmd exec hide "C:\WINDOWS\system32\CF12737.exe" /f:off /d /c call Start_.cmd

NirCmd execmd del "\327882R2FWJFW\prep.cmd"

EXIT
  • 0

#20
Cookiegal
Posted 09 August 2008 - 09:38 AM

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
You can delete these, they are part of ComboFix:

C:\327882R2FWJFW
C:\CF12737.exe
C:\Qoobox (entire folder)

Also, drag and drop the ComboFix folder into the recycle bin.


Are there any other problems remaining?
  • 0

#21
Riven98
Posted 10 August 2008 - 09:57 PM

Riven98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I don't think so. Thanks again for the help.
  • 0

#22
Cookiegal
Posted 11 August 2008 - 11:03 AM

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
You're welcome.

You can also use this utility to try to uninstall ASquared (provided you're not running Office 2007 as then it's not recommended).

http://support.microsoft.com/kb/290301

Edited by Cookiegal, 11 August 2008 - 11:04 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP