
Please help - computer doing strange things



#16 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi rik

Can you post a HijackThis log for me?
  • 0



#17 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi Rik

Open Notepad and copy/paste the text in red below into it:

File::
C:\WINDOW\system32\halifax2.dll
C:\WINDOW\system32\halifax1.dll
C:\WINDOW\system32\iiiii.dll
C:\WINDOW\system32\qopnk.dll
C:\WINDOW\system32\vtuvwuu.dll
C:\WINDOW\system32\iiiii.ini
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2BD1E58-5C0D-47B4-9485-906C10256702}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuvu]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adiras"=-



Save this as CFScript.txt, in the same location as ComboFix.exe (desktop).

Posted Image


Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please post it and a ComboFix log.
  • 0
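A CFScript like the one above deletes files, removes registry keys and values, and rewrites the LSA "Authentication Packages" value in one pass, so it is worth reading what it will do before dropping it onto ComboFix. The Python below is an added example, not part of the thread and not ComboFix's own code: it parses the File:: and Registry:: sections of the script posted above, distinguishes key deletion ([-KEY]), value deletion ("name"=-) and value assignment, and decodes the hex(7) byte list so a reviewer can see that the LSA value is being set back to the Windows default, msv1_0. The one-byte-per-character encoding follows the script as posted; the UTF-16LE branch is an assumption added for values copied from a regedit export.

```python
import re

# CFScript exactly as posted in the thread above (File:: and Registry:: sections).
CFSCRIPT = r"""File::
C:\WINDOW\system32\halifax2.dll
C:\WINDOW\system32\halifax1.dll
C:\WINDOW\system32\iiiii.dll
C:\WINDOW\system32\qopnk.dll
C:\WINDOW\system32\vtuvwuu.dll
C:\WINDOW\system32\iiiii.ini
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2BD1E58-5C0D-47B4-9485-906C10256702}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvuvu]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adiras"=-
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_multi_sz(hex_csv):
    """Decode the comma-separated byte list of a hex(7) (REG_MULTI_SZ) value.
    The script above stores one byte per character; a regedit export uses
    UTF-16LE (a zero byte after every character), so both forms are accepted
    (assumption: a value whose every odd byte is zero is treated as UTF-16LE)."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b)
    if len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # MULTI_SZ is a run of NUL-terminated strings ending in an extra NUL.
    return [s for s in text.split("\x00") if s]


def parse_value(line):
    """Turn one "name"=data line into (name, action, decoded data)."""
    m = VALUE_RE.match(line)
    if not m:
        raise ValueError("not a value line: " + line)
    name, data = m.group("name"), m.group("data")
    if data == "-":
        return name, "delete_value", None
    if data.startswith("hex(7):"):
        return name, "set_multi_sz", decode_multi_sz(data[len("hex(7):"):])
    if data.startswith("dword:"):
        return name, "set_dword", int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        return name, "set_string", data[1:-1]
    return name, "set_raw", data


def parse_cfscript(text):
    """Split a CFScript into the files it removes and the registry actions it
    takes, so each can be checked before the script is run."""
    section, files, actions, key = None, [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            continue
        if section == "File":
            files.append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete_key", line[2:-1], None, None))
                key = None
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]          # following "name"=... lines belong here
            else:
                name, action, data = parse_value(line)
                actions.append((action, key, name, data))
    return {"files": files, "registry": actions}


def lsa_packages_restored(parsed):
    """True when the script sets HKLM\\...\\Control\\Lsa 'Authentication Packages'
    back to the Windows default, which is the single package msv1_0."""
    for action, key, name, data in parsed["registry"]:
        if (action == "set_multi_sz" and key and key.lower().endswith(r"\control\lsa")
                and name == "Authentication Packages"):
            return data == ["msv1_0"]
    return False


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for f in parsed["files"]:
        print("delete file   ", f)
    for action, key, name, data in parsed["registry"]:
        print(f"{action:14}", key or "", name or "", "" if data is None else data)
    print("LSA authentication packages restored to default:", lsa_packages_restored(parsed))
```

Running it lists the six files, the two key deletions, the Run value being removed and the decoded LSA value; an "Authentication Packages" value that decodes to anything other than ["msv1_0"] would be the thing to question before running the script.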

#18 rikc (Member, Topic Starter, 16 posts)
Hi Loophole

I have done what you asked and here is the ComboFix log.

ComboFix 08-01-23.2 - rik 2008-01-25 10:42:08.11 - NTFSx86
Running from: C:\Documents and Settings\rik\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rik\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOW\system32\halifax1.dll
C:\WINDOW\system32\halifax2.dll
C:\WINDOW\system32\iiiii.dll
C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\qopnk.dll
C:\WINDOW\system32\vtuvwuu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOW\cookies.ini
C:\WINDOW\system32\etoqegsf.dll
C:\WINDOW\system32\fsgeqote.ini
C:\WINDOW\system32\halifax1.dll
C:\WINDOW\system32\halifax2.dll
C:\WINDOW\system32\iiiii.dll
C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\iiiii.ini2
C:\WINDOW\system32\qopnk.dll
C:\WINDOW\system32\vtuvwuu.dll
.
---- Previous Run -------
.
C:\WINDOW\cookies.ini
C:\WINDOW\system32\avniljlb.ini
C:\WINDOW\system32\bljlinva.dll
C:\WINDOW\system32\dnvcexfx.ini
C:\WINDOW\system32\iiiii.ini
C:\WINDOW\system32\iiiii.ini2
C:\WINDOW\system32\lajkuoin.dll
C:\WINDOW\system32\txlwudpd.dll
C:\WINDOW\system32\xfxecvnd.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-20 08:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOW\NirCmd.exe
2008-01-18 10:35 . 2008-01-18 10:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 19:09 . 2008-01-16 19:09 1 --a------ C:\WINDOW\system32\rc.dat
2008-01-16 19:09 . 2008-01-16 19:09 1 --a------ C:\WINDOW\system32\ps1.dat
2008-01-12 10:51 . 2008-01-12 10:51 <DIR> d-------- C:\WINDOW\LastGood
2008-01-03 07:54 . 2002-08-29 03:41 286,720 --a------ C:\WINDOW\system32\msh263.drv
2008-01-03 07:54 . 2002-08-29 03:41 49,664 --a------ C:\WINDOW\system32\vfwwdm32.dll
2008-01-03 07:54 . 2001-08-17 22:36 45,568 --a------ C:\WINDOW\system32\iyuv_32.dll
2008-01-03 07:54 . 2001-08-17 22:36 8,192 --a------ C:\WINDOW\system32\tsbyuv.dll
2008-01-03 07:53 . 2004-11-24 11:29 647,333 --a------ C:\WINDOW\system32\drivers\Capt905c.sys
2008-01-03 07:53 . 2004-05-07 15:31 24,382 --a------ C:\WINDOW\system32\drivers\Camd905c.sys
2007-12-31 16:45 . 2007-12-31 16:45 93 --a------ C:\WINDOW\wininit.ini
2007-12-31 09:50 . 2007-05-30 12:10 10,872 --a------ C:\WINDOW\system32\drivers\AvgAsCln.sys
2007-12-31 09:00 . 2007-12-31 09:07 <DIR> d-------- C:\WINDOW\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 07:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 21:11 --------- d-----w C:\Program Files\Oberon Media
2007-12-31 14:17 --------- d-----w C:\Program Files\Lavasoft
2007-11-26 16:52 --------- d-----w C:\Program Files\QuickTime
2007-05-28 11:55 576 ----a-w C:\Program Files\userdata.dat
2007-05-28 11:55 176 ----a-w C:\Program Files\log.txt
2007-02-05 20:00 88 --sh--r C:\WINDOW\system32\D36C1C2D64.sys
2007-02-05 20:00 2,516 --sha-w C:\WINDOW\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_ 8.40.16.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 08:02:40 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 10:41:12 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 08:02:40 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 10:41:13 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 08:02:40 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-25 10:41:13 233,472 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 08:02:40 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 10:41:13 8,192 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 08:02:40 3,207,168 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-25 10:41:14 3,207,168 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 08:02:41 110,592 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 10:41:15 110,592 ----a-w C:\WINDOW\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-20 06:46:22 16,384 -c--a-w C:\WINDOW\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-25 10:49:44 16,384 -c--a-w C:\WINDOW\system32\config\systemprofile\Cookies\index.dat
- 2008-01-20 06:46:22 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-25 10:49:44 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-20 06:46:22 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-25 10:49:44 32,768 -c--a-w C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-20 08:03:16 262,144 ----a-w C:\WINDOW\system32\config\systemprofile\ntuser.dat
+ 2008-01-25 10:41:52 262,144 ----a-w C:\WINDOW\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28C703D0-B4A9-4b2f-9123-CE8294761861}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOW\System32\ctfmon.exe" [2002-08-30 04:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-02-22 16:18 1302528]
"PowerBar"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MPFEXE"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00 1005096]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 13:31 296488]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 15:16 1121792]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"BigDogPath"="C:\WINDOW\VM_STI.exe" [2004-12-15 18:01 40960]
"NeroFilterCheck"="C:\WINDOW\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-26 16:52 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOW\System32\CTFMON.EXE" [2002-08-30 04:00 13312]

C:\Documents and Settings\Rik.TRUDI.000\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 23:00:00 111376]

C:\Documents and Settings\rik\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 23:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-20 23:00:00 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 10:50:13 C:\WINDOW\Tasks\RegCure Program Check.job"
- C:\Documents and Settings\rik\Desktop\RegCure\RegCure.exe
"2008-01-03 03:00:00 C:\WINDOW\Tasks\RegCure.job"
- C:\Documents and Settings\rik\Desktop\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 10:52:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
  • 0

#19 rikc (Member, Topic Starter, 16 posts)
Here is the HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06, on 2008-01-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOW\system32\HPZipm12.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\wanmpsvc.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOW\VM_STI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOW\System32\wuauclt.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOW\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax2.dll (file missing)
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOW\VM_STI.EXE VIMICRO USB PC Camera L
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOW\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOW\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-c3.orang...va/cfs31248.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponrep...123/csauie1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://tiscaliuk.obe...aploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOW\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOW\wanmpsvc.exe

--
End of file - 8118 bytes
  • 0

#20 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi Rikc

That looks much better. How is the computer behaving now?
  • 0

#21 rikc (Member, Topic Starter, 16 posts)
Hi Loophole

I have been connected to the internet for about 10 mins and so far no pop-ups :)

Thanks for your help.

What should I do to prevent this happening again? Your advice would be appreciated.

Thanks.
  • 0

#22 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello

Malware is ever-changing. I will give you some preventative measures. Malware is getting so bad now we have to make sure people have the Recovery Console installed. It's the only way to clear some of the nasty new malware that's out. It is also another option in case the operating system fails, a fall-back if you will.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#23 rikc (Member, Topic Starter, 16 posts)
Hi Loophole

Here is the log you asked for.


winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOW="Microsoft Windows XP Home Edition" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


I will not turn the computer off until you get back to me. By the way, the computer is running fine, no pop-ups or strange things happening. Thank you very much.
  • 0

#24 loophole (Malware Expert, Retired Staff, 9,798 posts)
That is perfect :)

As for preventative things, the apps you are using are respected and well known.

I'm not a huge McAfee fan, but it's because it's a big program that uses a lot of resources, not because it doesn't work. The virus you had is very common. I would guess 80% of the logs we get right now are this trojan. AV vendors have had a tough time with this one since it came out.

Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax2.dll (file missing)

Now click "Fix Checked" and close HijackThis.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein here.

Let me know if you have any questions :)
  • 0
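The O2 entry loophole asks to be fixed here is the typical leftover after a cleanup: the BHO's registry load point is still there (ComboFix listed the same CLSID, {28C703D0-B4A9-4b2f-9123-CE8294761861}, under "Reg Loading Points"), but the DLL it pointed at is gone. The Python below is an added example, not from the thread and not part of HijackThis: it parses a handful of lines taken from the log posted above, pulls out the CLSID and target of R3/O2/O3 items, the command of O4 Run items and the binary of O23 services, and flags entries whose load point survives without its file. The "bare filename" check is an added heuristic: an O2 entry registered by a bare DLL name rather than a full path is loaded via the DLL search path, which is worth a second look on its own.

```python
import re

# A few lines taken from the HijackThis log posted earlier in this thread.
HJT_LINES = r"""R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax2.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOW\system32\HPZipm12.exe
""".splitlines()

# BHO CLSID listed under "Reg Loading Points" in the ComboFix log above.
COMBOFIX_BHO_CLSIDS = {"28C703D0-B4A9-4b2f-9123-CE8294761861"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"^(?P<label>[^:]+): (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
SVC_RE = re.compile(r"^Service: (?P<desc>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")

# HijackThis marks a load point whose file is gone with one of these.
MISSING_MARKERS = ("(file missing)", "(no file)")


def is_orphaned(target):
    return target.strip().endswith(MISSING_MARKERS)


def parse_hjt(lines):
    """Parse HijackThis item lines into dicts with kind, name, clsid, target."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        entry = {"kind": kind, "raw": line, "name": None, "clsid": None, "target": None}
        if kind in ("R3", "O2", "O3", "O9"):
            c = CLSID_RE.match(rest)
            if c:
                entry.update(name=c.group("desc"), clsid=c.group("clsid"), target=c.group("target"))
        elif kind == "O4":
            r = RUN_RE.match(rest)
            if r:
                entry.update(name=r.group("name"), target=r.group("target"))
        elif kind == "O23":
            s = SVC_RE.match(rest)
            if s:
                entry.update(name=s.group("desc"), target=s.group("target"))
        entries.append(entry)
    return entries


def triage(entries):
    """Return (kind, name, clsid, reasons) for entries worth a second look:
    load points whose file is missing, BHOs registered by bare filename, and
    CLSIDs that ComboFix also reported as a loading point."""
    known = {c.lower() for c in COMBOFIX_BHO_CLSIDS}
    findings = []
    for e in entries:
        if e["target"] is None:
            continue
        reasons = []
        if is_orphaned(e["target"]):
            reasons.append("file missing")
        if e["kind"] == "O2" and "\\" not in e["target"].split(" (")[0]:
            reasons.append("bare filename, no path")
        if e["clsid"] and e["clsid"].lower() in known:
            reasons.append("CLSID also listed in ComboFix Reg Loading Points")
        if reasons:
            findings.append((e["kind"], e["name"], e["clsid"], reasons))
    return findings


if __name__ == "__main__":
    for kind, name, clsid, reasons in triage(parse_hjt(HJT_LINES)):
        print(f"{kind:4} {name!r:28} {clsid or '':40} {'; '.join(reasons)}")
```

On the sample, the two Yahoo! Toolbar items and the "Google Module" BHO come back flagged; only the BHO collects all three reasons, which matches the one entry loophole singles out for "Fix Checked". The Yahoo items are the same kind of orphaned load point and would be cleaned up the same way.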

#25 rikc (Member, Topic Starter, 16 posts)
Hi Loophole

I have done what you have said. Everything seems to be OK now, many many thanks. :)

My McAfee subscription has expired. I was thinking about putting another programme on but not sure which one (was thinking about Norton 360). Is it possible to have the same level of security as, let's say, McAfee, with the free downloads that are available? I have had a look at the article that you have given me a link for and will download the list of must-have software.

Many thanks for your help it is very much appreciated.
  • 0



#26 loophole (Malware Expert, Retired Staff, 9,798 posts)
I wouldn't download Spybot and Ad-Aware, but the rest are fine. You can get good protection from the free programs; the only difference is you have to update them manually. I would shy away from Norton for the same reason I don't like McAfee. NOD32 is considered the best by most of us. There's a free 30-day trial and it's not expensive compared to most paid antivirus programs, plus it won't hog resources like McAfee and Norton. Let me know what you think if you try it.
  • 0





