Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Heur Exploit Script virus looping to blue screen on start up


  • This topic is locked This topic is locked

#136
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
Here is the first report.


Volume in drive C has no label.
Volume Serial Number is D428-716D

Directory of C:\

03/05/2010 11:33 <DIR> $AVG
20/06/2008 14:38 <DIR> cabs
14/01/2006 19:56 <DIR> CMPNENTS
10/05/2010 17:55 <DIR> d4e177373905a2ebff59a5958d
19/06/2008 15:36 <DIR> Documents and Settings
14/01/2006 13:09 <DIR> Drivers
23/06/2008 10:01 <DIR> DriversApps
19/06/2008 15:49 <DIR> Intel
29/12/2010 02:57 <DIR> Kaspersky Rescue Disk 10.0
08/05/2010 09:41 <DIR> lexmark
08/05/2010 09:47 <DIR> logs
14/01/2011 20:53 <DIR> Program Files
15/01/2011 22:17 <DIR> Qoobox
08/01/2011 15:32 <DIR> RECYCLER
23/06/2008 10:14 <DIR> rm
03/01/2011 20:03 <DIR> System Volume Information
16/01/2011 03:21 <DIR> WINDOWS
31/12/2010 21:25 <DIR> _OTL
0 File(s) 0 bytes
18 Dir(s) 144,976,470,016 bytes free


Here is the report from mbam, nothing found.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5529

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/01/2011 07:52:19
mbam-log-2011-01-16 (07-52-19).txt

Scan type: Quick scan
Objects scanned: 142318
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I did have mbam running on this PC when it first became infected
  • 0

Advertisements


#137
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
You can remove the Qoobox folder. Make sure you install an antivirus product such as AVAST if you are browsing the Internet. How is the computer doing?

Lets check for rootkits just to make sure there are no remnants of the infection.

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

  • 0

#138
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
I have downloaded the file and disconnected the internet but when I try to run it I get the error message C:\hskrby9y.exe is not a valid Win32 application.

I am running this on Windows XP.
  • 0

#139
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
I believe the system still infected.

Please follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to MyPoppy as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on MyPoppy.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" (or C:\MyPoppy.txt) .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
  • 0

#140
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
I have successfully ran Combofix under the new name MyPoppy.exe

It has installed the recovery console.

Here is the report;


ComboFix 11-01-10.04 - default 17/01/2011 22:42:47.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1634 [GMT 0:00]
Running from: C:\MyPoppy.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-17 21:44 . 2011-01-17 21:44 120951 ----a-w- C:\hskrby9y.exe
2011-01-16 07:48 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-16 07:48 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-15 16:29 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-15 16:28 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\default\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 319488 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-01-14 08:45 . 2011-01-14 08:45 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2011-01-14 08:45 . 2007-02-25 06:05 2203520 ----a-w- c:\windows\system32\drivers\NETw4x32.sys
2011-01-14 08:45 . 2007-02-15 12:31 2756608 ----a-w- c:\windows\system32\NETw4r32.dll
2011-01-14 08:45 . 2007-02-15 12:30 679936 ----a-w- c:\windows\system32\NETw4c32.dll
2011-01-08 17:14 . 2011-01-08 17:15 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-01-08 02:35 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-29 22:20 . 2010-12-29 22:20 -------- d-s---w- c:\documents and settings\Administrator\IETldCache
2010-12-29 22:19 . 2010-10-23 17:55 553984 ----a-r- C:\OTLPE.exe
2010-12-29 22:18 . 2010-12-31 21:25 -------- d-----w- C:\_OTL
2010-12-26 07:26 . 2010-12-26 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-12-25 16:13 . 2010-12-29 02:57 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-06-19 22:15 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-06-19 22:17 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2008-06-19 22:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-06-19 22:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-06-19 22:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-06-19 22:15 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-06-19 22:17 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-06-19 22:13 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-06-19 22:19 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-23 202256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"SMSERIAL"="sm56hlpr.exe" [2006-01-10 544768]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\default\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 05:40 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXKOAAOD
*Deregistered* - pxkoaaod
.
Contents of the 'Scheduled Tasks' folder

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:40]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:40]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3604336360-109894556-3801463734-1006Core.job
- c:\documents and settings\default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 15:03]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3604336360-109894556-3801463734-1006UA.job
- c:\documents and settings\default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 15:03]

2011-01-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3604336360-109894556-3801463734-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2011-01-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3604336360-109894556-3801463734-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-24 c:\windows\Tasks\User_Feed_Synchronization-{2E16A703-F1B3-4340-B56D-A79C454F9DE3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 22:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-01-17 22:45:35
ComboFix-quarantined-files.txt 2011-01-17 22:45

Pre-Run: 144,860,549,120 bytes free
Post-Run: 144,878,952,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 8663BD45A4A075B9FC11C65654B4C771
  • 0

#141
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Wonder why is running under a - REDUCED FUNCTIONALITY MODE -. Please run the program once again and post its resulting report.
  • 0

#142
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
I have run it again, here is the new log:


ComboFix 11-01-17.01 - default 17/01/2011 23:41:15.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1586 [GMT 0:00]
Running from: C:\MyPoppy.exe
.

((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-17 21:44 . 2011-01-17 21:44 120951 ----a-w- C:\hskrby9y.exe
2011-01-16 07:48 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-16 07:48 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-15 16:29 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-15 16:28 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\default\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2011-01-14 08:45 . 2011-01-14 08:45 319488 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-01-14 08:45 . 2011-01-14 08:45 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-01-14 08:45 . 2011-01-14 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2011-01-14 08:45 . 2007-02-25 06:05 2203520 ----a-w- c:\windows\system32\drivers\NETw4x32.sys
2011-01-14 08:45 . 2007-02-15 12:31 2756608 ----a-w- c:\windows\system32\NETw4r32.dll
2011-01-14 08:45 . 2007-02-15 12:30 679936 ----a-w- c:\windows\system32\NETw4c32.dll
2011-01-08 17:14 . 2011-01-08 17:15 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-01-08 02:35 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-29 22:20 . 2010-12-29 22:20 -------- d-s---w- c:\documents and settings\Administrator\IETldCache
2010-12-29 22:19 . 2010-10-23 17:55 553984 ----a-r- C:\OTLPE.exe
2010-12-29 22:18 . 2010-12-31 21:25 -------- d-----w- C:\_OTL
2010-12-26 07:26 . 2010-12-26 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-12-25 16:13 . 2010-12-29 02:57 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-06-19 22:15 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-06-19 22:17 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2008-06-19 22:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-06-19 22:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-06-19 22:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-06-19 22:15 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-06-19 22:17 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-06-19 22:13 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-06-19 22:19 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-23 202256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"SMSERIAL"="sm56hlpr.exe" [2006-01-10 544768]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\default\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 05:40 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXKOAAOD
*Deregistered* - pxkoaaod
.
Contents of the 'Scheduled Tasks' folder

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:40]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:40]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3604336360-109894556-3801463734-1006Core.job
- c:\documents and settings\default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 15:03]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3604336360-109894556-3801463734-1006UA.job
- c:\documents and settings\default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 15:03]

2011-01-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3604336360-109894556-3801463734-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2011-01-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3604336360-109894556-3801463734-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2011-01-17 c:\windows\Tasks\User_Feed_Synchronization-{2E16A703-F1B3-4340-B56D-A79C454F9DE3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-01-17 23:44:19
ComboFix-quarantined-files.txt 2011-01-17 23:44
ComboFix2.txt 2011-01-17 22:45

Pre-Run: 144,870,100,992 bytes free
Post-Run: 144,849,326,080 bytes free

- - End Of File - - 07D24333F484A2C51EE01A9D2712CDA1
  • 0

#143
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
How is the computer doing? I see no Antivirus installed. It is important to have an antivirus is installed. I recommend AVAST.
  • 0

#144
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
The computer seems ok. I have only been using it on your instructions and not for browsing but I have now downloaded Avast and the scan did not find any virus.
  • 0

#145
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Congratulations, Jan1959 ;)

All what is left is to perform some housekeeping.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix (MyPoppy) to Uninstall and click on it. That should remove the application.
Launch C:\OTLPE.exe and click on the Cleanup button. Follow the prompts.

Manually remove any tool left.

Create a Restore point:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes! :D
  • 1

Advertisements


#146
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
So sorry, once last thing - I have never had a clean up button on my OTLPE, I have seen a picture of where it should be but it has never been there.
Should I try downloading it again to see if it appears?
  • 0

#147
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
I was also under that impression, but it isn't.

Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so
Upon restart, manually remove any remaining tools.
  • 1

#148
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
Thank you so much JSntgRvr for all your help.

76 posts and nearly 3 weeks of work to repair my PC.

You are a star! :D
  • 0

#149
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
You are Welcome!
  • 0

#150
Jan1959

Jan1959

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 255 posts
Hi,
Sorry to bother you again but I cannot get any sound up on the pc. There is no icon on the task bar and when I look at the device manager the only thing in the properties box for sound, video and game controllers is the general tab - no properties or details.

Would you be able to advise me or do I need to start a new post?

Many thanks
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP