TechSpot

8 step Malware Removal

By DENNISEPT
Jun 8, 2010
  1. All of my searches end up being redirected. I've followed the 8 steps and here are my logs.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Dennie the system had an assortment of malware! And yes, you Hosts have been hijacked. You are missing one log from DDS named Attach.txt Please locate that on your system, follow the directions to zip is and leave it on next reply.
    =======================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..

    And also leave this report in next reply. I will be preparing some script for you but need these two logs first.
     
  3. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    I've run Combofix and provided the 2 logs.
     

    Attached Files:

  4. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    8 steps malware

    Soory about the last post. Here is the file, zipped.
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. Let's start off with this:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\SpyZooka\spyzooka.exe
    Folder::
    
    DDS:
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    uRun: [SpyZooka] c:\program files\spyzooka\SpyZookaLdr.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    SEH: SpyZooka Service Hook: {d468bce5-d18e-49a4-8ea7-34bd583659d5} - c:\progra~1\spyzooka\spyguard.dll
    Hosts: 84.16.244.54 www.google.com
    Hosts: 84.16.244.54 us.search.yahoo.com
    Hosts: 84.16.244.54 uk.search.yahoo.com
    Hosts: 84.16.244.54 search.yahoo.com
    Hosts: 84.16.244.54 www.google.com.br
    Hosts: 84.16.244.54 www.google.it
    Hosts: 84.16.244.54 www.google.es
    Hosts: 84.16.244.54 www.google.co.jp
    Hosts: 84.16.244.54 www.google.com.mx
    Hosts: 84.16.244.54 www.google.ca
    Hosts: 84.16.244.54 www.google.com.au
    Hosts: 84.16.244.54 www.google.nl
    Hosts: 84.16.244.54 www.google.co.za
    Hosts: 84.16.244.54 www.google.be
    Hosts: 84.16.244.54 www.google.gr
    Hosts: 84.16.244.54 www.google.at
    Hosts: 84.16.244.54 www.google.se
    Hosts: 84.16.244.54 www.google.ch
    Hosts: 84.16.244.54 www.google.pt
    Hosts: 84.16.244.54 www.google.dk
    Hosts: 84.16.244.54 www.google.fi
    Hosts: 84.16.244.54 www.google.ie
    Hosts: 84.16.244.54 www.google.no
    Hosts: 84.16.244.54 www.google.de
    Hosts: 84.16.244.54 www.google.fr
    Hosts: 84.16.244.54 www.google.co.uk
    Hosts: 84.16.244.54 www.bing.com
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpyZooka"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"=-
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2
    
    Driver::
    SServ
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Remind me to have you reset the Host files.
     
  6. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    Malware removal

    ComboFix 10-06-08.02 - Dennis 08/06/2010 20:13:57.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.89 [GMT -7:00]
    Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dennis\Desktop\CFScript.txt,.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\program files\SpyZooka\spyzooka.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\SpyZooka\spyzooka.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
    .

    2010-06-08 14:04 . 2010-06-08 14:04 -------- d-----w- c:\documents and settings\Dennis\Application Data\Malwarebytes
    2010-06-08 14:03 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-08 14:03 . 2010-06-08 14:03 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-08 14:03 . 2010-06-08 14:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-08 14:03 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-07 19:54 . 2010-06-07 19:54 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-06-02 15:56 . 2010-06-02 15:56 29512 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-06-02 15:56 . 2010-06-02 15:56 242896 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-09 03:23 . 2009-01-26 18:38 -------- d-----w- c:\program files\SpyZooka
    2010-06-07 22:48 . 2009-01-26 20:22 -------- d-----w- c:\documents and settings\Dennis\Application Data\Spyzooka
    2010-06-02 15:55 . 2010-03-31 14:05 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-02 15:55 . 2008-09-09 18:30 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-04-01 18:26 . 2010-04-01 18:26 1357339 -c--a-w- c:\documents and settings\All Users\SPL84.tmp
    2010-03-31 14:08 . 2008-09-09 18:30 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-31 14:08 . 2008-09-09 18:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-15 14:44 . 2010-03-15 14:44 45056 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-15 14:44 . 2010-03-15 14:44 45056 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-15 14:44 . 2010-03-15 14:44 49152 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-15 14:44 . 2010-03-15 14:44 45056 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-15 14:44 . 2010-03-15 14:44 45056 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-15 14:44 . 2010-03-15 14:44 308808 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-15 14:44 . 2010-03-15 14:44 14848 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-15 14:44 . 2010-03-15 14:44 40960 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-15 14:44 . 2010-03-15 14:44 341600 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-15 14:41 . 2007-08-28 00:54 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-15 14:41 . 2007-08-28 00:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
    .

    ------- Sigcheck -------

    [-] 2008-07-04 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    [7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
    [-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-04-03 02:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Nexus Radio"="c:\program files\Nexus Radio\Nexus Radio.exe" [2010-03-12 4699136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
    "QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\qttask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-04-15 952768]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-31 14:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT LGE]
    2007-10-12 00:17 81920 -c--a-w- c:\program files\Common Files\Portrait Displays\Shared\DT_Startup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-05-07 18:10 312240 -c--a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-04-13 14:07 69632 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
    2007-07-16 20:54 25264 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
    2007-07-16 20:54 434864 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdimon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
    2006-11-14 21:22 121640 -c--a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nexus Radio]
    2010-03-12 05:37 4699136 ----a-w- c:\program files\Nexus Radio\Nexus Radio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2007-04-19 04:26 7700480 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2007-04-19 04:26 86016 -c--a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2007-04-19 04:26 1626112 -c--a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 07:08 417792 ----a-w- c:\program files\MpcStar\Codecs\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaveDate]
    2004-10-21 21:01 421376 -c--a-w- c:\windows\SaveStartDate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-12-05 04:45 136600 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-15 14:41 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/09/2008 11:30 AM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [31/03/2010 7:05 AM 242896]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [31/03/2010 7:05 AM 308064]
    R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [21/03/2010 7:18 AM 115312]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [06/02/2008 11:20 AM 99248]
    S2 LxrSII1d;Secure II Driver;\??\c:\windows\system32\Drivers\LxrSII1d.sys --> c:\windows\system32\Drivers\LxrSII1d.sys [?]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [23/06/2008 6:34 PM 16512]
    S3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);c:\windows\system32\drivers\vacs2xkd.sys [23/06/2008 6:34 PM 42880]
    S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [20/01/2009 3:25 PM 14336]
    S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [20/01/2009 3:25 PM 18432]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-1606980848-854245398-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

    2010-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-1606980848-854245398-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

    2010-03-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2009-04-03 02:50]

    2009-05-26 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-25 05:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    uStart Page = hxxp://sympatico.msn.ca/
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: microsoft.com\office
    Trusted Zone: msn.ca\sympatico
    Trusted Zone: windowsupdate.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
    FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\x8hxm72y.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-08 20:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-06-08 20:30:40
    ComboFix-quarantined-files.txt 2010-06-09 03:30
    ComboFix2.txt 2010-06-08 18:34

    Pre-Run: 20,323,950,592 bytes free
    Post-Run: 20,359,860,224 bytes free

    - - End Of File - - CBB6E0B2EF2468D5E269D9687E2997C3


    Reminder to have you have me reset the host files.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\Ask.com\UpdateTask.exe
    Folder::
    c:\program files\SpyZooka
    c:\documents and settings\Dennis\Application Data\Spyzooka
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"=-
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Uninstall:
    1.Click Start > Settings > Control Panel.
    2.Next, open Add/Remove Programs and remove if listed:
    [Ask.com
    SpyZooka


    Delete program folders:
    1. Windows key + E for Windows Explorer> My Computer> Double click Local Drive (C)
    2. Double click Programs> find the following and do a right click> Delete on each folder:
    Ask
    Spyzooka

    Exit Windows Explorer
    ===============================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Follow with download of HijackThis Installer HERE and save to the desktop:

    1. Note: Choose v2.0.4
    2. Double-click on HJTInstall.exe to run the program.
    3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    4. Accept the license agreement by clicking the "I Accept" button.
    5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    6. Click "Save log" to save the log file and then the log will open in notepad.
    7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    8. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Leave new Combofix report, Eset scan and HijackThis on next reply.
     
  8. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    8 steps malware removal

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:02:45 AM, on 09/06/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
    C:\WINDOWS\system32\lxdicoms.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nexus Radio\Nexus Radio.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Nexus Radio] C:\Program Files\Nexus Radio\Nexus Radio.exe -0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://sympatico.msn.ca
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://secure.learning.gov.ab.ca/edarts.internet/includes/smsx.cab
    O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://64.114.25.196/Vernon/cabfile/mgaxctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188480287067
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188480276792
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
    O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 10406 bytes
     

    Attached Files:

  9. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    I was supposed to remind you to have me reset the Host files.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We'll do that- but let's get the system clean first. It is interesting to note that your visit to PC World to read or watch or download Privacy Watch Make Sure Your Old Computer Tells No Tales.htm also infected several files with the Win32/Allaple.Gen worm There is some irony in that I think! And it's on the E Drive. If that is your flash drive, we will need to disinfect that also.

    This is a A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
    . If this system is one of several on a network, you will need to check the others for the Worm.

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      E:\Personal\Receipt for your Payment to Right Track Associates Inc..htm	
      E:\SOFTWARE PROGRAMS\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales.htm	
      E:\MY DOCUMENTS\Software\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales_files\article;ch=soho;sec=privacy_watch;pc=1227;c=1529;c=1214;pos=leader;tile=1;sz=728x90;dcopt=ist;ord=1185725;.htm	
      E:\MY DOCUMENTS\Software\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales_files\superstitial;pos=unicast;sz=1x1;tile=9;ord=314660091.htm	
      E:\MY DOCUMENTS\Software\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales_files\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales.htm	
      E:\MY DOCUMENTS\My Pictures\100_0298_jpg.htm	
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================
    Are you currently using a Lexar USB flash drive? Is the driver current? It has been questioned in both Combofix logs. IF you are not using it, I will include it in a short script for you to run.
    (S2 ;Secure II Driver;\??\ --> c:\windows\system32\drivers\LxrSII1d.sys [?])
     
  11. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    When I try to download this program,OTMovit by Old Timer, I get a security warning that it is unsafe. Should I still download and install it?

    The 'E' drive is an external hard drive.

    I now longer us any Lexar flash drives.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Dennis, what is giving you this security warning? The site is clean. You need to run OTM to remove the malware.
    If E is the external hard drive, it is infected now. Those file are all on the E drive.

    I can remove the Lexar driver with script.Please run OTM and leave the log it produces so I can make sure the malware has been moved.
     
  13. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    OTM Log

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    E:\Personal\Receipt for your Payment to Right Track Associates Inc..htm moved successfully.
    E:\SOFTWARE PROGRAMS\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales.htm moved successfully.
    E:\MY DOCUMENTS\Software\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales_files\article;ch=soho;sec=privacy_watch;pc=1227;c=1529;c=1214;pos=leader;tile=1;sz=728x90;dcopt=ist;ord=1185725;.htm moved successfully.
    E:\MY DOCUMENTS\Software\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales_files\superstitial;pos=unicast;sz=1x1;tile=9;ord=314660091.htm moved successfully.
    E:\MY DOCUMENTS\Software\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales_files\PCWorld_com - Privacy Watch Make Sure Your Old Computer Tells No Tales.htm moved successfully.
    E:\MY DOCUMENTS\My Pictures\100_0298_jpg.htm moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Dennis
    ->Temp folder emptied: 446059 bytes
    ->Temporary Internet Files folder emptied: 57387649 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 2364 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 108 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 16781813 bytes

    Total Files Cleaned = 71.00 mb


    OTM by OldTimer - Version 3.1.12.2 log created on 06112010_174355

    Files moved on Reboot...
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\WAG6M0AS\BuddyList[2].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\WAG6M0AS\InboxLight[1].aspx moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\WAG6M0AS\sh18[1].html moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\WAG6M0AS\ToastFull[2].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\WAG6M0AS\ToastMini[2].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\JNQOE6YU\ads[10].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\JNQOE6YU\im[1].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\J28TFAV5\default[2].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\F28LQPUA\5743350023[1].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\F28LQPUA\adsCAGM51FK.htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\F28LQPUA\ads[8].htm moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\Content.IE5\F28LQPUA\topic148220[2].html moved successfully.
    C:\Documents and Settings\Dennis\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\LxrSII1d.sys
    c:\documents and settings\All Users\SPL84.tmp
    c:\windows\SaveStartDate.exe
    
    Folder::
    c:\program files\Ask.com
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaveDate]
    
    Driver::
    LxrSII1d
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ==============================
    Dennis, check the Programs folders on the C drive. It looks like you may have AVG9 installed twice. There are 3 sets of duplicate processes.

    Also, check for update for the Lexmark. There is a problem with the drivers.

    Please run Malwarebytes again. I want to make sure all bad entries are gone:

    [​IMG]
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    Download this please, then reboot:
    MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

    How is the system now? Are you still getting the redirects? Any other malware related problems
     
  15. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    I'm still chasing a driver update for the Lexmark but everything else seems to be working good.

    Thanks for your help.
     

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Logs look good Dennis. Just run a quick HijackThis scan so I can make sure there aren't any bad entries left:

    choose v 2.0.4:

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    I'll check the log and then have you remove the cleaning tools.
     
  17. DENNISEPT

    DENNISEPT TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:13:46 PM, on 14/06/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Nexus Radio\Nexus Radio.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\lexmark\drivers\3500-4500\Setup.exe
    c:\lexmark\drivers\3500-4500\install\x86\instgui.exe
    C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Dennis\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKCU\..\Run: [Nexus Radio] C:\Program Files\Nexus Radio\Nexus Radio.exe -0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://sympatico.msn.ca
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://secure.learning.gov.ab.ca/edarts.internet/includes/smsx.cab
    O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://design-concept.ca/Core/Player/2020PlayerAX_Win32.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://64.114.25.196/Vernon/cabfile/mgaxctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188480287067
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188480276792
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 8690 bytes
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looks good Dennis! I think we got rid of all the bad stuff. Let's replace the Hosts files:

    MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if I can be of further help.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...