Antispyware, combofix, and HJT logs for review


wvlax21
If someone could review these, that would be great. I have been receiving messages saying I had the lo1 vundo infection in my computer. I completed all the preliminary steps recommended to clean my computer. Any more help is greatly appreciated.
 
Hi,

I apologize for the wait.

Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

Should you decide to clean your system, then please do the following.

I noticed that your AVG log displays 'No Action Taken' for all the files detected.
I require you to run AVG again and quarantine the files. Pictorial instructions HERE.

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE

  1. Please run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {BF285875-5D0E-481E-B703-99ABBF7D6873} - C:\WINDOWS\system32\gebcb.dll (file missing)
    O4 - HKLM\..\RunServices: [cdpnpvvw] C:\WINDOWS\system32\cdpnpvvw.exe
    O4 - HKLM\..\RunServices: [olxhs] C:\WINDOWS\system32\olxhs.exe
    O4 - HKLM\..\RunServices: [ouhuznvdz] C:\WINDOWS\system32\ouhuznvdz.exe

    O4 - HKLM\..\RunServices: [tmcxqizpv] C:\WINDOWS\system32\tmcxqizpv.exe
    O4 - HKLM\..\RunServices: [cfsjnj] C:\WINDOWS\system32\cfsjnj.exe
    O4 - HKLM\..\RunServices: [rpjiqgl] C:\WINDOWS\system32\rpjiqgl.exe
    O4 - HKLM\..\RunServices: [ryff] C:\WINDOWS\system32\ryff.exe

    O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab

    Close HJT.

  2. Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.

    [image: CFScript.gif]


    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

  3. Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

Attachments

  • CFScript.txt (809 bytes)
Sorry about screwing up the AVG log. I'll do the other recommended steps now. Thanks for your help.
 
Alright, I have attached the following:
1) New AVG Anti-Spyware log
2) New Combofix logs from both safe mode and normal mode
3) New HJT log from normal mode
 
Hello and welcome to TechSpot.

Step 1: Go into Add or Remove Programs in your Control Panel and uninstall anything having to do with Compaq Advisor or PartyPoker.

Step 2: Follow momok's CFScript instructions above, only use the script attached to my post here. Attach the resultant log in your next reply.

Step 3: Please navigate to www.virustotal.com.

Click the Choose... button.

Navigate to the following file:

C:\Cpqs\Scom\srmclean.exe

Click Open. Then click Send File.

Wait until it's done scanning, then copy and paste the results into a Notepad file and save it on your computer.

Attach the VirusTotal log file in your next reply, along with the log resulting from the CFScript, and a fresh HijackThis log.

Regards :)

This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
I have attached my combofix log after dragging and dropping the CFScript as shown in Momok's instructions... I will now follow the rest of your steps...

I have completed the rest of your steps and attached the Virustotal log along with a fresh HJT log
 
Oh, and I went through my add/remove programs list and didn't find anything that had to do with party poker.
 
Unnecessary entries that can be fixed:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

If you don't know these sites, fix them:

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab


This should be fixed if it's nothing to do with your internet provider or PC maker:
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir 2.dll?s=consumerfav&c=2c02&lc=0409

If you are happy with your PC's performance, empty the quarantine folders of recent use, do a defrag etc., switch off System Restore, reboot, switch on SR and create a new restore point.
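As an added illustration, not part of any post in this thread, of how the HijackThis entries listed in momok's and Tom's posts get triaged: a small Python parser that flags the patterns they called out, namely orphaned "(file missing)" references, RunServices entries launching a same-named random executable from system32, O16 DPF downloads from hosts not on an allow-list, and O14 start-page overrides. The sample log lines and the allow-list are constructed for this example; the trusted host is an assumption.

```python
import re

# Constructed sample modelled on the entry types quoted in this thread; the second O4 and O16 lines are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BF285875-5D0E-481E-B703-99ABBF7D6873} - C:\WINDOWS\system32\gebcb.dll (file missing)
O4 - HKLM\..\RunServices: [cdpnpvvw] C:\WINDOWS\system32\cdpnpvvw.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Vendor Class) - http://updates.example.com/SysQuery.cab
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<path>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
# Assumption: an allow-list of vendor hosts the reviewer has already vetted.
TRUSTED_DPF_HOSTS = {"updates.example.com"}

def parse_entry(line):
    """Split one HJT line into its section code (O2, O4, ...) and body; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return {"kind": m.group(1), "body": m.group(2), "raw": line.strip()} if m else None

def review_entry(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing flagged)."""
    kind, body, reasons = entry["kind"], entry["body"], []
    if body.endswith("(file missing)"):
        reasons.append("references a file that no longer exists")
    if kind == "O4" and (m := O4_RE.search(body)):
        name, path = m.group("name"), m.group("path")
        if "RunServices" in body:
            reasons.append("RunServices autostart (legacy key, rare for legitimate software)")
        exe = path.rsplit("\\", 1)[-1].lower()
        if re.fullmatch(r"[a-z]{4,12}", name) and exe == name + ".exe" and "system32" in path.lower():
            reasons.append("random-looking name launching a same-named exe from system32")
    if kind == "O16" and (m := URL_HOST_RE.search(body)) and m.group(1).lower() not in TRUSTED_DPF_HOSTS:
        reasons.append(f"ActiveX download from unvetted host {m.group(1)}")
    if kind == "O14":
        reasons.append("IE reset start page has been overridden")
    return reasons

def review_log(text):
    """Map each flagged raw log line to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := review_entry(entry)):
            flagged[entry["raw"]] = reasons
    return flagged
```

Running `review_log(SAMPLE_LOG)` flags the O2, the RunServices O4, the O9 and the buddylinks O16 lines while leaving the ctfmon.exe and allow-listed O16 lines alone.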
 
Thanks for your post Tom. I've been busy this weekend.

wvlax21, did you uninstall Compaq Advisor? You need to do that as per my above post.

Then go to Start > Run, and type in "cmd". Press Enter.

When the black window appears, type in (or copy and paste) the following:

net stop msCMTSrvc

Press Enter. Once it's done with that, type in the following:

sc config "msCMTSrvc" start= disabled

Press Enter. Once it's finished, close the window.

Then post a fresh HJT log.

Regards :)

This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
When I typed in the initial "net stop msCMTSrvc" I would receive a message saying "the content monitoring tool is not started".

Here is a fresh HJT log...
 
Everything looks good now.

Delete all files in AVG Anti-Spyware Quarantine folder (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine).

Turn off system restore. See how HERE.
This will remove all your system restore points, including any malware hiding in them.

After that turn system restore back on.
This will create a new, clean restore point for your system.

Often, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article. This can help to prevent future infections.

Should you have further virus/spyware problems, please post in this thread.

Regards :)

This thread is for the use of wvlax21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 