TechSpot

Completed 8 step removal - log files attached

By LO1109
Dec 8, 2008
Topic Status:
Not open for further replies.
  1. Hi,

    Thank you in advance for checking out the attached log files. Hopefully they are clean and good to go.

    Our home computer began having problems with Vundo and Fraudloa.cx about 2 weeks ago. The computer is mainly used by teens for homework, social networking, itunes, etc.

    I completed the 8 steps on the website.

    Thanks again for the help.

  2. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Observation: More progress is needed.
    • Your logs show found but unanswered items - React to unanswered items appearing in scan logs
    • 'NO Action' - Remove Selected when offered by MBAM
    • 'Delete on Reboot' - Restart the computer after concluding the scan
      • e.g. "C:\WINDOWS\system32\mfmpabooamlepal.dll (Adware.BHO) -> Delete on reboot"

    Continue with guide.
    Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scan program.
    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
      • Typically extra repeat scans are not needed.
    • Post logs. Report progress & what changes are observed. Include logs that found infections.
  3. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    No it doesn't. It says entries removed and quarantined :confused:

    But I'm more concerned about Spyware Doctor and Registry Mechanic in the Windows startup list

    Actually the member is best to remove most of the many O4 entries before continuing. There are just too many to then start scanning with other tools.
    Wouldn't you think this would be best advised first?
  4. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Kimsland, I am pretty much 1-dimensional these days. I'm just geared toward moving members through the scans. I focus on cleaning the infestations.

    I am all for methodology. We all benefit from sharing techniques and discoveries. If there is some way of holding up 'examples' or 'case studies' from what happens here, it would improve functioning for everyone.

    While one goal could be a well-rounded specialist, another means to the same goal is to partition the effort among the team.

    Since your perspective is more global than mine, I lack an appreciation for considering the burden of startups in general, and specific applications with borderline practices (foistware).

    As the saw goes - oz. of prevention versus the proverbial lb. of cure. Another saw - let's close the barn door. Please help with the startups.


    My findings: 5 hits in MBAM log
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmalodamapesep (Trojan.Agent) -> Delete on reboot.
    • C:\WINDOWS\ecowubucu.dll (Trojan.Agent) -> Delete on reboot.
    • C:\WINDOWS\system32\yapfieztalboz.dll (Trojan.Agent) -> Delete on reboot.
    • C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
    • C:\WINDOWS\system32\mfmpabooamlepal.dll (Adware.BHO) -> Delete on reboot.


    My view: There is a fine line between ‘nanny’ and ‘ninny’
    • best to remove most of the many o4 entries, before continuing. There are just too many
    • computer is mainly used by teens
    • personal habits of members cannot be broken easily.


    Tweaking for the Updated 8-Steps
    • Unanswered items – ‘delete on reboot’, ‘Removed Selected’
    • Before posting Scans – take them to ‘clean’ or ‘something it cannot clean’
  5. LO1109

    LO1109 Newcomer, in training Topic Starter

    Hi - Thank you both for your replies. The computer seems to be working OK right now, although I know that may be misleading. If there is something I should do from this point, please share that information with me. I am happy to delete the O4 items, although I'm not sure how to go about doing so. I can also rerun the scans and repost the logs if that is helpful.

    I added Registry Mechanic and Spyware Doctor in response to the problems we've been having the past couple of weeks. I had been running Trend Micro the whole time, however. If there are better packages out there I'd be happy to hear about them and uninstall what I am currently using. At this point, I'll uninstall Registry Mechanic and Spyware Doctor since they seem redundant.

    Thanks again for your attention. I appreciate your guidance!
  6. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Draft Draft Draft - Started - Dec. 10, 2008 - Draft Draft Draft

    How to Manage Startup Applications Using HiJackThis

    HJT Capabilities
    • HiJackThis is a useful tool for managing startup applications.
    • HJT log is a convenient listing of startup (O4) applications.
    • HJT 'tick & fix' has the ability to eliminate programs from running at startup
    • Changes can be reversed (a.k.a. - undo)
    • O4 items appear in msconfig > startup

    HJT Usage
    • Tick & Fix - Same effect as regedit
      • Main Menu > System Scan Only > tick items to be fixed > Fix Checked
    • Undo From Advance Menu
      • > other stuff > Config > Backups > tick items

    Global Startup -
    • Shortcuts to applications
      • appearing in startup folders: Right click 'Start' > 'explore'
    • HJT has the same effect as manual deletes
      • Individual user
      • All users
      • Default user
    Tick & Fix
    Code:
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

    Control From Application – recommend decline startup
    Code:
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe (User 'Kids')
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Kids')
    O4 - S-1-5-21-2986887021-3910996275-176885219-1011 Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\{BA212BCB-99AB-47AD-B0F9-05A0F51DC7DE}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe (User 'Matt')
    O4 - S-1-5-21-2986887021-3910996275-176885219-1011 User Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\{BA212BCB-99AB-47AD-B0F9-05A0F51DC7DE}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe (User 'Matt')

    Control From HJT – any item above lacking tick box to remove from startup
    Code:
    HJT > Tick & Fix
    * Equivalent to using msconfig > startup tab
    * Other usage removes 'orphaned' items appearing in msconfig / startup

    Dirty Startup - - Control from the application is the only way to prevent re-occurrence here.
    Code:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Kids')

    Untouchable - - Keyboard shortcuts are included - actually it's user's choice
    Code:
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" –hide
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

    special case – system generated. OK to eliminate? Do not know.
    Code:
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kids')
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Conor')
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Matt')
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    Let MBAM & SAS decide this one.
    Code:
    O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1010\..\Run: [Cmalodamapesep] rundll32.exe "C:\WINDOWS\ecowubucu.dll",e (User 'Conor')

    Technical Details:
    http://www.bleepingcomputer.com/startups/hkcmd.exe-1939.html
    http://www.bleepingcomputer.com/startups/igfxpers.exe-20641.html
    http://www.bleepingcomputer.com/startups/KBD.EXE-2398.html
    http://www.bleepingcomputer.com/startups/cloaker.exe-14039.html
    http://www.bleepingcomputer.com/startups/MSASCui.exe-14484.html
    http://www.bleepingcomputer.com/startups/Recguard-4419.html
    http://www.bleepingcomputer.com/startups/oe_oem-15377.html
    http://www.bleepingcomputer.com/startups/pccguide.exe-3989.html


    http://www.bleepingcomputer.com/startups/ehTray-1525.html
    http://www.bleepingcomputer.com/startups/IAAnotif-2074.html
    http://www.bleepingcomputer.com/startups/iaanotif.exe-2074.html
    http://www.bleepingcomputer.com/startups/DiscUpdateManager-15124.html
    http://www.bleepingcomputer.com/startups/DMAScheduler-16876.html
    http://www.bleepingcomputer.com/startups/HPBootOp-15123.html
    http://www.bleepingcomputer.com/startups/HPWuSchd2.exe-2003.html
    http://www.bleepingcomputer.com/startups/rundll32.exe_NvCpl.dll_NvStartup-3803.html
    http://www.bleepingcomputer.com/startups/NvMediaCenter-3828.html
    http://www.bleepingcomputer.com/startups/nwiz-3838.html
    http://www.bleepingcomputer.com/startups/SsAAD.exe-8616.html
    http://www.bleepingcomputer.com/startups/Reminder-4495.html
    http://www.bleepingcomputer.com/startups/PicasaMediaDetector.exe-4045.html
    http://www.runscanner.net/filelibrary/ATR1.EXE.html
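As an added example (not code from the thread, from HijackThis, or from MBAM), the following Python script parses O4 lines in the log layout quoted above and cross-checks them against MBAM's "Delete on reboot" findings, flagging by rule what rf6647 sorted by hand: entries still listed after a scheduled removal, modules loaded through rundll32 from outside system32, and shortcuts pointing into a Temp directory. The sample HJT and MBAM lines, SIDs and GUID are constructed for the example.

```python
import re

# Constructed HijackThis O4 lines in the 2008 log layout the thread quotes
# (SIDs and the GUID are made up; entry names mirror the thread's log).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-21-1-2-3-1010\..\Run: [Cmalodamapesep] rundll32.exe "C:\WINDOWS\ecowubucu.dll",e (User 'Conor')
O4 - S-1-5-21-1-2-3-1011 Startup: Game Registration.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\{GUID}\ATR1.exe (User 'Matt')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""
# Constructed MBAM result lines: found, but only scheduled for removal at reboot.
SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmalodamapesep (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ecowubucu.dll (Trojan.Agent) -> Delete on reboot.
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<entry>.+?)(?: \(User '(?P<user>[^']*)'\))?$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a quoted path or a bare token

def parse_o4(line):
    """Return {'where', 'name', 'target', 'rundll', 'user'} for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    where, entry, user = m["where"], m["entry"], m["user"] or ""
    if entry.startswith("["):                       # registry Run value: [Name] command
        name, _, cmd = entry[1:].partition("] ")
        toks = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
        rundll = bool(toks) and toks[0].lower() in ("rundll32.exe", "rundll32") and len(toks) > 1
        target = toks[1].split(",")[0] if rundll else (toks[0] if toks else "")
    else:                                           # startup-folder shortcut: Name.lnk = target
        name, _, target = entry.partition(" = ")
        rundll = False
    return {"where": where, "name": name, "target": target.strip('"'), "rundll": rundll, "user": user}

def mbam_objects(text):
    """Lower-cased file paths and registry value names that MBAM reported."""
    hits = [l.split(" (")[0].strip().lower() for l in text.splitlines() if " -> " in l]
    return set(hits) | {h.rsplit("\\", 1)[-1] for h in hits}

def triage(hjt_text, mbam_text):
    """Map each O4 name to the reasons it deserves a second look ([] = nothing flagged)."""
    found, report = mbam_objects(mbam_text), {}
    for e in filter(None, map(parse_o4, hjt_text.splitlines())):
        low = e["target"].lower()
        checks = [("runs from a Temp directory", "\\temp\\" in low),
                  ("rundll32 loads a module outside system32", e["rundll"] and "\\system32\\" not in low),
                  ("still listed after MBAM reported 'Delete on reboot'", low in found or e["name"].lower() in found)]
        report[e["name"]] = [why for why, hit in checks if hit]
    return report
```

An entry with an empty reason list is not declared clean; it simply matched none of the three rules, and the thread's own advice (rerun MBAM and SAS until the logs come back clean) still applies.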
  7. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Best reply post I've ever seen :grinthumb