
Do I need to do malware removal?

Discussion in 'Virus and Malware Removal' started by mom26gr8kids, May 9, 2012.

  1. mom26gr8kids TechSpot Enthusiast Posts: 215

    My CFScript log looks exactly the same as what you had here, and I dragged it into Combofix just as instructed. The Combofix on my desktop says ComboFix shortcut, but when I dragged the script there, it launched Combofix. Would you like me to try it again?

    Avast did Quarantine the viruses it found. Here is the eset log:

    C:\_OTM\MovedFiles\05162012_190203\C_Users\Dad\Downloads\gimp_app_1201.exe Win32/InstallIQ application
  2. Bobbye Helper on the Fringe Posts: 16,406   +16

    You need to get this configured correctly:

    Instructions: Download Combofix from HERE or HERE and save to the desktop
    What you have: Running from: c:\users\Dad\Downloads\ComboFix.exe

    Instructions: Save this as CFScript.txt, in the same location as ComboFix.exe
    What you have: Command switches used :: c:\users\Dad\Desktop\CFScript.lnk

    Examples of what you should see:

    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\Dad\Desktop\CFscript.txt

    The code won't work when it's in one place and the program is in another. The Command switch has a .txt file extension, not .lnk.

    (When finished, it will produce a log for you at C:\ComboFix.txt)

    Uninstall Combofix. Reinstall correctly. Then run the fix.
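An added check, not from the thread or from ComboFix itself, that parses the two log header lines Bobbye compares above and reports the same three mismatches (program not on the Desktop, script in a different folder, script saved as a .lnk shortcut instead of .txt). It assumes the "Running from:" and "Command switches used ::" line formats exactly as quoted in the thread; the sample header is constructed for this example.

```python
import ntpath

# Constructed sample: the header a ComboFix log prints, in the mismatched
# state the thread describes (exe in Downloads, script is a .lnk on the Desktop).
SAMPLE_LOG = """ComboFix 12-05-31.03 - Dad 05/31/2012 19:02.9.2 - x86
Running from: c:\\users\\Dad\\Downloads\\ComboFix.exe
Command switches used :: c:\\users\\Dad\\Desktop\\CFScript.lnk
"""


def parse_header(log_text):
    """Return (exe_path, script_path) from a ComboFix log header.

    Either value is None when its line is absent (a plain run with no
    CFScript produces no 'Command switches used ::' line at all).
    """
    exe = script = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running from:"):
            exe = line.split(":", 1)[1].strip()
        elif line.lower().startswith("command switches used ::"):
            script = line.split("::", 1)[1].strip()
    return exe, script


def check_setup(exe, script):
    """Compare the two paths the way the helper does; return a list of problems."""
    problems = []
    if exe is None:
        return ["no 'Running from:' line found; is this a ComboFix log?"]
    # ntpath handles Windows paths on any OS; normcase lowercases and fixes slashes
    exe_dir = ntpath.normcase(ntpath.dirname(exe))
    if not exe_dir.endswith("\\desktop"):
        problems.append(f"ComboFix.exe runs from {exe_dir}, not from the Desktop")
    if script is None:
        return problems  # plain run without a CFScript: nothing more to check
    script_dir = ntpath.normcase(ntpath.dirname(script))
    if script_dir != exe_dir:
        problems.append(f"CFScript is in {script_dir} but ComboFix.exe is in {exe_dir}")
    ext = ntpath.splitext(script)[1].lower()
    if ext == ".lnk":
        problems.append("the dropped file is a Windows shortcut (.lnk), not CFScript.txt; "
                        "'Hide extensions for known file types' is probably on")
    elif ext != ".txt":
        problems.append(f"CFScript extension is {ext!r}, expected '.txt'")
    return problems


if __name__ == "__main__":
    for problem in check_setup(*parse_header(SAMPLE_LOG)):
        print("-", problem)
```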
  3. mom26gr8kids TechSpot Enthusiast Posts: 215

    I already uninstalled and then reinstalled ComboFix. There is no option for me to save it to the desktop. The only two options that come up are Save File or Cancel. Once it downloads and I click on it, that starts running the program. If there is a way to save it somewhere other than where my computer saves it, I am not given that option (perhaps that is an issue with my downloads manager). And I did save the CFScript as a .txt file, so I am not sure why it has an .lnk file extension.

    Let me know how I can save ComboFix to the desktop so that I can run the fix that you requested.
  4. Bobbye Helper on the Fringe Posts: 16,406   +16

    You can choose a location on your computer where downloads should be saved by default. This means that whenever you use File> Save As, or when you choose to Save a download, it will automatically default to the location you have set.
    You may find setting the Default Download Location to your Desktop the most convenient.
    If you want to move the file later, you can. If you want to delete the file, it will be most handy on the Desktop. For the cleaning and scanning programs we use, almost all are directed to be saved to the desktop.

    Set Default Download Location in Browsers:

    Chrome:
    Open Chrome> Customize and control> Options> Under the Hood> Downloads> Change> Select Desktop> OK
    (Don't check 'ask where to save each time....')

    Firefox:
    Open Firefox> Tools> Options> Main/General> Downloads Section> Save Files to> Browse> Navigate to and select Desktop> OK

    IE9:
    Open IE> Gear icon> View Downloads> Options> Browse to and select Desktop> OK

    There may be a slight difference in the path depending on the browser version. There may also be a box to check to "Ask me the location each time". I do not advise checking that box.
  5. mom26gr8kids TechSpot Enthusiast Posts: 215

    Bobbye

    I changed the Downloads so they will download to the Desktop and I ran Combofix, but I still could not get the CFScript to run. I keep getting this message:
    c:\Users\Dad\Desktop\Desktop\ComboFix.exe The directory name is invalid.

    So, I thought it created a folder on the desktop to save them into, so I went back into Firefox to change it so that it saved directly to the desktop, but then when I tried to uninstall it so I could re-download and install it I got the same message about the directory name being invalid. So, now I can't uninstall it, and I can't get the CFScript to run.

    When I go into the Firefox settings to have it download to the desktop, no matter what I click on it comes up with c:\Users\Dad\Desktop\Desktop as the path for the folder, even when I just click on Desktop and then click select folder.

    Guess I am going to need more help to get this figured out so I can run the CFScript.
  6. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please uninstall and delete everything you have for Combofix.

    1. Uninstall directions:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    2. AFTER the uninstall, do a search on the system for any Combofix related files and do a right click> Delete on each.
    3. Right click on Start> Explore> Computer> Local Drive(C)> Programs> if there is any folder entry for Combofix, do a right click> Delete.
    4. Reboot the computer.

    Now start over with a new download of Combofix, saved to the desktop. Do not run the fix; paste the log in your next reply.
  7. mom26gr8kids TechSpot Enthusiast Posts: 215

    All right, here is the new ComboFix Log

    ComboFix 12-05-31.03 - Dad 01/06/2012 0:33.9.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1259 [GMT -6:00]
    Running from: c:\users\Dad\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Dad\AppData\Roaming\.#
    c:\users\Dad\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-01 06:45 . 2012-06-01 06:45 -------- d-----w- c:\users\Dad\AppData\Local\temp
    2012-05-29 20:09 . 2012-05-29 20:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-27 03:34 . 2012-05-27 03:34 -------- d-----w- c:\users\Dad\AppData\Roaming\Oberon Media
    2012-05-27 03:34 . 2012-05-27 03:59 -------- d-----w- c:\program files\Oberon Media SIDR
    2012-05-27 03:17 . 2012-05-27 03:34 -------- d-----w- c:\programdata\Oberon Media
    2012-05-27 00:55 . 2012-05-27 00:55 -------- d-----w- C:\TEMP
    2012-05-17 01:02 . 2012-05-17 01:02 -------- d-----w- C:\_OTM
    2012-05-05 17:08 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-05 17:08 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-05 16:48 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-05-05 16:47 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-05 16:47 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-05 16:47 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-05 16:47 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-05 16:47 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-05 16:47 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-05-05 16:47 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-05 16:47 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-05-05 16:47 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-29 20:58 . 2011-06-03 15:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 21:56 . 2011-12-17 07:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-18 03:59 . 2012-03-18 03:10 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2012-03-18 03:59 . 2012-03-18 03:59 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2012-03-18 03:59 . 2012-03-18 03:10 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
    2012-03-18 03:10 . 2012-03-18 03:10 138056 ----a-w- c:\users\Dad\AppData\Roaming\PnkBstrK.sys
    2012-03-18 03:10 . 2012-03-18 03:10 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2012-03-11 21:13 . 2011-12-20 01:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
    2012-03-11 21:13 . 2011-12-20 01:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2012-03-11 21:13 . 2011-12-20 01:59 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2012-03-11 21:13 . 2011-12-20 01:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2012-03-11 21:13 . 2011-12-20 01:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2012-03-11 21:13 . 2011-12-20 01:58 301224 ----a-w- c:\windows\system32\guard32.dll
    2012-03-07 00:15 . 2011-07-16 05:08 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-07 00:15 . 2011-07-16 05:08 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-07 00:03 . 2011-07-16 05:10 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-07 00:03 . 2011-07-16 05:10 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-07 00:02 . 2011-07-16 05:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-07 00:01 . 2011-07-16 05:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-07 00:01 . 2011-07-16 05:10 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-03-07 00:01 . 2011-07-16 05:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-26 17:05 . 2011-03-24 02:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-31 3905920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-10-01 319488]
    "EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-10-01 323584]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
    "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2010-12-28 2392064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-06 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-29 257696]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-06 116608]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    xmlpros REG_MULTI_SZ XMLProvS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-29 20:58]
    .
    2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    2012-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?brand=ACAW&bmod=ACUS
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{209691AC-D76C-4989-96DB-91FF190476EE}: NameServer = 8.26.56.26,156.154.70.22
    FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\svjtkm5q.default\
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dd2ebf0&I=23&tp=ab&nt=1&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-01 00:45
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(7276)
    c:\windows\system32\guard32.dll
    .
    Completion time: 2012-06-01 00:49:18
    ComboFix-quarantined-files.txt 2012-06-01 06:49
    ComboFix2.txt 2012-05-27 00:20
    .
    Pre-Run: 23,176,925,184 bytes free
    Post-Run: 22,962,647,040 bytes free
    .
    - - End Of File - - B7F97476547154F2B28F555897D47CBD
  8. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay, looking good! One question: are you getting any blue screen?

    Are there any remaining problems?
  9. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please let me know if you need any more help.
  10. mom26gr8kids TechSpot Enthusiast Posts: 215

    Sorry for the delay, we were out of town for a few days and I forgot to let you know. I am not getting any blue screen and there do not appear to be any remaining issues. Let me know where we head next.
  11. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay, system looks good. You should consider leaving the default download site as the desktop.

    I also recommend that you set up an individual account for each user instead of having all work under the "Dad" account.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin