Resolved: Random IP attacks, random pop-ups, etc.

Status
Not open for further replies.

spykerspyder

Good evening (or morning since it's 3 AM in my time zone),

I'm having a bit of trouble removing what I am beginning to believe is a rootkit of some sort. It's my hope that you ladies and gentlemen can help me.

First off, I want to thank you all for having such a forum available for people like me to get assistance.

About two weeks ago, my computer got infected with that rogue software AV Security Suite. Malwarebytes got it off, but since then, I've been getting attacked by the IPs of 91.212.226.59 and 91.212.226.179. It also causes strange tabs to open in my browser, that redirect me to odd URLs in the address bar (most of the URLs apparently are nonexistent, since it redirects me back to Google).

I would just like for this IP to stop attacking me and stop opening random weird URLs in my browser. I understand that my computer's security is more than likely greatly compromised at this point, and thus am planning to purchase an upgrade to Windows 7 (from Windows Vista). In the meantime, I'd just like to get rid of this . . . annoyance.

I tried following all of the steps in the 8 Steps thread. Unfortunately, when I tried to run DDS, my computer promptly gave me the dreaded blue screen of death. I'm providing the logs I do have.

Please let me know if I should try to run DDS again.

Thank you.
 

Attachments: gmer.log, mbam-log-2010-07-09 (00-46-57).txt
To start with, you have a DNS Changer malware infection. So let's handle that first:

It would be helpful to you if you print out these steps:
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  • [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
=======================================
It also appears that you have a Rootkit, so proceed with the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===================================
Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
  • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install the Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow it.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
Re-enable your Antivirus software.

We'll see what the status is after these scans. I may have you try DDS again if needed.
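
An added check for the DNS-changer step above (example code, not part of this thread or of any of the tools it uses): after the flush and the router reset, run `ipconfig /all`, save its output to a file and feed it to the script below. It lists every resolver each adapter is using and flags anything that is not on your expected list. The expected resolver (the router at 192.168.1.1) and the sample `ipconfig` output are assumptions constructed for the example; the 198.51.100.53 entry in the sample is a made-up stand-in for a resolver planted by the malware. This only checks the host: a DNS changer often rewrites the router's own DNS settings as well, which is why the router reset is in the steps above, so look at those on the router's configuration page too.

```python
"""Verify the host's DNS servers after cleaning a DNS-changer infection.

Usage:  ipconfig /all > ipconfig.txt   then   python check_dns.py ipconfig.txt
Run with no argument it checks the constructed SAMPLE at the bottom.
"""
import ipaddress
import re
import sys

# Assumption for this example: a home LAN whose router (192.168.1.1) is the
# only resolver the host should use. Put your ISP's resolvers here instead
# if the router hands those out directly.
EXPECTED_DNS = {"192.168.1.1"}

ADAPTER_HEADER = re.compile(r"^\S.*:$")                  # 'Wireless LAN adapter ...:'
DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)")  # first resolver is on this line
ADDRESS = re.compile(r"^[0-9A-Fa-f.:%]+$")               # continuation lines hold only an address


def parse_ipconfig(text):
    """Return {adapter_name: [dns_server, ...]} from `ipconfig /all` output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if ADAPTER_HEADER.match(line.rstrip()):
            current = line.strip().rstrip(":")
            adapters[current] = []
            in_dns = False
            continue
        m = DNS_LINE.match(line)
        if m and current is not None:
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
            continue
        # Extra resolvers follow on indented lines that carry nothing but an address.
        if in_dns and ADDRESS.match(line.strip()):
            adapters[current].append(line.strip())
        else:
            in_dns = False
    return adapters


def classify(server):
    """'expected', 'auto-ipv6' (Vista's default fec0::/10 placeholders) or 'unexpected'."""
    if server in EXPECTED_DNS:
        return "expected"
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop the zone id
    except ValueError:
        return "unexpected"
    if isinstance(addr, ipaddress.IPv6Address) and addr.is_site_local:
        return "auto-ipv6"
    return "unexpected"


def find_rogue_dns(text):
    """Return [(adapter, server)] for every resolver that is not one we configured."""
    return [(adapter, s)
            for adapter, servers in parse_ipconfig(text).items()
            for s in servers if classify(s) == "unexpected"]


# Constructed sample, modelled on the Vista `ipconfig /all` layout. The
# 198.51.100.53 entry is a made-up address standing in for a planted resolver.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 6:

   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.100%10
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    rogue = find_rogue_dns(text)
    for adapter, server in rogue:
        print(f"UNEXPECTED DNS server {server} on '{adapter}'")
    print("DNS settings look clean" if not rogue else f"{len(rogue)} resolver(s) to investigate")
```

Anything the script flags is a resolver you did not configure; it does not say whether that address is malicious, only that it should not be there on a machine that is supposed to use the router for DNS.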
 
Upon trying to initiate MBAM again, I was greeted with another blue screen. Please instruct what you would like for me to do from here.

EDIT: Please disregard the above. I got it to work. Proceeding with your directions. Thanks.
 
I tried to run ComboFix and got another blue screen. And now, just logging into Windows gives me a blue screen. I'm typing this in safe mode.

I'm starting to think that the only way for me to salvage my computer is to reformat and reinstall its OS, but I don't get paid for another two weeks so I wouldn't be able to afford the upgrade disk until then.

I'm attaching the second MBAM log and the SystemLook log.

Please instruct what you would like me to do.
 

Attachments: mbam-log-2010-07-09 (10-44-27).txt, SystemLook.txt
No, you're not at the point of needing to reformat/reinstall. Sometimes it just takes a few steps.

Reboot the computer
Empty the Recycle Bin

1. Did you do the DNS flush?
2. Did you do the router reset?
3. You have Combofix downloaded and saved to your desktop- is that right? When you try to run the scan, at what point do you get the BSOD? Is there a message in white letters on the BSOD?
4. When you attempted to rescan with MBAM you got a BSOD but got around it: what did you do that allowed you to rescan?

See if this will run- it's an online AV scan:

Run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please answer the 4 questions as specifically as you can and if Eset runs okay, leave the log in your next reply.
 
1.) I did do the DNS flush.
2.) I did the router reset as well.
3.) I get the BSOD as soon as I click on the icon. The most recent one said IRQL_NOT_LESS_OR_EQUAL before it rebooted.
4.) I didn't do anything to get around the BSOD for MBAM. I just clicked on it and crossed my fingers, haha. Maybe if I cross my fingers for ComboFix . . . lol?

Now when I click on the ComboFix icon, it shows what appears to be a small box with an extraction % bar . . . that flashes for maybe a second or two, and disappears. Then nothing happens.

I tried Eset in all of my browsers (Maxthon, Firefox, Google Chrome, and IE) and the only one that would even open the "ESET Online Scanner" green button was IE. I checked "Yes" and clicked "Start", and it brought me to an empty blue browser window with the word "Done" in the bottom left hand corner of the window.

Here's a screenshot of what it gives me.
 

Attachments: screenie.png
Very strange! Let's uninstall, then reinstall Combofix:


Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    (screenshot: CF_Uninstall-1.jpg)
=======================================
Now download again but with this change: When you are at this point of saving to the desktop:
(screenshot: download-save.jpg)


Go to the File Name box and change the name to random.exe

Courtesy bleepingcomputer.
Then see if you can run the scan.
 
Renaming to random.exe helped. Attached is the log ComboFix produced.

So far I haven't gotten an attack by any random IP and no random URL tabs either . . . but it's only been a few moments since the scan completed.
 

Attachments: log.txt
Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\hphins33.dat
c:\users\Miss Skyline\tdsskiller.zip
c:\users\Miss Skyline\fsbl.exe
c:\users\Miss Skyline\AppData\Local\ogahatew.dll
c:\users\Miss Skyline\AppData\Local\amidayiyuk.dll
c:\users\Miss Skyline\AppData\Local\asegabobi.dll
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\koemy.exe
c:\windows\System32\drivers\uehhnj.sys
c:\program files\SUPERAntiSpyware\SABKUTIL.sys
Folder::
c:\temp\simfilemaid
C:\temp
c:\users\Miss Skyline\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\users\Miss Skyline\hlcljdwn.exe
c:\program files\Enigma Software Group
c:\users\Miss Skyline\AppData\Local\oiexaenxs
c:\users\Miss Skyline\AppData\Roaming\Kewapi

DirLook::
C:\sh4ldr

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Driver::
istotfx
SABKUTIL

FCopy::
C:\Program Files\Intel\Intel Matrix Storage Manager\driver\iastor.sys | C:\Windows\System32\drivers\iaStor.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
(screenshot: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
 
You should be running much better now; are you? But I'm running into a problem because I can't check processes out due to the absent DDS log:

1. I see Entries for Norton Internet Security. This has both an AV program and a firewall.
2. I also see entry for Comodo firewall.
3. Your security was not disabled for Combofix as it should have been, so I see Comodo, Superantispyware and Windows Defender running, no indication of 'other' AV: NIS should show as either enabled or disabled for AV and FW. Neither shows.
4. IF you're still using the Lexmark printer, installed in 2007, please check to see if there is a driver update.

Handle the security programs please. Either make sure NIS is running correctly and includes the firewall, or leave Comodo as the firewall, remove Norton and replace with new AV.
======================
Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE 
c:\program files\COMODO\Firewall\cmdagent.exe
c:\users\Miss Skyline\hlcljdwn.exe
Folder::
C:\sh4ldr
c:\programdata\McAfee
Registry::

Driver::
SpyHunter 4 Service
Save this as CFScript.txt, in the same location as ComboFix.exe
(screenshot: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please try the Eset scan again. If the problem persist, I'll give you a different online scan to run.

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please paste all logs in next reply.
 
Very strange! I went to Programs and Features through the Control Panel and I don't see Comodo or Superantispyware. In fact, I don't even recall ever downloading either program . . .or maybe I did when I had decided not to renew Norton.

My Norton says its AV and FW are enabled. Strange!

Is there any other way to find Comodo and Superantispyware to get rid of them? I figured I should do that first before doing any of the other instructions.
 
I removed one entry for Comodo and one for McAfee in the script I left for you. I can check again for SAS. Did you decide after all to renew and run the Norton Internet Security? I'm a bit confused:

maybe I did when I had decided not to renew Norton.

My Norton says its AV and FW are enabled. Strange!
 
I was able to get Superantispyware off. However, I can't get Comodo off--it seems to be notorious for being hard to remove. I renewed Norton about a year ago, because Comodo had too many security notifications and it was annoying having to click through them. I uninstalled Comodo then (or so I thought!).
 
I need the Combofix log generated after the script. I'll look for any remaining SAS or Comodo entries and move them.
 
I've done everything except the ESET scan. It seems to be taking a while to download the virus database, so I figured I could post the other logs you need while I was waiting for it to download.

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:04:29 PM, on 7/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Intuit SyncManager] c:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Google Update] "C:\Users\Miss Skyline\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - c:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COMODO Programs Manager Service (CPMService) - Unknown owner - C:\Program Files\COMODO\COMODO Programs Manager\CPMService.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QBCFMonitorService - Intuit - c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12143 bytes
 
The text from the ComboFix log was too long to post in one post. I didn't want to break it up so I'm attaching it instead.
 

Attachments: log.txt
Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop

Close all Windows except HijackThis and click on "Fix Checked."
==============================
Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\drivers\ComodoUsageReportDriver.sys
c:\program files\COMODO\COMODO Programs Manager\CPMService.exe
c:\windows\system32\DRIVERS\cmdhlp.sys
DirLook::
C:\fileimage.dat

Folder::
c:\program files\COMODO
c:\programdata\comodo

Registry::

Driver::
CPMService
ComodoUsageReportDriver
cmdHlp
Save this as CFScript.txt, in the same location as ComboFix.exe
(screenshot: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
This should handle Comodo. Have you run Eset yet? And are there any more malware related problems?
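
An added triage script for the HijackThis log posted above (example code, not part of this thread or of HijackThis): it pulls out the kinds of entries the helper acted on, namely registrations whose target file is gone (the two Comodo services, the nameless BHO), services with no vendor/owner, and autostarts that run from a user profile where any unprivileged process can write. The sample lines are copied from the log in the thread; the rules and the "user-writable" path pattern are this example's own assumptions. As the instructions above say, nothing it prints should be "fixed" without a human deciding first: the Google Update entry under AppData is a legitimate example of an autostart in a user-writable path.

```python
"""Triage a HijackThis log: surface the entries a helper looks at first.

HijackThis lists autostarts (O4), browser helper objects (O2), protocol
handlers (O18), services (O23) and so on. Most of it is legitimate, which is
why the thread says not to let it 'fix' anything blindly. This only flags:
  * entries HijackThis marks '(file missing)' or '(no file)': an orphaned
    registration left by an uninstall, or by malware whose payload is gone,
  * O23 services with 'Unknown owner' or no owner at all (no vendor in the
    file's version info),
  * O4 autostarts whose executable lives under a user profile.
Everything it prints still needs a human decision before anything is fixed.
"""
import re

ENTRY = re.compile(r"^[ROF]\d+ - ")                       # HJT item lines: O2, O4, O23, R0 ...
ORPHAN = re.compile(r"\((file missing|no file)\)", re.I)
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) -\s*(?P<owner>.*?)\s*- (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Assumed rule: locations an ordinary user can write to.
USER_WRITABLE = re.compile(r"\\(Users|Documents and Settings)\\[^\\]+\\", re.I)


def triage(log_text):
    """Return [(reason, line)] in log order for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY.match(line):
            continue                      # headers, process list, blank lines
        if ORPHAN.search(line):
            findings.append(("orphaned entry (target file missing)", line))
            continue
        m = O23.match(line)
        if m:
            if m.group("owner").strip().lower() in ("", "unknown owner"):
                findings.append(("service with no vendor/owner", line))
            continue
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m and USER_WRITABLE.search(m.group("cmd")):
            findings.append(("autostart from a user-writable path", line))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Windows Defender\MSASCui.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Miss Skyline\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it against a saved log with `python hjt_triage.py < hijackthis.log` after changing the last block to read `sys.stdin`; the point of keeping the rules as separate regexes is that you can add the next pattern you learn to recognise (a rundll32 entry pointing at a DLL with a random name, say) without touching the loop.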
 
ESET found a crapton of trojans. I was surprised--I guess what they say about Norton is true. Won't be paying for that anymore!
 

Attachments: esetlog.txt, log.txt
Some things you need to know about malware. The first line of defense is the user. When file sharing is done, expect malware. LimeWire is a great source of malware.

Somewhere along the way, either you or a friend connected a flash drive to your computer and transferred infected Weather Bug. You will need to disinfect the flash drive also.

The files showing spool\prtprocs\w32x86 are from the Trojan.TDSS. We are still removing malware that was originally on the system. I requested the Eset log a week ago but you thought it took too long.

The 3 Qoobox entries are from Combofix. Qoobox is where Combofix puts the quarantined files. They are no longer active in the system.

Another source of infection is the sites you download from, even other than the P2P sites. Regarding the AOLIMS infected file, read THIS.

Regarding the SwSetup folder see THIS. As for Norton, well, I think you can find better, but you will have to share the reasons for the malware.
=====================================
Go ahead and run this- I'll check the Combofix log.
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\SwSetup\AOLIMS\setup.exe	
    C:\Users\Miss Skyline\Documents\LimeWire\Incomplete\T-5559077-15 brennende liebe.au	
    C:\Users\Miss Skyline\Documents\LimeWire\Incomplete\T-5850717-isley brothers busted.au	
    C:\Users\Miss Skyline\Flash Drive Stuff\Flash Drive Files\aim553599.exe	
    C:\Users\Miss Skyline\Music\Pop\Rihanna\Rihanna - Disturbia (Remixes) (Promo CDM) (2008)\08-rihanna-disturbia__craig_cs_disturbstramental_mix_.mp3	
    C:\Windows\System32\spool\prtprocs\w32x86\3o7oCEIQ.dll	
    C:\Windows\System32\spool\prtprocs\w32x86\79w1uOC.dll	
    C:\Windows\System32\spool\prtprocs\w32x86\A5kU5.dll	
    C:\Windows\System32\spool\prtprocs\w32x86\q31793i7q.dll	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
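
An added check for the print-processor point made above (example code, not part of this thread or of OTMoveIt): the spooler service (spoolsv.exe, running as SYSTEM) loads print processor DLLs from %SystemRoot%\System32\spool\prtprocs\w32x86\, which is why a spooler-hijacking rootkit parks randomly named DLLs there. The script lists every DLL in that directory that is not on an allowlist and notes which names look machine-generated. The allowlist (just winprint.dll, the stock Windows print processor) is an assumption; the sample directory it builds is constructed from the four filenames in the OTMoveIt list above plus winprint.dll and an unrelated text file.

```python
r"""List DLLs in the print-processor directory that do not belong there.

spoolsv.exe loads every print processor registered under
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors
from %SystemRoot%\System32\spool\prtprocs\w32x86\. A stock install has
winprint.dll there and little else, so an unexpected DLL, especially one with
a random-looking name, is worth quarantining and submitting for analysis.

Usage: python prtprocs_check.py C:\Windows\System32\spool\prtprocs\w32x86
(with no argument it scans a constructed sample directory instead).
"""
import os
import re
import sys
import tempfile

# Assumption: winprint.dll is the only print processor this machine should have.
# Add your printer vendor's DLL here if it registers one.
ALLOWED = {"winprint.dll"}

# Heuristic for machine-generated names: 4-12 characters mixing letters and
# digits with no separators, e.g. '3o7oCEIQ' or 'q31793i7q'.
RANDOMISH = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{4,12}$")


def looks_random(stem):
    """True if a filename stem matches the random-name heuristic above."""
    return bool(RANDOMISH.match(stem))


def suspicious_print_processors(directory, allowed=ALLOWED):
    """Return sorted [(filename, looks_random)] for DLLs not on the allowlist."""
    hits = []
    for entry in os.scandir(directory):
        name = entry.name
        if not entry.is_file() or not name.lower().endswith(".dll"):
            continue
        if name.lower() in allowed:
            continue
        hits.append((name, looks_random(name[:-4])))
    return sorted(hits)


# Constructed sample: winprint.dll plus the four names from the OTMoveIt list.
# Only the filenames matter, so the files are created empty.
SAMPLE_FILES = ["winprint.dll", "3o7oCEIQ.dll", "79w1uOC.dll", "A5kU5.dll",
                "q31793i7q.dll", "readme.txt"]


def build_sample_dir():
    """Create a throwaway directory holding SAMPLE_FILES and return its path."""
    d = tempfile.mkdtemp(prefix="prtprocs_")
    for n in SAMPLE_FILES:
        open(os.path.join(d, n), "wb").close()
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, rnd in suspicious_print_processors(target):
        note = " (random-looking name)" if rnd else ""
        print(f"{name}: not an allowed print processor{note}")
```

The allowlist does the real work; the random-name flag only orders the output. A DLL with a plausible vendor name that is not on the list still needs checking, which is why it is reported too.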
 
As far as explaining the malware, I did participate in file sharing once upon a time, and that’s why Limewire is on my computer—but I don’t think I’ve used it since late 2008 or early 2009. As a matter of fact, I’m not sure why it’s still on my computer. I should uninstall it. I find it hilarious that my computer gets infected with stuff when I haven’t downloaded anything. (I haven’t had consistent access to the Internet, so I haven’t been able to download stuff, even if I wanted to.)

As far as AIM, I haven’t used that in ages, either. Occasionally I pop on, but not enough to warrant keeping it, either.

WeatherBug . . . I did have that as an app installed on my Android phone. When I plugged it in via USB . . .maybe that’s how my computer got infected with the WeatherBug thing? I don’t plug my phone into my computer anymore since I’ve found its charger. Anyway, I’ve uninstalled the app from my phone. I think I’d have to reformat the phone itself to get rid of the WeatherBug, and I won’t be plugging the phone into my computer anymore . . . my contract with it expires in December and I won’t be using this handset anymore after that anyway.

In any case, I'll be reformatting all of my flash drives.

Here's the requested log.
 

Attachments: 07192010_163902.log
You don't have to download to get infected:
Maintenance - what's that?

I think many users do as described here:

14 ways to get Infected without trying

A little bit of humour but also based on fact.

1) Look for cracks, subdivided in illegal software and .....

2) Practice unsafe hex, browse the web for free pOrn

3) Look for software that adds smileys to your posts, mail etc

4) Look for kewl skins, screensavers etc

5) Look for spyware removers, concentrate on the kind that makes you pay before it removes anything

6) Install a P2P program and repeat all of the above

7) You always want the best; use p2p to download anti-virus/firewall software.

8) Do NOT pay for anything, the internet is a place where you can steal anything from everyone without even saying as much as thank you

9) Don't have/use/update antivirus/security software

10) Look for pokergames, slotmachines and other gambling outfits

11) Look for ringtones and other stuff to bling your phone

12) Click on those unexpected links and attachments in email, because you're curious...

13) Do loan your laptop to the next door neighbour for the weekend and give him your Admin account login so he can get his project done with no hassles

14) Let the Babysitter use your laptop for 'schoolwork'


Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life.
 
Heh, that's so true . . . I used P2P to download mp3s when I couldn't afford CDs. I've gotten too picky, though . . . I find that CD quality > mp3 quality, hands down.

Is there anything else you'd like me to do?

Thank you for all of your help and patience while helping me.
 
Please uninstall programs you no longer use. That's where you start. Do any of the original malware problems remain?

Please do another Eset scan and leave the new log. I want to make sure there is nothing new there.

Then do the following:
Choose v2.0.4:
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Did you want to try to disinfect the flash drives?
 
Here's the requested logs.

I reformatted one of the flash drives. The other one I can just discontinue using. I'm going to make sure I don't plug my phone into my computer anymore.

Unfortunately, I'm not sure if we'll be able to do anything else for my computer for the time being. I'm losing my source of Internet access for a while. I'm going to try to see if I can't locate another source with Wi-Fi or something similar. I'm sure my college campus must have wireless somewhere, and I should be able to connect to it since I'll be a student in the fall.

Thanks so much for your help. I don't know how the threads work here--maybe someone could close it, and I could PM someone to have it re-opened when I have Internet access again?

I started getting the occasional redirect. The address bar says http://results5.google.com before taking me somewhere other than where I wanted to go.

Thank you again so much. You have been helpful, courteous, and patient. I appreciate it very much.
 

Attachments: log.txt, hijackthis.log