Vundo or other stuff wreaking havoc

By leftwngr
Oct 24, 2009
Topic Status:
Not open for further replies.
  1. Conducted 8 steps as directed.

    Main problem is that IE is not displaying, of all things, the microsoft family of sites properly. Hotmail comes up with a blank screen and a done message in the lower left. Works on Firefox.

    Please help.

    Logs attached

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Could be because you are so full of Adware that there isn't room for anything else! I'm going to have to check all the 016 entries for MyWebSearch.

    But in the meantime:

    I have noticed that you have multiple antivirus programs running. You have both Symantec and AVG.

    You should decide which you want to keep and remove the others for the following reasons:
    • *Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • *Multiple antivirus programs can also slow down the system.

    The Paid Program is Symantec/Norton But if is a Trial or has expired and you want to remove it:The free program is AVG:
    (You must download the latest version of AVG from the website, and then run it- select Uninstall).

    I'll be back after I've reviewed the logs- it's probably going to be sometime tomorrow.
  3. leftwngr

    leftwngr Newcomer, in training Topic Starter Posts: 16

    messy , I know

    Yeah, it's a mess. It's a laptop that my wife's friend has been using.

    I've run the 8 steps and cleared the majority out, and I've run the Norton removal, and that seems to have done the trick.

    I'll run MBAM again and cross my fingers for no new infections.

    Thank you. You guys rock.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Update Mbam before scanning again. And repeat the Superantispyware scan. You can attach those 2 logs in next reply.

    Rescan with HijackThis and paste that log in next reply. I'll help find and remove the adware and any other malware still lurking in the system.
  5. leftwngr

    leftwngr Newcomer, in training Topic Starter Posts: 16

    Thank you much

    Here are the requested logs.

    Thank you again.

    SAS found some tracking cookies... whatever this is, it's pretty deep.

    Thank you
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Follow these directons:

    I wanted to check all of the 016 entries..

    Please reopen HijackThis to 'do system scan only'. Check the following if present:
    The Optional Adware entry is coded in Green. Please see Adware Description below:

    Adware: Optional Removal is suggested because:
    • Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used.
    • Some types of adware are also spyware and can be classified as privacy-invasive software.

    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://vbv.shinhancard.com/popup/npkcx_lg.cab> (NProtect adware) See Optional Removal for Adware
    O18 - Filter hijack: text/html - {18b5644f-f03e-4a6b-940d-06ce6ed8fc85} - C:\WINDOWS\system32\xwreg32.dll
    O23 - Service: Apple ¸ð¹ÙÀÏ Àåºñ (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour ¼*ºñ½º (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Using Windows Explorer: Right click on Start> Explore> My Computer> Local (C) Drive> Windows System 32> right click> delete the following file if present:

    xwreg32.dll

    Open IE> Tools> Manage add-ons> look for the following Active X entry in both sections of the addons> click to highlight> Disable the object:

    NPKCX > Optional

    Then click on Start> Run> services.msc> Find each of the Services below> double click on each> change Startup Type to Disabled> Stop the Service:

    AppleMobileDeviceService
    Bonjour Service


    Close the Services. Reboot the computer.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please attach the report in the next reply. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    The rescan with HijackThis and PASTE new log into next reply.

    NOTE: Attach Combofix report.

    PASTE HijackThis log.
  7. leftwngr

    leftwngr Newcomer, in training Topic Starter Posts: 16

    sorry for the delay

    Combo Fix log attached.

    HJT log pasted below.

    Thank you!



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 오후 9:24:19, on 2009-11-06
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\npkcmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [SetDefPrt2] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {042D97DD-E197-411A-8298-6EE85F1C1421} (mkdsfwCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdsfw.cab
    O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyImageUpload_10217.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.metroseoul.co.kr/common/ScriptX.cab
    O16 - DPF: {1A07C296-6C4B-4776-BD41-491F7611B8DA} (ddoba Control) - http://www.ddoba.com/install/ddoba.cab
    O16 - DPF: {1F9079B1-CB38-4DC0-9DAD-080BD2255698} (kongdisk File Share Control 5) - http://www.kongdisk.com/activex/KongdiskControl.CAB
    O16 - DPF: {3B56E5F0-7B20-48BF-B439-A995BE5191EF} (SessionControl Control) - http://pib.wooribank.com/com/common/SessionControl.cab
    O16 - DPF: {3C36DCBE-5CDF-4C35-9D0B-4A1882B2EB0A} (AllatPayREAtl Class) - https://tx.allatpay.com/component/AllatPayRE.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {52DFD4CA-F497-427D-8616-604915CCEA51} (HaninDiskCtrl Control) - http://hanindisk.com/app/HaninDiskCtrl.cab
    O16 - DPF: {55CE0824-B8F3-4E6A-9797-17FDA555A8E5} (KvpTopd Control) - http://www.vpay.co.kr/kvpfiles/KvpTPd20.cab
    O16 - DPF: {5F784BB5-AE19-46D3-88F6-2E8391A5DF59} (WebTrans Control) - http://mail.totodisk.com/mail/WebTrans.cab
    O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - http://pib.wooribank.com/com/XecureCK/CKKeyPro.cab
    O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/XecureWeb/v7.2.0.2/xw_install.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://gogoyoo.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} (CyImage Class) - http://cyimg7.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
    O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (V3D Client Control) - https://v3d.kcp.co.kr/file/kcp_ansimclick.cab
    O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://www.bankpay.or.kr/BankPayEFT.cab
    O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,2
    O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - https://vbv.shinhancard.com/infovine/VineTransfer.cab
    O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4681BF4-A927-4774-A207-1CF61BC1992E} (TrustedSite Control) - http://www.bankpay.or.kr/TrustedSiteCtrl.cab
    O16 - DPF: {E0F0958B-C5EB-49E3-8567-E018D2407F35} (Kongdisk Control) - http://www.kongdisk.com/install/kongdisk.cab
    O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,22
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E34B9A43-BC77-4C42-845C-04E49BADD7AA} (Skopi_ReplyFancy Control) - http://cyimg7.cyworld.nate.com/photoPrint/pSkopi_ReplyFancy_new.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
    O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://kings.cachenet.com/kdfx218/kbstar/kdfense9.cab
  8. leftwngr

    leftwngr Newcomer, in training Topic Starter Posts: 16

    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ipp - (no CLSID) - (no file)
    O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
    O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod 서비스 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

    --
    End of file - 13767 bytes
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Before we go much further:

    These programs were running on these dates: Now there is NO antivirus program running
    c:\program files\ESET>> 2009-10-24 20:07
    c:\program files\AVG>> 2009-10-22 04:07

    Combofix also shows C:\VundoFix Backups>> 2009-10-24 08:04- so it appears that program was run.

    Stealth MBr Rootkit:
    Driver\atapi IRP hooks detected !


    I don't know where to start! There is so much junk on the system, cleaning and keeping it safe is going to be a big problem! If you want to try it, get an AV program:
    Both of the following programs are free and known to be good:
    Avira Free
    Avast Home

    Then start removing the entries as I have instructed.


    Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ipp - (no CLSID) - (no file)
    O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
    O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
    O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll


    Close all Windows except HijackThis and click on "Fix checked."


    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:

    All processes related to Brother scanner
    Paper Port
    Adobe PhotoShop
    Canon camera
    Adobe Reader
    Java


    To help you identify the Command Line for the process, please refer to the image below- hold left mouse button down on the crosshair and move the frame dividing line to the right. This will expand the column.
    http://img116.imageshack.us/img116/5327/msconfigyd9.jpg

    When finished: Apply> OK

    Click on Start> Run> type in services.msc> double click on each Service and set Startup type as indicated:

    AdobeActiveFileMonitor-Manual
    Ati HotKey Poller - Manual
    brmfrmps (Brother Popup Suspend service for Resource manager) Manual OR Disable
    brsvc01a.exe- Manual
    CALMAIN.exe- Manual
    CCALib8- Manual
    FNPLicensingService- Manual
    gusvc ( Google Updater\GoogleUpdater)- Disable
    IDriverT- Manual
    InCDsrv- Manual
    iPodService- Manual
    jqs.exe (Java Quick Starter)- Disable
    NICSer_WPC54G- Manual


    Recommend Disable Startup Type for both: see http://en.wikipedia.org/wiki/INCA_Internet
    npkcmsvc - (INCA Internet)
    npkcsvc - (INCA Internet)


    When finished> OK> Apply> OK. Close Services

    Reboot into Normal Mode: NOTE: you will get a nag message the first time you boot back into Normal Mode. You can ignore and close the message after checking 'don't show this message again.' STAY in Selective Startup.

    When you have finished the above, you need to review all of the Active X Objects running. these are the 016 entries and they can expose the system to vulnerabilities. There are way too many of them. To check:

    Open IE> Tools> Manage add-ons> review each of these entries. Identify each. Determine is using or needed. Disable a many as you can.

    Then give me a new HijackThis log.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.