Solved 8 steps followed, please look at logs


Corteil

Hi,
I had some trouble with my laptop: IE was hijacked and a fake anti-virus program was installed, plus other evil software. Microsoft Security Essentials gives a clean bill of health. I have gone through the 8 steps; the logs are attached.

Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4024

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/04/2010 02:56:36
mbam-log-2010-04-23 (02-56-36).txt

Scan type: Quick scan
Objects scanned: 114429
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.



GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-23 07:37:34
Windows 5.1.2600 Service Pack 3
Running: w6eme5zk.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\pfloqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

? dxdipsrq.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[4640] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\BTHUSB \Device\000000a4 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a6 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 97F00D20
Device 97EFD7B4

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@0023453465b0 0x4B 0xDA 0x3E 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ccd6922 0x85 0x2C 0x4C 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ce74068 0xB9 0x88 0x2A 0x24 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@0023453465b0 0x4B 0xDA 0x3E 0xDB ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ccd6922 0x85 0x2C 0x4C 0x2D ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ce74068 0xB9 0x88 0x2A 0x24 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}@pafdbebfnjoeibcfbaopbnimbgkmamhj 0x69 0x61 0x65 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}@oapfdjhcmekiigjabmcefeiadfhioe 0x69 0x61 0x65 0x64 ...

---- EOF - GMER 1.0.15 ----

Both DDS logs, DDS.txt and Attach.txt, are attached because of their size.


Thank you for your time looking at this

Brian
 

Attachments:
  • Attach.zip (5.9 KB)
  • DDS.zip (6.2 KB)
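As an added example (not part of the original thread or of any tool mentioned in it), a small Python parser for the Malwarebytes log format posted above: it reads the summary counts and the per-section detections, then checks that the counts agree with the items actually listed and that every detection was quarantined. The embedded sample is an abbreviated copy of the log in the post.

```python
import re

# Abbreviated copy of the Malwarebytes 1.45 log posted above (constructed sample).
SAMPLE_LOG = r"""Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")        # e.g. "Files Infected: 1"
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")   # "<object> (<category>) -> <action>."


def parse_mbam_log(text):
    """Return (summary, sections): summary maps each 'X Infected' heading to its
    count; sections maps the heading to a list of (object, category, action)."""
    summary, sections, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith("Infected:"):            # start of a detail section
            current = line[:-1]
            sections[current] = []
        elif current and line and not line.startswith("("):
            if m := ITEM_RE.match(line):            # skip "(No malicious items detected)"
                sections[current].append(m.groups())
    return summary, sections


def count_mismatches(summary, sections):
    """Headings whose summary count disagrees with the items actually listed."""
    return [h for h, n in summary.items() if n != len(sections.get(h, []))]


def not_removed(sections):
    """Detections whose action was anything other than quarantine-and-delete."""
    return [item for items in sections.values() for item in items
            if not item[2].startswith("Quarantined and deleted successfully")]
```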
Welcome to TechSpot Brian. I'll help with the malware. While I finish checking these logs, please run the following:

Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double-click combofix.exe and follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Leave those logs for me and I'll see what needs to be removed.
 
New log files

Bobbye,

Thank you for your time. I have followed your instructions and have included the Eset log file below and attached the log file from Combofix.




ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ca7fd5ab76371c4e8c98956071fe3c92
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-24 01:58:05
# local_time=2010-04-24 02:58:05 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 12489028 12489028 0 0
# compatibility_mode=5891 16776869 100 100 4787 12305262 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=77541
# found=1
# cleaned=0
# scan_time=5203
C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe a variant of Win32/Induc.A virus 00000000000000000000000000000000 I
 

Attachments:
  • combofix.zip (7.7 KB)
Thank you for your patience Brian. Go ahead and run this while I write the script for Combofix.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Once again, Bobbye, thank you for your time in helping me with this. Here is the log you requested.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Brian
->Temp folder emptied: 1234064 bytes
->Temporary Internet Files folder emptied: 5705052 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 37997953 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes

User: NetworkService
->Temp folder emptied: 3622 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50636248 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 91.00 mb


OTM by OldTimer - Version 3.1.10.2 log created on 04242010_225802

Files moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temp\SQL.LOG moved successfully.
File move failed. C:\WINDOWS\temp\SQL.LOG scheduled to be moved on reboot.

Registry entries deleted on Reboot...


thanks

Brian
 
Okay, Speedy! How is the system running now? Go ahead with this:

Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\MtxVxd.sys
c:\windows\system32\Drivers\NvtSp50.sys

Folder::
c:\program files\ophcrack
c:\documents and settings\Brian\Local Settings\Application Data\hynyuwaah

Registry::
RegNull::
[HKEY_USERS\S-1-5-21-3191962127-1526828786-1711201123-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}*]

Driver::
MtxVxd
NvtSp50

Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
And please run a HijackThis scan and leave that log. We're almost through!

Please download HijackThis HERE.
  • Save it to a permanent folder (such as C:\HJT).
  • Open HijackThis, and select Do a system scan and save a logfile.
  • A Notepad document will open. Please post the contents of that document.
 
There seems to be some improvement. Please find the files you requested attached.

thanks

Brian.corteil
 

Attachments:
  • hijackthis.log (12.8 KB)
  • ComboFix.txt (27.7 KB)
Please run this:
Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\system32\drivers\SBREDrv.sys
c:\windows\system32\2819083972.dat
c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
c:\program files\bitcomet\BitComet.exe/AddLink.htm
c:\program files\bitcomet\BitComet.exe/AddVideo.htm
c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
c:\Documents and Settings\Brian\Desktop\Desktop\SConfigurator_Generic503.exe

Process::
c:\windows\ia\command.exe
c:\windows\ia\KE.vbs

Folder::
c:\windows\383dvc6k38a40aq9icbxjclw.ini
c:\program files\bitcomet\BitComet

Registry::
RegNull::
[HKEY_USERS\S-1-5-21-3191962127-1526828786-1711201123-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}*]

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Let me know how the system is doing now.

At your leisure, consider removing this: Dell Control Point:
http://dell-controlpoint-connection-manager.software.informer.com/
 
Bobbye, once again thank you for your continued support. I have attached the log file requested and removed Dell Control Point; my laptop seems to be running OK now and feels normal.
 

Attachments:
  • ComboFix.txt (26.6 KB)
You're very welcome. Glad to help.

Brian, do you know what this is? 2010-04-26 08:28: C:\AdemTech
I found information regarding nano- and immunotechnology, but I didn't find anything for a computer system.

I set up the following to remove the remaining Dell Control Point entries. You don't have to submit the log:
Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad and copy/paste the text in the code below into it:

Code:
File::
c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe

Folder::
Registry::

Driver::
dcpsysmgrsvc
DellConnectionManager
USCService
DellControlPoint
Dell ControlPoint System Manager

Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt.

If the malware problems have been resolved, you can go ahead with removing all of the tools we used and the files and folders they created.

Uninstall ComboFix and all backups of the files it deleted:
  • Click START > then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    (image: CF_Uninstall-1.jpg)

Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen, then click "Next".
  • Give the Restore Point a name > click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if I can be of more help in the future.
 
Yes, I know what it is.

2010-04-26 08:28: C:\AdemTech

It is a program for programming Honeywell Intruder Alarm panels. I had to install it on Monday to back up a panel I need to change.

Brian
 