Solved [Active] Compaq laptop with malware problems

Status
Not open for further replies.

Chivas

At least that's what it seems: every time I log into MSN Messenger a message appears that someone added me. However, if I log into MSN Messenger from another computer then that message does not appear, unless, of course, someone really did add me.

Also, sometimes it will try to "Install Adaptec CD Creator" when I'm in Windows Explorer.

I ran the Malware Removal Instructions. Here's what I did:

1.- Uninstalled AVG Antivirus, already expired.
2.- Installed Avira Antivirus.
3.- Uninstalled Spybot Search and Destroy. I didn't use it anymore.
4.- Ran CCleaner. I know this tool isn't included in the Malware Removal any more, but I find it useful.
5.- Followed Instructions according to the Malware Removal.

Issue I had:

- GMER would crash in Normal Mode; I had to run it with the "Devices" tab unchecked.

Here are the logs of MBAM, GMER and DDS.

I'm using Windows XP, 2nd Service Pack (or something like that). The laptop is 5-6 years old, but it works fine except for those details and the fact that it is somewhat slow.

Any help appreciated. Thanks.
 

Attachments

  • mbam-log-2010-08-09 (01-51-51).txt (1.7 KB)
  • GMER.log (5.8 KB)
  • DDS.txt (9.5 KB)
  • Attach.txt (17.4 KB)
Please, repost both DDS logs from normal mode.

When done....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Oops, sorry for that. I did run DDS in Safe Mode; that was after GMER caused the computer to crash and I restarted in Safe Mode... I went on with the steps and did the DDS step before the GMER one.

Later I ran GMER in Normal Mode with "Devices" Tab Unchecked...

Either way, here are the logs of DDS in Normal Mode and the Combofix log...
 

Attachments

  • DDS.txt (10.2 KB)
  • Attach.txt (17 KB)
  • Combofix.txt (15.9 KB)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\documents and settings\All Users\Application Data\Avg7

AWF::
c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
c:\windows\system32\bak\ctfmon.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"=-


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif)

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Done.

The Program rebooted the computer, by the way.

Here's the log.

By the way, just right now the WinPatrol detected this service file that has been added... cryptsvc.dll

Apparently it is from Microsoft... is this OK?
 

Attachments

  • Combofix.txt (15 KB)
Good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

Code:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I see, I didn't answer your question.
cryptsvc.dll is a safe file.

======================================================================

Your computer would greatly benefit from adding another 512MB of RAM.

======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe File not found
    O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe File not found
    O4 - HKLM..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} https://update3.globalhauri.com/Custom/LiveSuite/BANAMEX/web/HLiveRobotWeb.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38191.2980208333 (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O29 - HKLM SecurityProviders - (ntoskrnl.dll) -  File not found
    [2004/12/14 17:23:15 | 000,003,477 | ---- | C] () -- C:\WINDOWS\System32\noyjsgnj.dll
    [2004/12/14 17:23:15 | 000,003,456 | ---- | C] () -- C:\WINDOWS\System32\rsgbbbcc.dll
    [2004/12/14 17:23:15 | 000,003,448 | ---- | C] () -- C:\WINDOWS\System32\mhywsiow.dll
    [2004/12/14 17:23:15 | 000,003,319 | ---- | C] () -- C:\WINDOWS\System32\eqjoieva.dll
    [2004/12/14 17:23:15 | 000,003,293 | ---- | C] () -- C:\WINDOWS\System32\dhaushci.dll
    [2004/12/14 17:23:15 | 000,003,242 | ---- | C] () -- C:\WINDOWS\System32\vjlxegyl.dll
    [2004/12/14 17:23:15 | 000,003,215 | ---- | C] () -- C:\WINDOWS\System32\lzwhrjlo.dll
    [2004/12/14 17:23:15 | 000,003,099 | ---- | C] () -- C:\WINDOWS\System32\xwnbqvnc.dll
    [2004/12/14 17:23:15 | 000,003,087 | ---- | C] () -- C:\WINDOWS\System32\logsnmpw.dll
    [2004/12/14 17:23:15 | 000,003,002 | ---- | C] () -- C:\WINDOWS\System32\rpfuatrq.dll
    [2004/12/14 17:23:15 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\dpaxrdfp.dll
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\services.msc:SummaryInformation
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
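As an added example (not part of the thread, and not OTL's own code), here is a small Python triage script for the OTL listing format that appears in the custom scan output and the fix script above: it parses the `[date | size | attributes | C] (company) -- path` lines, groups small, unsigned, randomly named files created in the same second (the burst of System32 DLLs in the fix script), and lists Run entries whose target is "File not found". All sample lines are constructed, and the size threshold and file-name pattern are assumptions chosen to match what this thread shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the OTL listing format quoted in the thread: four of the
# randomly named System32 DLLs from the fix script, one ordinary vendor-signed
# file for contrast, one orphaned Run entry and one live Run entry.
SAMPLE_OTL = """\
O4 - HKLM..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe File not found
O4 - HKLM..\\Run: [ExampleTool] C:\\Program Files\\ExampleTool\\exampletool.exe (Constructed Vendor)
[2004/12/14 17:23:15 | 000,003,477 | ---- | C] () -- C:\\WINDOWS\\System32\\noyjsgnj.dll
[2004/12/14 17:23:15 | 000,003,456 | ---- | C] () -- C:\\WINDOWS\\System32\\rsgbbbcc.dll
[2004/12/14 17:23:15 | 000,003,448 | ---- | C] () -- C:\\WINDOWS\\System32\\mhywsiow.dll
[2004/12/14 17:23:15 | 000,000,022 | ---- | C] () -- C:\\WINDOWS\\System32\\dpaxrdfp.dll
[2010/08/09 01:40:02 | 000,574,464 | ---- | C] (Constructed Vendor) -- C:\\WINDOWS\\System32\\examplelib.dll
"""

# File line: [date time | size | attributes | C=created/M=modified] (company) -- path
OTL_FILE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# O4 line whose autorun target no longer exists on disk
OTL_ORPHAN_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) File not found$"
)
# Short all-lowercase names like those in the fix script (assumed pattern; tune per case)
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.(dll|exe|sys)$")


def parse_otl_files(text):
    """Return one dict per OTL file-listing line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_FILE.match(line.strip())
        if m:
            entries.append({
                "created": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "company": m["company"],
                "path": m["path"],
            })
    return entries


def suspicious_clusters(entries, min_count=3, max_size=8192):
    """Group small, unsigned, randomly named files by creation second; a burst
    of them written in the same second is the pattern in the fix script above."""
    by_second = defaultdict(list)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        if not e["company"] and e["size"] <= max_size and RANDOM_NAME.match(name):
            by_second[e["created"]].append(e["path"])
    return {ts: paths for ts, paths in by_second.items() if len(paths) >= min_count}


def orphaned_run_entries(text):
    """Return (name, path) for every Run entry whose target file is missing."""
    return [(m["name"], m["path"]) for m in
            (OTL_ORPHAN_RUN.match(l.strip()) for l in text.splitlines()) if m]
```

Run it against a real OTL.txt by reading the file into `parse_otl_files` and `orphaned_run_entries`; a reported cluster is a lead to verify (hashes, signatures), not a verdict on its own.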
Thanks for answering.

Yep, the file left me wondering.

I updated Java. I downloaded the update application from the internet and ran it; I never saw any prompts or check boxes for other applications or additions. Then I removed the older versions.

I ran OTL with the custom text you provided me, clicked on Run Fix and it worked fine. The program rebooted the computer and created the file.

After that, I ran the Quick Scan. This time, it just created one file: OTL.txt.

Here are the logs.

And good idea about the RAM; as far as I remember, this computer already has an extra RAM chip. It originally had 256 MB and another 256 MB was added. I'm not sure. Either way, I'll check that later.
 

Attachments

  • OTL.txt (71.8 KB)
  • 08102010_215612.log (15.4 KB)
Very good :)

How is the computer running at the moment?

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
It is running OK, a bit slow, but that is expected. There are many programs in here, some of them heavy, I'd think... Samsung PC Studio and a video converter for PS3 videos... and the hard disk has about 5 GB of free space.

However, overall it seems to me that it has improved. Now it shuts down faster. And seems like the Start Up is a little bit faster as well. Just two questions...

- The Hibernate option no longer appears when I choose "Turn Off Computer". The options that appear are "Stand By", "Restart" and "Turn off". Is there a way to make it appear once again?

This is not that important, but it's a detail I noticed.

- OTL created a desktop.ini file on the Desktop. I'm guessing that I should erase it?

I'll proceed with the Instructions, however, I wonder if I should delete the file...

Thanks...

EDIT: Never mind, I just saw that the file is no longer there...
 
The Hibernate option no longer appears when I choose "Turn Off Computer".
Go into Start > Settings > Control Panel > Power Options. Click on the Hibernate tab, then check the Enable Hibernation check box to enable it.

OTL created a desktop.ini file on the Desktop. I'm guessing that I should erase it?
Open Windows Explorer. Go Tools>Folder options>View tab and make sure, there IS a checkmark in "Hide protected operating system files".
 
Go into Start > Settings > Control Panel > Power Options. Click on the Hibernate tab, then check the Enable Hibernation check box to enable it.
Ah, OK, thanks.


Open Windows Explorer. Go Tools>Folder options>View tab and make sure, there IS a checkmark in "Hide protected operating system files".

I looked into it and it was already checked. Yet, it appeared when OTL restarted after the fix. But later disappeared when I checked the Desktop again.

The Kaspersky scan couldn't be completed, it ran for about 6 hours and it had about 80% of progress, but then the Internet Service was interrupted... :(

So far, it didn't detect any infections or malware. Is this step really that important? I might try to run it tomorrow...

Here's the checkup.txt file, by the way.

Thanks.
 

Attachments

  • checkup.txt (1.2 KB)
Please, update your Firefox.

Instead of Kaspersky....

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Sorry for the delay, I have been busy with several things.

I ran the scan, but I noted one thing: before running it, the program told me that it detected Avira Antivirus (which I have installed) and ZoneAlarm... which was surprising, because ZoneAlarm isn't installed here anymore.

Either way, it detected 1 malicious item, it was one of the printer... ??
 

Attachments

  • Esetscan.txt (89 bytes)
and ZoneAlarm
Probably some registry entry. Don't worry about it.

I suspect the ESET finding is a false positive, but we better check...

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Program Files\hp LaserJet 1010 Series.msi
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
File name: hp LaserJet 1010 Series.msi
Submission date: 2010-08-17 23:34:25 (UTC)
Current status: finished
Result: 0/37 (0.0%)

It didn't find any virus...
 
Good :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Great. The computer is doing fine, the messages that appeared at MSN telling me that someone "added me" are now gone. Gotta run those last steps to make sure that everything remains fine.

Thanks a lot. :)
 
Yeah, pretty much. I ran MBAM and it didn't detect anything. The computer is working fine... I'm thinking of ways to make it somewhat faster, looking for RAM chips that are compatible and whatnot... but, right now, it is not urgent.

Thanks a lot for the help. :)
 