Completed 8 step removal - log files attached

Status
Not open for further replies.
Hi,

Thank you in advance for checking out the attached log files. Hopefully they are clean and good to go.

Our home computer began having problems with Vundo and Fraudloa.cx about 2 weeks ago. The computer is mainly used by teens for homework, social networking, itunes, etc.

I completed the 8 steps on the website.

Thanks again for the help.
 

Attachments
  • hijackthis.log (16.7 KB)
  • mbam-log-2008-12-08 (10-32-14).txt (13.4 KB)
Observation: More progress is needed.
  • Your logs show found but unanswered items - React to unanswered items appearing in scan logs
  • 'NO Action' - Remove Selected when offered by MBAM
  • 'Delete on Reboot' - Restart the computer after concluding the scan
  • e.g. "C:\WINDOWS\system32\mfmpabooamlepal.dll (Adware.BHO) -> Delete on reboot"

Continue with guide.
Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scan program.
  • Update both MBAM & SAS. Rerun them both.
  • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
    • Typically extra repeat scans are not needed.
  • Post logs. Report progress & what changes are observed. Include logs that found infections.
 
Observation: More progress is needed.
  • 'NO Action' - Remove Selected when offered by MBAM
No it doesn't. It says entries removed and quarantined :confused:

But I'm more concerned about Spyware Doctor and Registry Mechanic in the Windows startup list

Actually the member is best to remove most of the many o4 entries, before continuing. There are just too many, to then start scanning with other tools
Wouldn't you think this would be best advised first?
 
....But I'm more concerned about Spyware Doctor and Registry Mechanic in the Windows startup list .....Actually the member is best to remove most of the many o4 entries, before continuing. There are just too many, to then start scanning with other tools
Wouldn't you think this would be best advised first?
Kimsland, I am pretty much 1-dimensional these days. I'm just geared toward moving members through the scans. I focus on cleaning the infestations.

I am all for methodology. We all benefit from sharing techniques and discoveries. If there is some way of holding up 'examples' or 'case studies' from what happens here, it would improve functioning for everyone.

While one goal could be a well-rounded specialist, another means to the same goal is to partition the effort among the team.

Since your perspective is more global than mine, I lack an appreciation for considering the burden of startups in general, and specific applications with borderline practices (foistware).

As the saw goes - oz. of prevention versus the proverbial lb. of cure. Another saw - let's close the barn door. Please help with the startups.


My findings: 5 hits in MBAM log
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmalodamapesep (Trojan.Agent) -> Delete on reboot.
  • C:\WINDOWS\ecowubucu.dll (Trojan.Agent) -> Delete on reboot.
  • C:\WINDOWS\system32\yapfieztalboz.dll (Trojan.Agent) -> Delete on reboot.
  • C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
  • C:\WINDOWS\system32\mfmpabooamlepal.dll (Adware.BHO) -> Delete on reboot.


My view: There is a fine line between ‘nanny’ and ‘ninny’
  • best to remove most of the many o4 entries, before continuing. There are just too many
  • computer is mainly used by teens
  • personal habits of members cannot be broken easily.


Tweaking for the Updated 8-Steps
  • Unanswered items – ‘delete on reboot’, ‘Removed Selected’
  • Before posting Scans – take them to ‘clean’ or ‘something it cannot clean’
 
Hi - Thank you both for your replies. The computer seems to be working OK right now although I know that may be misleading. If there is something I should do from this point, please share that information with me. I am happy to delete the O4 items although I'm not sure how to go about doing so. I can also rerun the scans and repost the logs if that is helpful.

I added the registry mechanic and spydoctor in response to the problems we've been having the past couple of weeks. I had been running Trend-micro the whole time however. If there are better packages out there I'd be happy to hear about them and uninstall what I am currently using. At this point, I'll uninstall the Registry Mechanic and Spy doctor since they seem redundant.

Thanks again for your attention. I appreciate your guidance!
 
Draft Draft Draft - Started - Dec. 10, 2008 - Draft Draft Draft

How to Manage Startup Applications Using HiJackThis

HJT Capabilities
  • HiJackThis is a useful tool for managing startup applications.
  • HJT log is a convenient listing of startup (O4) applications.
  • HJT 'tick & fix' has the ability to eliminate programs from running at startup
  • Changes can be reversed (a.k.a. - undo)
  • O4 items appear in msconfig > startup

HJT Usage
  • Tick & Fix - Same effect as regedit
    • Main Menu > System Scan Only > tick items to be fixed > Fix Checked
  • Undo From Advance Menu
    • > other stuff > Config > Backups > tick items

Global Startup -
  • Shortcuts to applications
    • appearing in startup folders: Right click 'Start' > 'explore'
  • HJT has the same effect as manual deletes
    • Individual user
    • All users
    • Default user
Tick & Fix
Code:
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe


Control From Application – recommend decline startup
Code:
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe (User 'Kids')
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Kids')
O4 - S-1-5-21-2986887021-3910996275-176885219-1011 Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\{BA212BCB-99AB-47AD-B0F9-05A0F51DC7DE}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe (User 'Matt')
O4 - S-1-5-21-2986887021-3910996275-176885219-1011 User Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\{BA212BCB-99AB-47AD-B0F9-05A0F51DC7DE}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe (User 'Matt')


Control From HJT – any item above lacking tick box to remove from startup
Code:
HJT >  Tick & Fix
* Equivalent to using msconfig > startup tab 
* Other usage removes ‘orphaned’ items appearing in msconfig / startup


Dirty Startup - - Control from the application is the only way to prevent recurrence here.
Code:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Kids')


Untouchable - - Keyboard shortcuts are included - actually it's user's choice
Code:
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" –hide
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"


special case – system generated. OK to eliminate? Do not know.
Code:
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kids')
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Conor')
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Matt')
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')

Let MBAM & SAS decide this one.
Code:
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1010\..\Run: [Cmalodamapesep] rundll32.exe "C:\WINDOWS\ecowubucu.dll",e (User 'Conor')


Technical Details:
http://www.bleepingcomputer.com/startups/hkcmd.exe-1939.html
http://www.bleepingcomputer.com/startups/igfxpers.exe-20641.html
http://www.bleepingcomputer.com/startups/KBD.EXE-2398.html
http://www.bleepingcomputer.com/startups/cloaker.exe-14039.html
http://www.bleepingcomputer.com/startups/MSASCui.exe-14484.html
http://www.bleepingcomputer.com/startups/Recguard-4419.html
http://www.bleepingcomputer.com/startups/oe_oem-15377.html
http://www.bleepingcomputer.com/startups/pccguide.exe-3989.html


http://www.bleepingcomputer.com/startups/ehTray-1525.html
http://www.bleepingcomputer.com/startups/IAAnotif-2074.html
http://www.bleepingcomputer.com/startups/iaanotif.exe-2074.html
http://www.bleepingcomputer.com/startups/DiscUpdateManager-15124.html
http://www.bleepingcomputer.com/startups/DMAScheduler-16876.html
http://www.bleepingcomputer.com/startups/HPBootOp-15123.html
http://www.bleepingcomputer.com/startups/HPWuSchd2.exe-2003.html
http://www.bleepingcomputer.com/startups/rundll32.exe_NvCpl.dll_NvStartup-3803.html
http://www.bleepingcomputer.com/startups/NvMediaCenter-3828.html
http://www.bleepingcomputer.com/startups/nwiz-3838.html
http://www.bleepingcomputer.com/startups/SsAAD.exe-8616.html
http://www.bleepingcomputer.com/startups/Reminder-4495.html
http://www.bleepingcomputer.com/startups/PicasaMediaDetector.exe-4045.html
http://www.runscanner.net/filelibrary/ATR1.EXE.html
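As an added example that is not part of this thread, here is a small Python parser for the two O4 line forms quoted above (Run-key entries and startup-folder shortcuts, with or without HJT's "(User '...')" suffix); it groups entries by scope and raises review flags for the two patterns the thread singles out, a DLL loaded through rundll32 and a startup shortcut pointing into a Temp folder. The sample lines are copied from the log excerpts in this thread; the flag names and the O4Entry structure are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample O4 lines copied from the HJT excerpts in this thread (one of each form).
SAMPLE_LOG = r"""
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-21-2986887021-3910996275-176885219-1010\..\Run: [Cmalodamapesep] rundll32.exe "C:\WINDOWS\ecowubucu.dll",e (User 'Conor')
O4 - S-1-5-21-2986887021-3910996275-176885219-1011 Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Matt\Local Settings\Temp\{BA212BCB-99AB-47AD-B0F9-05A0F51DC7DE}\ATR1.exe (User 'Matt')
"""
# Run-key form:  O4 - HKLM\..\Run: [name] command (User 'x')
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# Startup-folder form:  O4 - Global Startup: name.lnk = target (User 'x')
LNK_RE = re.compile(
    r"^O4 - (?P<hive>.+?) (?:User )?Startup: (?P<name>.+?) = "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)

@dataclass
class O4Entry:
    scope: str               # "machine" (HKLM), "user" (HKCU/HKUS) or "startup-folder"
    name: str
    command: str
    user: Optional[str]      # the (User '...') suffix HJT adds for other profiles
    flags: List[str] = field(default_factory=list)

def parse_o4(line: str) -> Optional[O4Entry]:
    # Returns None for any line that is not an O4 entry in one of the two forms.
    m = RUN_RE.match(line)
    if m:
        scope = "machine" if m["hive"] == "HKLM" else "user"
    else:
        m = LNK_RE.match(line)
        if not m:
            return None
        scope = "startup-folder"
    entry = O4Entry(scope, m["name"], m["cmd"], m["user"])
    cmd = entry.command.lower()
    if "\\temp\\" in cmd:                 # autostart target living in a Temp folder
        entry.flags.append("runs-from-temp")
    if cmd.startswith("rundll32"):        # a DLL loaded via rundll32, as in the MBAM hit
        entry.flags.append("rundll32-loads-dll")
    return entry

def review_log(text: str) -> List[O4Entry]:
    # Parse every O4 line of an HJT log excerpt, keeping the review flags.
    return [e for e in (parse_o4(l.strip()) for l in text.splitlines()) if e]
```

A flag is a prompt to look the entry up (as the links above do), not a verdict; the mfmpabooamlepal.dll hit in the MBAM log sat in system32 and would trip neither check.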
 