Finished the 8 steps after virus

[samsquanch]

Foolishly downloaded some software and got hijacked. Ended up with a virus warning message as my screen background, locked out of changing it. Got a pop up warning in my tool tray with a virus warning, and random opening of Firefox and IE to a "antivirus website" to fix the problem.

Spybot, Norton 360, and Registry Mechanic did not resolve the problem run in safe mode. I stumbled across this site and the eight steps and followed them. The problem appears to be resolved by following the process however appearances can be deceiving. Attached are my logs.

Thanks so much for the help.

 

[rev_olie]

Hi,
You have some very strange entries on there. I'm not returning any results for them.
Download and run Sdfix.
The user guide and download can be found Here

Then update and re run SAS and Malwarebytes with a fresh hijack this log.

 

[kritius]

Please download ATF Cleaner by Atribune.

• 
  
  Double-click ATF-Cleaner.exe to run the program.
  
  Under Main choose: Select All
  
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  
  Click the Empty Selected button.
  
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  
  Click the Empty Selected button.
  
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

• Open a folder window (for example, double-click My Computer).
  
• From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  
• Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  
• IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  
• You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
  

Now run HJT again and post the log back along with the SDFix report that Ollie asked for.

 

[rev_olie]

Haha ive been franticly running around for ATF cleaner, i forgot the name so im glad you said that kritius

 

[kritius]

No problem

 

[samsquanch]

Thank you Kritius and Olie,

Updated again and ran Malawarebytes and SAS again, downloaded ATF Cleaner and ran that followed by HJT. Attached are the new logs.

I appreciate the assistance.

 

[kritius]

Please run the NORTON REMOVAL TOOL

Please download ONE of the following antivirus programs and install it.

• Avast:
  
• Avira:
  

Once installed, Update it, run full system scan with it and allow it to fix up what it wants.

Reboot if it fixed anything.

You should get a firewall as well, either,

• Comodo
  
• Kerio
  
• Online Armor
  
• Zonealarm
  

Fix entries using HiJackThis

• Launch HiJackThis
  
• Click the Do a system scan only button
  
• Put a check next to the entries listed below
  

O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe
O4 - HKCU\..\Run: [ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\a6o422nixbw.exe
O4 - HKCU\..\Run: [tj13zbrf5ogzt8ez0id6b4v30] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\qlx84pv3gqtk0.exe
O4 - HKCU\..\Run: [jf8fuf1d4o1q7lojbpomqc19zu3xh3n1i21oe7tlifq2p] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ng5p2l.exe
O4 - HKCU\..\Run: [e6bvbu7bu25gmw55j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\z4g3hvy.exe
O4 - HKCU\..\Run: [lln7yymhyqig2npkz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\n2d92j50au7.exe
O4 - HKCU\..\Run: [p5dkkt7vo] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gdpbimlgd11.exe
O4 - HKCU\..\Run: [ujioc5ber72q] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mqxg0ksdyf.exe
O4 - HKCU\..\Run: [z5ke7vpm95k0zjphny6] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\v8unhv2v6kc.exe
O4 - HKCU\..\Run: [fmunm5yi68k7zc3iinyfcpkk1n] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xssxosy.exe
O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\i6zge37bkyr.exe
O4 - HKCU\..\Run: [jqv1kh6tu2ufk8zzdhcfaz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\m0eieb47z.exe
O4 - HKCU\..\Run: [zv4r2ryuq96s7s50evpg] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xmy662p.exe
O4 - HKCU\..\Run: [q8rvrkciixdm4ypvtwp8ud8y7coymdjek985ff0h41oh] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\nt1v4v1fd.exe
O4 - HKCU\..\Run: [o186201wldvfv3vd4p49gzn9juvx] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\kzt1wbb1mg.exe
O4 - HKCU\..\Run: [be2v8ul2j4n9xzyiusu30lwqt9na2ncjav] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\u1vqn5oxf.exe
O4 - HKCU\..\Run: [xejisrtbnq9ae9qhun45y4wa5vzgecv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\sac1kghzzg8.exe
O4 - HKCU\..\Run: [gg0zendarviv9e2td93te] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\j6284o89h.exe
O4 - HKCU\..\Run: [fw954ay9rczdrakm189vysml5enisl98klisowrrdjjfktbjgy] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\jf834q3796ua.exe
O4 - HKCU\..\Run: [g3y5pwm24pnjtkuv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\uxhfwmx7v4.exe
O4 - HKCU\..\Run: [rxr9lhzb2e0glc79ef74phceej3xvx5j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ueru6yxe.exe
O4 - HKCU\..\Run: [pzfiut9hih4l1sme83gkaf] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ud0ns18lzcym.exe
O4 - HKCU\..\Run: [pgwbgdyu6ns4ia] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mguam1uwoev.exe
O4 - HKCU\..\Run: [n6clmbnuv4x1glejxotugxi7p27rrwvl] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zn8ztd4.exe
O4 - HKCU\..\Run: [pbh3fttzyf8ik5] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\iz6cs0j55q.exe
O4 - HKCU\..\Run: [my2hnhsq2ycjg5019pmfor2i] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zr78nqi.exe
O4 - HKCU\..\Run: [ef4jt05i7u4367p0pbj] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ogttd95h2.exe
O4 - HKCU\..\Run: [ku1vtw6a1ysgntpiim2y06qchlw4lp6cf9b82mc1z] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gq3ag2e6own.exe
O4 - HKCU\..\Run: [vniv32qjug4rsh5kl0x] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\grri6dn4u.exe

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  
• Click the Fix checked button and close HiJackThis
  
• Reboot HijackThis if necessary

Download and Run ComboFix

• Download this file to your desktop from HERE
• Then double click combofix.exe & follow the prompts.
  
• When finished, it shall produce a log for you. Attach that log in your next reply
  

WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[samsquanch]

I'm curious, why do you recommend not using Norton 360?

 

[kritius]

Crap detection rates and bloated system usage.

If you want to keep it thats grand but it didn't really work very well up to now did it?

 

[samsquanch]

Thanks for the info, not trying to be difficult, I just like to know the why behind things, it's how I'm wired.

really appreciate your quick help.

 

[kritius]

Thats ok.

Let me know what you decide to do.

 

[Bobbye]

samsquanch, I'd like to make a couple of comments here. Probably the last thing you need is another 'helper' but I want to bring out some points: This is not meant to replace what others have said, but only to give you additional choices:

1. Many here advise users to replace a Norton security program immediately. My thoughts are different. While I am not a supporter of the Norton security programs, I prefer to delay changing the AV or security suite. A user has enough to deal with than removing a program they paid for and replacing it with a free AV & firewall up front. My preference is to do the cleaning and then suggest it be replaced. This doesn't make any of us wrong or right- it's a preference that should be left up to the user.

2. Regarding the following:

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
Symantec categorizes this as follows:
Adware.DAP
Type: Adware
Name: Download Accelerator Plus
Behavior
Adware.DAP is:
* A download accelerator program for Internet Explorer, Netscape, Mozilla, and Opera Web browsers.
* Functions as a media viewer and FTP browser and allows the user to install games.
* Installs a toolbar into the browser (Internet Explorer only).
* Downloads ads to be displayed in the program window.
Note: Registering the application will stop the ads from displaying.

Symptoms
One or more files are detected as Adware.DAP.
Transmission
The Download Accelerator Plus program must be manually installed.
http://www.speedbit.com/Symantec_Security_Response.htm

Because of the Adware connection, I suggest that you remove this.

3. I tried to find some common denominator for the temp document files. I can up with one:
TODDLA~1:

Listen free to Toddla T (manabadman, Manabadman (Andy George Re-Fix)
ALL of those files have TODDLA in them. Did you download music for this source? If so you need to delete it. This included all the files in the 04 category on HijackThis with this as an example:
O4 - HKCU\..\Run: [p5dkkt7vo] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gdpbimlgd11.exe

You can remove the files as mentioned, but you need to locate the source for them. I did notice the following in the SDFix log so it appears that you are downloading music:
Thu 25 Jan 2007 9,506 A.SH. --- "C:\Documents and Settings\Macy Ashby\My Documents\My Music\License Backup\drmv2key.bak"

4. The original SAS log showed Tracking Cookie. To prevent them in the future:
Reset Cookies:

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies section> CHECK 'allow Cookies'> UNCHECK 'allow third party Cookies'.
Install the following add-ons to Firefox:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/

I won't handle the other entries, but thought this might be a helpful addition for you.

 

[samsquanch]

Kritius,

Took your advice, more protection, less system usage - seems an easy decision.

Uninstalled Norton 360, Intalled Avast and Comodo Firewall updated each and ran a scan, some items were detected and fixed. Restarted computer.

Used Hijack This to remove the listed items, Ran ComboFix, attached is the log from combofix.

Bobbye,

Thank you for also offering some insight in to the situation.

I'll be uninstalling DAP and changing the cookies setting as you suggest.
As far as I know we only download music via iTunes, though it's possible a house guest may have downloaded from somewhere else.

 

[kritius]

To get an Uninstall List from HijackThis:

• Open HijackThis, click Config, click Misc Tools
  
• Click "Open Uninstall Manager"
  
• Click "Save List" (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.

You have BitLord installed, I would get rid of it.

Can you also post a fresh HJT this log?

Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:

• Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  
• Choose Exit Spybot S&D Resident
  

Second:

• Open Spybot S&D
  
• Click Mode, check Advanced Mode
  
• Go To Left Panel, Click Tools, then also in left panel, click Resident
  
• If your firewall raises a question, say OK
  
• Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  
• Use File, Exit to terminate Spybot
  
• Reboot your machine for the changes to take effect.
  

Once your log is clean you can re-enable those settings in TeaTimer.


Download random's system information tool (RSIT) by random/random from HERE and save it to your Desktop.

• Double click on RSIT.exe to run.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open.
  
• log.txt <will be maximized and info.txt <will be minimized
• Please post the contents of both logs in the next reply.
  

 

[samsquanch]

All suggestions and steps followed, attached are the logs.

 

[kritius]

I'll look over them and post back later. Quite a few things that I want to get rid of.

 

[samsquanch]

I'll likely be off for the rest of the day, I'll get after the actions you recommend in the morning here.

 

[kritius]

Part 1

Go to Add/remove programs and remove the following.

GearDrvs
GemMaster Mystic
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
RegCure 1.5.2.7
Registry Mechanic 8.0


Fix entries using HiJackThis

• Launch HiJackThis
  
• Click the Do a system scan only button
  
• Put a check next to the entries listed below
  

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe
O4 - HKCU\..\Run: [ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\a6o422nixbw.exe
O4 - HKCU\..\Run: [tj13zbrf5ogzt8ez0id6b4v30] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\qlx84pv3gqtk0.exe
O4 - HKCU\..\Run: [jf8fuf1d4o1q7lojbpomqc19zu3xh3n1i21oe7tlifq2p] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ng5p2l.exe
O4 - HKCU\..\Run: [e6bvbu7bu25gmw55j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\z4g3hvy.exe
O4 - HKCU\..\Run: [lln7yymhyqig2npkz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\n2d92j50au7.exe
O4 - HKCU\..\Run: [p5dkkt7vo] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gdpbimlgd11.exe
O4 - HKCU\..\Run: [ujioc5ber72q] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mqxg0ksdyf.exe
O4 - HKCU\..\Run: [z5ke7vpm95k0zjphny6] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\v8unhv2v6kc.exe
O4 - HKCU\..\Run: [fmunm5yi68k7zc3iinyfcpkk1n] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xssxosy.exe
O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\i6zge37bkyr.exe
O4 - HKCU\..\Run: [jqv1kh6tu2ufk8zzdhcfaz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\m0eieb47z.exe
O4 - HKCU\..\Run: [zv4r2ryuq96s7s50evpg] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xmy662p.exe
O4 - HKCU\..\Run: [q8rvrkciixdm4ypvtwp8ud8y7coymdjek985ff0h41oh] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\nt1v4v1fd.exe
O4 - HKCU\..\Run: [o186201wldvfv3vd4p49gzn9juvx] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\kzt1wbb1mg.exe
O4 - HKCU\..\Run: [be2v8ul2j4n9xzyiusu30lwqt9na2ncjav] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\u1vqn5oxf.exe
O4 - HKCU\..\Run: [xejisrtbnq9ae9qhun45y4wa5vzgecv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\sac1kghzzg8.exe
O4 - HKCU\..\Run: [gg0zendarviv9e2td93te] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\j6284o89h.exe
O4 - HKCU\..\Run: [fw954ay9rczdrakm189vysml5enisl98klisowrrdjjfktbjgy] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\jf834q3796ua.exe
O4 - HKCU\..\Run: [g3y5pwm24pnjtkuv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\uxhfwmx7v4.exe
O4 - HKCU\..\Run: [rxr9lhzb2e0glc79ef74phceej3xvx5j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ueru6yxe.exe
O4 - HKCU\..\Run: [pzfiut9hih4l1sme83gkaf] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ud0ns18lzcym.exe
O4 - HKCU\..\Run: [pgwbgdyu6ns4ia] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mguam1uwoev.exe
O4 - HKCU\..\Run: [n6clmbnuv4x1glejxotugxi7p27rrwvl] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zn8ztd4.exe
O4 - HKCU\..\Run: [pbh3fttzyf8ik5] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\iz6cs0j55q.exe
O4 - HKCU\..\Run: [my2hnhsq2ycjg5019pmfor2i] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zr78nqi.exe
O4 - HKCU\..\Run: [ef4jt05i7u4367p0pbj] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ogttd95h2.exe
O4 - HKCU\..\Run: [ku1vtw6a1ysgntpiim2y06qchlw4lp6cf9b82mc1z] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gq3ag2e6own.exe
O4 - HKCU\..\Run: [vniv32qjug4rsh5kl0x] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\grri6dn4u.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...0000049.000000d2&c=00000082.000000e6.0000026f

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  
• Click the Fix checked button and close HiJackThis
  
• Reboot HijackThis if necessary

COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Folder::
  C:\Program Files\RegCure
  C:\Program Files\BitLord
  C:\Documents and Settings\All Users\Application Data\Symantec
  C:\Documents and Settings\Todd Larson\Application Data\Symantec
  C:\Program Files\DAP
  
  
  Registry::
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb"=
  "ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b"
  "tj13zbrf5ogzt8ez0id6b4v30"=
  "jf8fuf1d4o1q7lojbpomqc19zu3xh3n1i21oe7tlifq2p"=
  "e6bvbu7bu25gmw55j"=
  "lln7yymhyqig2npkz"=
  "p5dkkt7vo"=
  "ujioc5ber72q"=
  "z5ke7vpm95k0zjphny6"=
  "fmunm5yi68k7zc3iinyfcpkk1n"=
  "axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr"=
  "jqv1kh6tu2ufk8zzdhcfaz"=
  "zv4r2ryuq96s7s50evpg"=
  "q8rvrkciixdm4ypvtwp8ud8y7coymdjek985ff0h41oh"=
  "o186201wldvfv3vd4p49gzn9juvx"=
  "be2v8ul2j4n9xzyiusu30lwqt9na2ncjav"=
  "xejisrtbnq9ae9qhun45y4wa5vzgecv"=
  "gg0zendarviv9e2td93te"=
  "fw954ay9rczdrakm189vysml5enisl98klisowrrdjjfktbjgy"=
  "g3y5pwm24pnjtkuv"=
  "rxr9lhzb2e0glc79ef74phceej3xvx5j"=
  "pzfiut9hih4l1sme83gkaf"=
  "pgwbgdyu6ns4ia"=
  "n6clmbnuv4x1glejxotugxi7p27rrwvl"=
  "pbh3fttzyf8ik5"=
  "my2hnhsq2ycjg5019pmfor2i"=
  "ef4jt05i7u4367p0pbj"=
  "ku1vtw6a1ysgntpiim2y06qchlw4lp6cf9b82mc1z"=
  "vniv32qjug4rsh5kl0x"=

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

[kritius]

Part 2

Please download ATF Cleaner by Atribune.

• 
  
  Double-click ATF-Cleaner.exe to run the program.
  
  Under Main choose: Select All
  
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  
  Click the Empty Selected button.
  
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  
  Click the Empty Selected button.
  
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

• Open a folder window (for example, double-click My Computer).
  
• From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  
• Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  
• IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  
• You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
  

FindAWF



Download FindAWF.exe and save it to your desktop.

• Double-click on the FindAWF.exe file to run it.
  
• It will open a command prompt and ask you to Press any key to continue.
  
• Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  
• It may take a few minutes to complete so be patient.
  
• When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  
• Attach the AWF.txt file in your next reply.
  

Post back with the ComboFix log, FindAWF and a fresh HijackThis log

EDIT////////////

ComboFix really should have gotten rid of those 04 entries. If they are still there then we'll have to try something else.

 

[kritius]

Bobbye,

ALL of those files have TODDLA in them. Did you download music for this source?

I believe that this is the ops name.

 

[Bobbye]

kritius, I consider that and it might be the 'guest' that was referred to.

samsquanch, is this -TODDLA~1he name of the person whose documents have these entries?
O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe\LOCALS~1\Temp\oeruj897r2dm5.exe

Interestingly, I found another user with similar entries- unless sam also posted in AfterDawn- I didn't go through all of them:
Troonus Newbie25. February 2009 @ 06:30 _

This has same 'exe as sam:
O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TROY~1.TRO\LOCALS~1\Temp\i6zge37bkyr.exe
http://forums.afterdawn.com/thread_view.cfm/752173

sam's:
O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\i6zge37bkyr.exe

What is puzzling is the word is in all caps and each has the numerical designation:
TODDLA~1 or TROY~1.TRO... strange! The second 'name' is also from Shakespeare!

 

[kritius]

I have seen cases of this where unistalling ComboFix and then downloading and renaming will catch a lot of this.

It's a bit similar to the Adebot infection a while ago except a lot more stubborn and crafty

 

[samsquanch]

Kritius,

Attached is the combofix log file from the script. Geardrvs was not in the add/remove programs list, I could not locate it on the hard drive, as such it was not uninstalled. All other programs listed were uninstalled.

I'll be moving forward with Part 2, ATF cleaner and Find AWF

Attached are the find awf and fresh HJT log.

oops, attached are the files.

 

[kritius]

That looks a lot better.

Can I see the ComboFix log?

How is the computer acting now?

 

[samsquanch]

Kritius,

Attached is the combo fix log, sorry I thought I had attached it earlier.
The computer seems to be running fine at this point, not getting any warnings out of Comodo or Avast, and all of the initial symptoms are gone.