Edited by benwizz, 20 September 2009 - 07:31 PM.
[Resolved] hijack.windowsupdates virus
#1
Posted 20 September 2009 - 07:12 PM
#2
Posted 21 September 2009 - 02:58 PM
Please run a DDS scan followed by RootRepeal for me.
Download and run DDS
We need to see some information about what is happening in your machine. Please perform the following scan:
- Download DDS by sUBs from one of the following links. Save it to your desktop.
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool. No input is needed, the scan is running.
- Notepad will open with the results soon.
- Follow the instructions that pop up for posting the results and then click Ok.
- The black box and message window shall then disappear.
- Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.
Download and run RootRepeal CR
Please download RootRepeal from the following location and save it to your desktop.
- Direct Download (Recommended)
- Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
- Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
- Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
- Physically disconnect your machine from the internet as your system will be unprotected.
- Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
- Click the tab at the bottom.
- Now press the button.
- A box will pop up; check the boxes beside all seven options/scan areas.
- Now click OK.
- Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
- The scan will take a little while to run, so let it go unhindered.
- Once it is done, click the Save Report button.
- Save it as RepealScan and save it to your desktop.
- Reconnect to the internet.
- Post the contents of that log in your reply please.
With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.
The help you receive here is free. If you wish to show your appreciation, you may wish to
#3
Posted 21 September 2009 - 07:50 PM
Attached Files
Edited by benwizz, 22 September 2009 - 08:09 PM.
#4
Posted 22 September 2009 - 02:29 PM
E-mail address: good that you edited it out to avoid any spam, but I would like to see your username for your computer, as that helps locate path locations etc. HOWEVER, if you really don't wish to or don't feel comfortable revealing it, I won't mind and can deal with it alternatively. It won't make too much of a difference.
Therefore, the next time I tell you to run a scan, if you don't wish to show your username for the computer, you can edit it out.
Please start with Combofix.
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.
Please include the C:\ComboFix.txt in your next reply for further review.
#5
Posted 22 September 2009 - 08:48 PM
ComboFix 09-09-22.02 - Benjamin Wilson 23/09/2009 3:39.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2039.1225 [GMT 1:00]
Running from: c:\documents and settings\Benjamin Wilson\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2008 OEM 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: F-Secure Internet Security 2008 OEM 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2646128191-4278396063-327579688-500
c:\recycler\S-1-5-21-335370264-2223378490-1093374705-500
c:\recycler\S-1-5-21-4252882061-2612516342-826687114-500
c:\recycler\S-1-5-21-593153778-2049585034-1883489503-500
c:\windows\Installer\$PatchCache$\Managed\6ACA9EFE6506DC043852E0B02EBC26B2\8.1.0\html.ini2
c:\windows\Installer\2cb25b9.msi
c:\windows\Installer\73ffa9d.msp
c:\windows\Installer\b64798d.msi
c:\windows\Installer\b64798e.msp
c:\windows\Installer\b64798f.msp
c:\windows\Installer\b647990.msp
c:\windows\Installer\b647991.msp
c:\windows\Installer\b647992.msp
c:\windows\Installer\b647993.msp
c:\windows\Installer\b647994.msp
c:\windows\Installer\b647995.msp
c:\windows\Installer\b647996.msp
c:\windows\Installer\b647997.msp
.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.
2009-08-29 23:52 . 2009-08-29 23:52 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\Malwarebytes
2009-08-29 23:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 23:51 . 2009-09-21 00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 23:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 23:51 . 2009-08-29 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 23:32 . 2009-08-29 23:32 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 01:15 . 2008-09-09 16:50 -------- d-----w- c:\program files\uTorrent
2009-09-21 01:19 . 2008-09-08 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HDD Thermometer
2009-09-05 23:20 . 2008-12-08 19:58 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\skypePM
2009-09-05 23:20 . 2008-12-08 19:56 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\Skype
2009-08-29 23:32 . 2008-09-09 16:50 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\uTorrent
2009-08-29 15:28 . 2008-09-11 12:05 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\LimeWire
2009-08-29 08:33 . 2008-09-04 09:31 85016 ----a-w- c:\documents and settings\Benjamin Wilson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 22:55 . 2009-02-25 22:33 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\Spotify
2009-08-23 10:35 . 2007-05-31 15:18 85016 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 08:30 . 2009-08-13 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-22 08:30 . 2009-08-13 17:37 -------- d-----w- c:\program files\NOS
2009-08-18 20:41 . 2009-08-18 20:40 -------- d-----w- c:\program files\mpTrim
2009-08-12 21:09 . 2007-05-31 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:01 . 2007-05-30 08:13 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 22:50 . 2008-02-29 19:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 19:01 . 2007-05-30 08:12 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2007-05-30 08:13 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-05-30 08:13 915456 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"rsd_hddthermo"="c:\program files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 215040]
"toscdspd"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-14 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"thpsrv"="c:\windows\system32\thpsrv" [X]
"00thotkey"="c:\windows\system32\00THotkey.exe" [2006-08-07 253952]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-05-17 140568]
"acronistimountermonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2008-05-17 909248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ddwmon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"dputil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-08-05 155648]
"f-secure manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2007-05-25 183208]
"f-secure tnb"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 740208]
"hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"psqllauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"smoothview"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"ssbkgdupdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"taudeffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]
"tmerzctl.exe"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-09-04 90112]
"tmesrv.exe"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2006-03-06 114688]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"toshkcw.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"touched"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-08-31 102400]
"trueimagemonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2008-05-17 1326392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000stthk"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"rthdcpl"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
"tfncky"="TFncKy.exe" [BU]
"tfnf5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]
"tosdcr"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]
"tpsmain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2007-04-18 299008]
"tpsoddctl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2007-04-18 102400]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Directrec Configuration Tool.lnk - c:\program files\Olympus\DeviceDetector\DirectrecConfig.exe [2008-9-4 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 16:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 02:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [04/09/2008 12:22 51040]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [22/03/2007 13:07 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [09/03/2007 15:23 6528]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\F-Secure Internet Security\HIPS\fshs.sys [04/09/2008 12:22 41184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [30/05/2007 16:23 5888]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [05/05/2006 17:33 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [30/05/2007 16:23 114688]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [04/09/2008 12:21 77824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/05/2007 16:10 35968]
S2 gupdate1c9d3663877047e;Google Update Service (gupdate1c9d3663877047e);c:\program files\Google\Update\GoogleUpdate.exe [13/05/2009 02:00 133104]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 13:29 162176]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [14/12/2007 19:04 551680]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [30/05/2007 16:26 435072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [04/09/2008 12:21 40048]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [04/09/2008 12:21 25456]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 01:00]
2009-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 01:00]
2009-09-22 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-SECU~1\ANTI-V~1\fsav.exe [2008-09-04 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com/skynews
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Benjamin Wilson\Application Data\Mozilla\Firefox\Profiles\os6m0tqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.sky.com/skynews
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-opagent - OpAgent.exe
HKLM-Run-pointer - point32.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 03:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\F-Secure Internet Security\FWES\Program\fsdc.dll
c:\program files\Protector Suite QL\mysafe.dll
- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\relog_ap.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\F-Secure Internet Security\FWES\Program\fsdc.dll
- - - - - - - > 'csrss.exe'(868)
c:\program files\F-Secure Internet Security\FWES\Program\fsdc.dll
.
Completion time: 2009-09-23 3:44
ComboFix-quarantined-files.txt 2009-09-23 02:44
Pre-Run: 5,009,453,056 bytes free
Post-Run: 5,011,283,968 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
262 --- E O F --- 2009-08-27 21:34
I've just run another MBAM scan and no malicious items were detected.
#6
Posted 23 September 2009 - 06:50 PM
Glad MBAM didn't detect anything. Still a few things we will do before we are done.
Looks good overall.
Download and Run FlashDisinfector
- Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Update Java to Version 6 Update 16
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
- Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
- Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
- Click the Download button to the right.
- Select your Platform: "Windows".
- Select your Language: "Multi-language".
- Read the License Agreement, and then check the box that says: "Accept License Agreement".
- Click Continue and the page will refresh.
- Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
Run ESET Online Scan
- Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan - Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
- Check
- Click the button.
- Accept any security warnings from your browser.
- Check
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.
Thanks.
With Regards,
Extremeboy
#7
Posted 23 September 2009 - 10:13 PM
Edited by benwizz, 23 September 2009 - 10:19 PM.
#8
Posted 24 September 2009 - 04:13 PM
Could you upload to me, if possible, some of those .exe files that Malwarebytes detected?
Submit file sample
- Open to the Submission Channel.
- Under Link to topic where this file was requested, input:
http://forums.whatthetech.com/hijack_windowsupdates_virus_t107103.html
- Click Browse and select the >>files MBAM detected. 5-6 files is enough (.exe ones)<< (Do one at a time)
- Under the comments section, say that ExtremeBoy asked for the submission.
- Then select Send File to send it
- After that you should get a confirmation if it was uploaded successfully.
~Extremeboy
#9
Posted 24 September 2009 - 08:56 PM
#10
Posted 25 September 2009 - 09:19 AM
#11
Posted 26 September 2009 - 09:14 PM
#12
Posted 27 September 2009 - 03:23 PM
#13
Posted 27 September 2009 - 05:09 PM
Attached Files
#14
Posted 28 September 2009 - 02:39 PM
That looks good.
Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information.
Download and Run OTC
We will now remove the tools we used during this fix using OTC.
- Download OTC by OldTimer and save it to your desktop.
- Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
- Then Click the big button.
- You will get a prompt saying "Begin Cleanup Process". Please select Yes.
- Restart your computer when prompted.
Create a New System Restore Point <- Very Important
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then use Disk Cleanup to remove all but the most recently created Restore Point.
- Go to Start > Run and type: Cleanmgr
- Click "Ok"
- Disk Cleanup will scan your files for several minutes, then open.
- Click the "More Options" Tab.
- Click the "Clean up" button under System Restore.
- Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
- Click Yes, then click Ok.
- Click Yes again when prompted with "Are you sure you want to perform these actions?"
- Disk Cleanup will remove the files and close automatically.
System a bit slow? Try StartupLite
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.
Congratulations! You now appear clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Preventing Infections in the Future
Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
- Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives
When is AUTORUN.INF really an AUTORUN.INF?
USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...
Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.
If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"
Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.
Update Non-Microsoft Programs
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.
Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
If you have no more questions, comments or problems please tell us, so we can close off the topic.
Thanks
With Regards,
Extremeboy
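The post above explains that USB worms rely on an AUTORUN.INF whose open=/shell entries launch a program. As an added example, not a tool from this thread or from any of the utilities it mentions, the Python script below parses an autorun.inf and reports which entries would launch code, so a defender can tell a vendor driver CD's cosmetic autorun.inf from a worm-style one; both sample files are constructed and the RECYCLER path in the second is a placeholder.

```python
"""Triage an autorun.inf from a removable drive (hypothetical helper).

Reports every entry under [autorun] that would cause a program to run when
the drive is inserted (AutoPlay) or double-clicked/right-clicked in Explorer,
and flags the classic decoy where action= copies Explorer's own
"Open folder to view files" text while open= points at an executable.
"""
import re
from typing import Dict, List

# Keys that only affect appearance or the AutoPlay label; they launch nothing.
COSMETIC_KEYS = {"icon", "label", "action", "useautoplay"}
# Keys whose value is a program or command that Autorun/AutoPlay launches.
LAUNCH_KEYS = {"open", "shellexecute"}
# The text Explorer itself shows for the harmless "open the folder" choice.
FOLDER_DECOY_TEXT = "open folder to view files"


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs found under [autorun].

    Windows matches section and key names case-insensitively and ignores
    blank lines and ';' comments, so the parser does the same. Keys are
    lower-cased; values keep their case because they are usually paths.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> List[str]:
    """Return one finding per entry that can launch code (empty = cosmetic only)."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}={value} launches on insert/AutoPlay")
        elif key == "shell":
            findings.append(f"shell={value} makes that verb the double-click default")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append(f"shell verb '{verb}' runs {value} from the drive's context menu")
        elif key.startswith("shell\\"):
            continue  # shell\<verb>=<text> is only the menu caption for that verb
        elif key not in COSMETIC_KEYS:
            findings.append(f"unrecognised key {key}={value}; inspect manually")
    if (entries.get("action", "").lower() == FOLDER_DECOY_TEXT
            and LAUNCH_KEYS & entries.keys()):
        findings.append("action= mimics Explorer's 'Open folder' prompt while "
                        "open=/shellexecute= launches a program (decoy)")
    return findings


# Constructed sample: what a legitimate driver CD typically ships.
VENDOR_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Printer Driver CD
"""

# Constructed sample in the style of a USB worm; the path is a placeholder.
WORM_AUTORUN = """\
; constructed example, not a real infection
[AutoRun]
open=RECYCLER\\hidden\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\Command=RECYCLER\\hidden\\update.exe
shell\\explore\\Command=RECYCLER\\hidden\\update.exe
shell=open
"""

if __name__ == "__main__":
    for name, sample in (("vendor CD", VENDOR_AUTORUN), ("worm-style", WORM_AUTORUN)):
        findings = triage_autorun(sample)
        print(f"{name}: {'EXECUTES CODE' if findings else 'cosmetic only'}")
        for finding in findings:
            print("  -", finding)
```

Note that the script only reads the file's text; per the post's own warning, an autorun.inf on a drive can still be triggered by double-clicking the drive even when Autorun is disabled, so inspect it from a copy rather than by browsing the drive.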
#15
Posted 01 October 2009 - 04:30 PM