10 replies to this topic

[gpence]

I recently (about 6 weeks ago) had Windows Police Pro show up on my laptop. I followed the instructions and used Malwarebytes to remove it. This week, I'm seeing a similar situation.
1) I get pop-up screens which appear to be anti-virus warnings (none of these looked like the Windows Police Pro screens though) -- although I did get a message from my taskbar which said I needed the Windows Police Pro upgrade
2) my desktop icons disappear after startup, you see them briefly, then they disappear
3) I cannot use CTRL-ALT-DEL to bring up taskmgr
4) when I attempt to run MBAM, it says it can't find the excecutable.
5) I've turned of restore points (XP Home Edition -- Ugh)
6) I've run MBAM several times and, after getting 14 objects on the first pass, I now repeatedly get 2 objects on my Quick Scan -- the first is Trojan.Agent and the second is Disabled.SecurityCenter. After cleaning and rebooting, I experience the same thing. I'm running Virus Scan 8.7i as my anti-virus, also have Spybot S+D and MBAM installed...

Here are my last MBAM and HJT logs:

------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/16/2009 10:51:18 AM
mbam-log-2009-10-16 (10-51-18).txt

Scan type: Quick Scan
Objects scanned: 112286
Time elapsed: 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realteks (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------------------------------------------------------

HJT log:

------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:36 AM, on 10/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Absolutist Games Toolbar - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - C:\Program Files\Absolutist_Games\tbAbs1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Absolutist Games Toolbar - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - C:\Program Files\Absolutist_Games\tbAbs1.dll
O2 - BHO: (no name) - {77DC0B63-1535-4ba9-8BE8-D59EB676FA02} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Absolutist Games Toolbar - {631ac2d4-57b3-42b0-a148-da33b462c1a3} - C:\Program Files\Absolutist_Games\tbAbs1.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [9317590577] C:\Documents and Settings\Glenn\Application Data\9317590577\9317590577.exe
O4 - HKLM\..\Run: [4837020060] C:\Documents and Settings\Glenn\Application Data\4837020060\4837020060.exe
O4 - HKLM\..\Run: [9875239649] C:\Documents and Settings\Glenn\Application Data\9875239649\9875239649.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\Glenn\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://theclonewars.cartoonnetwork.com/games/game_02_ext.html"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189374853421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1219887458093
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O20 - AppInit_DLLs: c:\windows\system32\kenahozi.dll c:\windows\system32\ c:\windows\system32\zowirewa.dll ,zofowoda.dll
O21 - SSODL: bivovihif - {afc08ac2-d6da-4311-9dd9-36a435c87bc9} - c:\windows\system32\kenahozi.dll (file missing)
O21 - SSODL: hohepowup - {d453a956-a679-4462-b72d-6a3a0fb649de} - c:\windows\system32\zowirewa.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {afc08ac2-d6da-4311-9dd9-36a435c87bc9} - c:\windows\system32\kenahozi.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {d453a956-a679-4462-b72d-6a3a0fb649de} - c:\windows\system32\zowirewa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9561 bytes
------------------------------------------------------------------------------------------------------------------------


Thanks for all of your help!

gpence

[sUBs]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

[gpence]

Here is the combofix log file:

================================================================================
=========

ComboFix 09-10-16.02 - Glenn 10/16/2009 15:32.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.582 [GMT -5:00]
Running from: c:\documents and settings\Glenn\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Glenn\Application Data\4837020060
c:\documents and settings\Glenn\Application Data\4837020060\4837020060.bat
c:\documents and settings\Glenn\Application Data\4837020060\4837020060.cfg
c:\documents and settings\Glenn\Application Data\4837020060\4837020060.exe
c:\documents and settings\Glenn\Application Data\9317590577
c:\documents and settings\Glenn\Application Data\9317590577\9317590577.bat
c:\documents and settings\Glenn\Application Data\9317590577\9317590577.cfg
c:\documents and settings\Glenn\Application Data\9317590577\9317590577.exe
c:\documents and settings\Glenn\Application Data\9875239649
c:\documents and settings\Glenn\Application Data\9875239649\9875239649.bat
c:\documents and settings\Glenn\Application Data\9875239649\9875239649.cfg
c:\documents and settings\Glenn\Application Data\9875239649\9875239649.exe
c:\documents and settings\Glenn\Desktop\Security Tool.lnk
c:\documents and settings\Glenn\Start Menu\Programs\Security Tool.lnk
c:\windows\Installer\a10f796.msi
c:\windows\Installer\a10f797.msp
c:\windows\Installer\a10f798.msp
c:\windows\Installer\a10f799.msp
c:\windows\Installer\a10f79a.msp
c:\windows\Installer\a10f79b.msp
c:\windows\Installer\a10f79c.msp
c:\windows\Installer\a10f79d.msp
c:\windows\Installer\a10f79e.msp
c:\windows\Installer\a10f79f.msp
c:\windows\system32\biheseya.dll
c:\windows\system32\dagenoja.exe
c:\windows\system32\gasfkyigpsrdyx.dat
c:\windows\system32\gasfkypafvkbsm.dat
c:\windows\system32\gasfkysbfpoqmc.dat
c:\windows\system32\gelosaha.dll
c:\windows\system32\hidekeli.exe
c:\windows\system32\jeziluku.exe
c:\windows\system32\jideraye.dll
c:\windows\system32\kebajuvi.dll.tmp
c:\windows\system32\ketineno.exe
c:\windows\system32\kohedoge.dll
c:\windows\system32\lapolude.exe
c:\windows\system32\lejorude.dll.tmp
c:\windows\system32\nazomafo.exe
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\takamegu.dll
c:\windows\system32\talamuko.exe
c:\windows\system32\tuvikize.dll
c:\windows\system32\zofowoda.dll.tmp
c:\windows\system32\zusidebi.exe
c:\windows\wf3.dat
c:\windows\wf4.dat

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkyjkwcxwne
-------\Legacy_gasfkyvpbwibcr
-------\Service_gasfkyjkwcxwne
-------\Service_gasfkyvpbwibcr


((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-16 20:06 . 2009-10-16 20:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-16 15:54 . 2009-10-16 15:54 -------- d-----w- c:\program files\Trend Micro
2009-10-16 14:38 . 2009-04-30 01:07 65224 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2009-10-16 14:38 . 2009-04-30 01:07 91640 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-16 14:38 . 2009-04-30 01:07 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2009-10-16 14:38 . 2009-04-30 01:07 70216 ----a-w- c:\windows\system32\mfevtps.exe
2009-10-16 14:38 . 2009-04-30 01:07 63696 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-10-16 14:38 . 2009-04-30 01:07 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-16 14:38 . 2009-04-30 01:07 342128 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-16 14:37 . 2009-10-16 14:37 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-16 14:36 . 2009-10-16 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-16 14:36 . 2009-10-16 14:37 -------- d-----w- c:\program files\McAfee
2009-10-15 19:19 . 2009-10-15 19:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-12 21:42 . 2009-10-12 21:42 -------- d-----w- C:\b9daa5c0ed9243394842
2009-09-21 21:33 . 2009-09-21 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 19:22 . 2009-06-07 20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 21:38 . 2007-10-18 13:47 -------- d-----w- c:\program files\Microsoft Money 2007
2009-09-10 19:54 . 2009-06-07 20:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-07 20:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 19:21 . 2007-09-11 04:10 47224 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 13:28 . 2009-08-18 13:28 -------- d-----w- c:\program files\MSBuild
2009-08-18 13:27 . 2009-08-18 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:11 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-04-30 01:07 . 2009-10-16 14:38 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-07-04 16:36 . 2009-07-04 16:36 52736 --sha-w- c:\windows\system32\havetini.dll
2009-07-16 20:04 . 2009-07-16 20:04 51712 --sha-w- c:\windows\system32\lomokafu.dll
2009-07-16 20:04 . 2009-07-16 20:04 310272 --sha-w- c:\windows\system32\pododome.exe
2009-07-16 20:04 . 2009-07-16 20:04 51712 --sha-w- c:\windows\system32\tidahahi.dll
2009-07-04 16:36 . 2009-07-04 16:36 52736 --sha-w- c:\windows\system32\vagelara.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{631ac2d4-57b3-42b0-a148-da33b462c1a3}"= "c:\program files\Absolutist_Games\tbAbs1.dll" [2008-02-05 1555480]

[HKEY_CLASSES_ROOT\clsid\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]
2008-02-05 18:28 1555480 ----a-w- c:\program files\Absolutist_Games\tbAbs1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d47b51ae-557d-4389-b973-e6b95bc5c6d8}]
2009-07-16 20:04 51712 --sha-w- c:\windows\system32\lomokafu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{631ac2d4-57b3-42b0-a148-da33b462c1a3}"= "c:\program files\Absolutist_Games\tbAbs1.dll" [2008-02-05 1555480]

[HKEY_CLASSES_ROOT\clsid\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{631AC2D4-57B3-42B0-A148-DA33B462C1A3}"= "c:\program files\Absolutist_Games\tbAbs1.dll" [2008-02-05 1555480]

[HKEY_CLASSES_ROOT\clsid\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-12-13 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/16/2009 9:38 AM 65224]
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\7f7jl6d8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - d:\malwarebytes' anti-malware\mbam.exe
HKLM-Run-9317590577 - c:\documents and settings\Glenn\Application Data\9317590577\9317590577.exe
HKLM-Run-4837020060 - c:\documents and settings\Glenn\Application Data\4837020060\4837020060.exe
HKLM-Run-9875239649 - c:\documents and settings\Glenn\Application Data\9875239649\9875239649.exe
HKLM-Run-realteks - c:\documents and settings\Glenn\Application Data\Google\uqrke8412012.exe
HKLM-Run-kilonilij - c:\windows\system32\jideraye.dll
HKLM-Run-sepiyujeka - biheseya.dll
SharedTaskScheduler-{afc08ac2-d6da-4311-9dd9-36a435c87bc9} - c:\windows\system32\kenahozi.dll
SharedTaskScheduler-{d453a956-a679-4462-b72d-6a3a0fb649de} - c:\windows\system32\zowirewa.dll
SharedTaskScheduler-{45fcc58b-6a8c-4615-9a68-f6931bfd8702} - c:\windows\system32\jideraye.dll
SSODL-bivovihif-{afc08ac2-d6da-4311-9dd9-36a435c87bc9} - c:\windows\system32\kenahozi.dll
SSODL-hohepowup-{d453a956-a679-4462-b72d-6a3a0fb649de} - c:\windows\system32\zowirewa.dll
SSODL-hunimimat-{45fcc58b-6a8c-4615-9a68-f6931bfd8702} - c:\windows\system32\jideraye.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 15:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\McAfee\VirusScan Enterprise\engineserver.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\windows\system32\mfevtps.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\BCMWLTRY.EXE
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-16 15:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 20:48

Pre-Run: 66,870,214,656 bytes free
Post-Run: 67,424,690,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

248 --- E O F --- 2009-09-10 21:38

================================================================================
=========

Thanks,
gpence

[sUBs]

Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=27997&st=0&#entry144217
COLLECT::
c:\windows\system32\havetini.dll
c:\windows\system32\lomokafu.dll
c:\windows\system32\pododome.exe
c:\windows\system32\tidahahi.dll
c:\windows\system32\vagelara.dll
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d47b51ae-557d-4389-b973-e6b95bc5c6d8}]

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingc...e.php?channel=4


---------------


ESET Online Scanner

• Please go to the following link ESET Online Scanner Link
  
• Tick the box YES, I accept the Terms Of Use
  
• Click the Start button
  
• Now click the Install button
  
• Click Start
  
  The scanner engine will initialise and update
  
  
• Do Not tick the box Remove found threats
  
• Click the Scan button
  
  The scan will now run, please be patient
  
  
• When the scan finishes click the Details tab
  
• Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

---------------


In your next post, please include fresh logs from:

• Online scan
  
• ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[gpence]

Computer seems to have returned to normal -- icons are back, CTRL-ALT-DEL brings up Taskmgr, etc. but the scan found (and did NOT remove) numerous files as shown below:


=============================================== Combofix Log =====

ComboFix 09-10-16.02 - Glenn 10/16/2009 18:48.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.560 [GMT -5:00]
Running from: c:\documents and settings\Glenn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Glenn\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

file zipped: c:\windows\system32\havetini.dll
file zipped: c:\windows\system32\lomokafu.dll
file zipped: c:\windows\system32\pododome.exe
file zipped: c:\windows\system32\tidahahi.dll
file zipped: c:\windows\system32\vagelara.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\havetini.dll
c:\windows\system32\lomokafu.dll
c:\windows\system32\pododome.exe
c:\windows\system32\tidahahi.dll
c:\windows\system32\vagelara.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-16 20:50 . 2009-10-16 20:50 -------- d-----w- c:\windows\LastGood
2009-10-16 20:06 . 2009-10-16 20:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-16 15:54 . 2009-10-16 15:54 -------- d-----w- c:\program files\Trend Micro
2009-10-16 14:38 . 2009-04-30 01:07 65224 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2009-10-16 14:38 . 2009-04-30 01:07 91640 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-16 14:38 . 2009-04-30 01:07 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2009-10-16 14:38 . 2009-04-30 01:07 70216 ----a-w- c:\windows\system32\mfevtps.exe
2009-10-16 14:38 . 2009-04-30 01:07 63696 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-10-16 14:38 . 2009-04-30 01:07 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-16 14:38 . 2009-04-30 01:07 342128 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-16 14:37 . 2009-10-16 14:37 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-16 14:36 . 2009-10-16 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-16 14:36 . 2009-10-16 14:37 -------- d-----w- c:\program files\McAfee
2009-10-15 19:19 . 2009-10-15 19:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-12 21:42 . 2009-10-12 21:42 -------- d-----w- C:\b9daa5c0ed9243394842
2009-09-21 21:33 . 2009-09-21 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 19:22 . 2009-06-07 20:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 21:38 . 2007-10-18 13:47 -------- d-----w- c:\program files\Microsoft Money 2007
2009-09-10 19:54 . 2009-06-07 20:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-07 20:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 19:21 . 2007-09-11 04:10 47224 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 13:28 . 2009-08-18 13:28 -------- d-----w- c:\program files\MSBuild
2009-08-18 13:27 . 2009-08-18 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:11 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-04-30 01:07 . 2009-10-16 14:38 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-16_20.41.42 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{631ac2d4-57b3-42b0-a148-da33b462c1a3}"= "c:\program files\Absolutist_Games\tbAbs1.dll" [2008-02-05 1555480]

[HKEY_CLASSES_ROOT\clsid\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]
2008-02-05 18:28 1555480 ----a-w- c:\program files\Absolutist_Games\tbAbs1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{631ac2d4-57b3-42b0-a148-da33b462c1a3}"= "c:\program files\Absolutist_Games\tbAbs1.dll" [2008-02-05 1555480]

[HKEY_CLASSES_ROOT\clsid\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{631AC2D4-57B3-42B0-A148-DA33B462C1A3}"= "c:\program files\Absolutist_Games\tbAbs1.dll" [2008-02-05 1555480]

[HKEY_CLASSES_ROOT\clsid\{631ac2d4-57b3-42b0-a148-da33b462c1a3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-12-13 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/16/2009 9:38 AM 70216]
S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [5/5/2009 1:06 PM 231424]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/16/2009 9:38 AM 65224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MFERKDET
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\7f7jl6d8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\McAfee\SiteAdvisor Enterprise\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 18:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-16 18:53
ComboFix-quarantined-files.txt 2009-10-16 23:53
ComboFix2.txt 2009-10-16 20:48

Pre-Run: 67,281,547,264 bytes free
Post-Run: 67,238,019,072 bytes free

138 --- E O F --- 2009-09-10 21:38
Upload was successful

=============================================================

==================== ESET log ===================================

C:\Qoobox\Quarantine\C\Documents and Settings\Glenn\Application Data\4837020060\4837020060.exe.vir a variant of Win32/Kryptik.ARV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Glenn\Application Data\9317590577\9317590577.exe.vir a variant of Win32/Kryptik.ARV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Glenn\Application Data\9875239649\9875239649.exe.vir Win32/Adware.SecurityTool application
C:\Qoobox\Quarantine\C\WINDOWS\system32\dagenoja.exe.vir Win32/Adware.SecurityTool application
C:\Qoobox\Quarantine\C\WINDOWS\system32\gelosaha.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hidekeli.exe.vir a variant of Win32/Kryptik.AEA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\jeziluku.exe.vir a variant of Win32/Kryptik.ARV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\kebajuvi.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\ketineno.exe.vir a variant of Win32/Kryptik.AVV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\kohedoge.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lapolude.exe.vir a variant of Win32/Kryptik.AEA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lejorude.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\nazomafo.exe.vir a variant of Win32/Kryptik.ARV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\zofowoda.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\zusidebi.exe.vir a variant of Win32/Kryptik.AEA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir Win32/Adware.WinAntiVirus application
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir Win32/Adware.WinAntiVirus application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152573.dll a variant of Win32/Adware.Virtumonde.NFR application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152574.dll a variant of Win32/Adware.Virtumonde.NFT application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152581.dll a variant of Win32/Adware.Virtumonde.NFT application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152583.dll a variant of Win32/Adware.Virtumonde.NFP application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152584.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152585.dll a variant of Win32/Adware.Virtumonde.NFP application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152586.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152587.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152588.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152589.dll a variant of Win32/Adware.Virtumonde.NFR application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152590.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152591.dll a variant of Win32/Adware.Virtumonde.NFR application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152592.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152593.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0152594.dll a variant of Win32/Adware.Virtumonde.NFR application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153682.exe a variant of Win32/Kryptik.AVV trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153683.exe a variant of Win32/Kryptik.AEA trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153684.exe a variant of Win32/Kryptik.AEA trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153689.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153690.dll a variant of Win32/AntiAV.NCZ trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153691.dll a variant of Win32/Adware.Virtumonde.NFP application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP235\A0153694.dll a variant of Win32/Adware.Virtumonde.NFT application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154043.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154044.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154045.dll a variant of Win32/Adware.SuperJuan.F application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154066.exe a variant of Win32/Kryptik.ARV trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154069.exe a variant of Win32/Kryptik.ARV trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154072.exe Win32/Adware.SecurityTool application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154074.exe Win32/Adware.SecurityTool application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154075.dll a variant of Win32/Adware.Virtumonde.NFR application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154076.exe a variant of Win32/Kryptik.AEA trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154077.exe a variant of Win32/Kryptik.ARV trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154078.exe a variant of Win32/Kryptik.AVV trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154079.dll a variant of Win32/Adware.Virtumonde.NFR application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154080.exe a variant of Win32/Kryptik.AEA trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154081.exe a variant of Win32/Kryptik.ARV trojan
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154083.exe Win32/Adware.WinAntiVirus application
C:\System Volume Information\_restore{CE55E858-51A2-41BB-B902-DEB36C51C724}\RP236\A0154085.exe a variant of Win32/Kryptik.AEA trojan
C:\WINDOWS\system32\kogepugo.dll_old a variant of Win32/Adware.SuperJuan.F application
C:\WINDOWS\system32\sakurubu.dll_old a variant of Win32/Adware.SuperJuan.F application
C:\WINDOWS\system32\zowirewa.dll_old a variant of Win32/Adware.Virtumonde.NFT application

=====================================

Should I run the ESET scan again with the remove threats checked?

gpence

[gpence]

I am astounded that there are that many trojans on my laptop given that I'm running VirusScan Enterprise 8.7 with an Oct 15th DAT file, Spybot S+D, MBAM... what else can I do protect myself?

Thanks again,
gpence

[sUBs]

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
C:\WINDOWS\system32\kogepugo.dll_old
C:\WINDOWS\system32\sakurubu.dll_old
C:\WINDOWS\system32\zowirewa.dll_old
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says


----------

Quote

am astounded that there are that many trojans on my laptop given that I'm running VirusScan Enterprise 8.7 with an Oct 15th DAT file, Spybot S+D, MBAM... what else can I do protect myself?

Perhaps time to consider some other scanners?

[gpence]

Response is:


=======================

Deleted Successfully !!
Press any key to continue...

=======================


So does this mean I'm finally clean again? What do you recommend for a new scanner?

Thanks,
gpence

[sUBs]

Quote

What do you recommend for a new scanner?

Which scanner detected files that your current one didn't? Eset is quite a good scanner.


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

• Uninstall ComboFix ... do not skip this step
  This process will perform some post cleanup measures.
  Do this by going to to Start > Run & typing in ComboFix /U
  
  
  
  
• ANTIVIRUS SOFTWARE
  It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
  
  
• Microsoft Windows Update → http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
  
• http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
  
• http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955

After doing all these, your system will be optimised against future threats.
.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

[gpence]

Thanks for all of your work and advice!!! Hope you have a great weekend.

Btw, is ESET associated with MBAM, or are you? I appreciate your support and I would gladly support the company you're affiliated with...

Thanks again sUBs,

gpence

[sUBs]

I work for MBAM as a researcher for analysing malware and creating the definitions for the detection/removal. Not affiliated with ESET.

Both are fine scanners to have on the machine. ESET is an antivirus program and MBAM is an anti-spyware one. Both compliments each other