computercowboys

help clean, Search Conduit, every time I run ESET online scan I find

35 posts in this topic

I ran into this once before, and it was because the person did something with his users before he became infected; we ended up creating a new user and moving everything over, and that solved the problem.

Have you played with any of the user accounts??

MrC


the original admin account doesn't exist

this account is an admin account

 

If I decided to just NOT use IE anymore, do you think I'm still open to hacking from that Conduit thing?

OR do you suggest I create a whole new admin account?


the original admin account doesn't exist
this account is an admin account


That may be the problem

If I decided to just NOT use IE anymore, do you think I'm still open to hacking from that Conduit thing?

You're not open to hacking, I don't use IE.....I use Chrome...so much better all around.


OR do you suggest I create a whole new admin account?

You can try that.

I'll try to find the topic where we had the exact problem.

MrC


1) How can I tell if it is or isn't the original admin account?  It says "computer administrator".

2) I will start using Firefox and start using Chrome.

3) any final scans to double check that all *bad* stuff is removed?

4) A million thanks for your help on this.


Run this scan:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 13-09-04.04 - Luke 09/04/2013  15:14:25.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1264 [GMT -5:00]
Running from: c:\documents and settings\Luke\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-04 to 2013-09-04  )))))))))))))))))))))))))))))))
.
.
2013-09-03 02:17 . 2013-09-03 02:17    --------    d-----w-    c:\program files\ERUNT
2013-08-30 20:00 . 2013-08-30 20:00    --------    d-----w-    C:\FRST
2013-08-30 18:40 . 2013-08-30 18:40    --------    d-sh--w-    c:\documents and settings\Luke\IECompatCache
2013-08-30 14:49 . 2013-08-30 15:28    --------    d-----w-    C:\RK_Quarantine
2013-08-29 14:45 . 2013-08-29 14:45    --------    d-----w-    c:\program files\ESET
2013-08-29 14:36 . 2013-08-30 16:09    --------    d-----w-    C:\AdwCleaner
2013-08-29 03:23 . 2013-08-29 03:24    105176    ----a-w-    c:\windows\system32\drivers\48230029.sys
2013-08-09 20:00 . 2013-08-14 20:13    --------    d-----w-    c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-03 19:18 . 2009-01-31 02:35    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-08-02 15:36 . 2013-08-02 15:36    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-08-02 15:36 . 2013-08-02 15:37    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-08-02 15:36 . 2012-09-17 15:17    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-08-02 15:36 . 2011-01-09 19:36    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-07-26 02:47 . 2001-08-23 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2001-08-23 12:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2001-08-23 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2004-08-04 05:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-07-18 20:13 . 2013-07-18 20:13    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-10 10:37 . 2001-08-23 12:00    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2001-08-23 12:00    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2001-08-17 13:48    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2008-09-29 14:07 . 2013-08-18 02:21    22576    ----a-w-    c:\program files\mozilla firefox\components\Scriptff.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . D9F19E78F98834CB411D6AD3C68D181A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Luke\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"EPLTarget\P0000000000000000"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_TATIHSA.EXE" [2011-04-24 219008]
"EPLTarget\P0000000000000001"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_TATIHSA.EXE" [2011-04-24 219008]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-27 5703920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-04-26 423144]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-21 19875432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-08-03 1044480]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
c:\documents and settings\Luke\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateServiceV4"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\java.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Documents and Settings\\Luke\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5060:UDP"= 5060:UDP:mj1
"5070:UDP"= 5070:UDP:mj2
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 1:54 PM 116608]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [5/14/2009 5:07 PM 759048]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\EpsonCustomerParticipation\EPCP.exe [6/9/2011 1:01 PM 577088]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/9/2011 3:10 PM 67904]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [12/26/2012 4:36 PM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [12/26/2012 4:36 PM 1369624]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [8/2/2013 10:39 AM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/2/2013 10:39 AM 701512]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [12/26/2012 4:36 PM 168384]
S3 Ca522bv;CA522B WebCam Driver;c:\windows\system32\Drivers\Ca522bv.sys --> c:\windows\system32\Drivers\Ca522bv.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [7/18/2013 3:13 PM 35144]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/2/2013 10:39 AM 22856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/9/2011 3:10 PM 64432]
S3 XDva391;XDva391;\??\c:\windows\system32\XDva391.sys --> c:\windows\system32\XDva391.sys [?]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/12/2013 2:37 PM 3289472]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/21/2013 9:53 AM 162408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-29 14:09    1177552    ----a-w-    c:\program files\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-03 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-12-26 20:08]
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-23 19:03]
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-23 19:03]
.
2013-09-04 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-12-26 20:07]
.
2013-09-02 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-12-26 20:07]
.
2013-09-04 c:\windows\Tasks\User_Feed_Synchronization-{DC7758F4-6C21-4AEE-A618-7AD5F5B50827}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\tgb1q0tf.default-1359755059561\
FF - prefs.js: browser.search.selectedEngine - Google

FF - ExtSQL: 2013-07-19 07:32; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-04 15:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(328)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-09-04  15:20:22
ComboFix-quarantined-files.txt  2013-09-04 20:20
ComboFix2.txt  2013-07-20 23:49
ComboFix3.txt  2013-07-19 17:26
ComboFix4.txt  2013-07-19 00:04
.
Pre-Run: 73,255,718,912 bytes free
Post-Run: 73,274,769,408 bytes free
.
- - End Of File - - FBAD8D3E117FAC9439C9175A9A09DBA4
8F558EB6672622401DA993E1E865C861
 

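The log MrC reads above is long and repetitive, so here is an added example (mine, not part of the thread and not a Malwarebytes or ComboFix tool) of how a responder can pull the review-worthy pieces out of a ComboFix report mechanically: the Run-key autoruns, the firewall's globally open ports, and the IE Trusted Zone entries. Its input is an excerpt of the log posted above. The triage heuristics are assumptions of mine: autoruns launched from user-writable profile paths, remote-access ports from a small lookup table, and every Trusted Zone site are listed for a human to check, not declared malicious. In this log, for instance, the flagged cdloader entry sits in the same mjusbsp folder as the magicJack.exe that appears in the firewall's authorized-applications list, which is exactly the kind of cross-check the note is meant to prompt.

```python
import re

# Excerpt of the ComboFix log posted above (copied from the thread and trimmed
# to the sections this script reads; it is page data, not constructed).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Luke\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-27 5703920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-08-03 1044480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5060:UDP"= 5060:UDP:mj1
"5070:UDP"= 5070:UDP:mj2
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
"""

# Line shapes used by ComboFix's "Reg Loading Points" and supplementary sections.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"(?:\s*\[(?P<stamp>[^\]]*)\])?\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*(?P<rest>\S.*)$')
ZONE_RE = re.compile(r"^Trusted Zone:\s*(?P<site>\S+)$")

# Assumed heuristics (mine): path fragments that mean "writable by the logged-in
# user" and ports a reviewer should always confirm were opened on purpose.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\users\\", "\\temp\\")
REVIEW_PORTS = {3389: "Remote Desktop (RDP)", 5900: "VNC", 23: "Telnet"}


def parse_combofix(text):
    """Extract autoruns, globally open firewall ports and Trusted Zone sites."""
    findings = {"autoruns": [], "open_ports": [], "trusted_zones": []}
    key = ""  # registry key currently being listed, lower-cased
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = ZONE_RE.match(line)
        if m:
            findings["trusted_zones"].append(m.group("site"))
            continue
        if key.endswith("\\run"):
            m = AUTORUN_RE.match(line)
            if m:
                hive = "HKCU" if key.startswith("hkey_current_user") else "HKLM"
                findings["autoruns"].append({
                    "hive": hive, "name": m.group("name"),
                    "path": m.group("path"), "stamp": m.group("stamp") or ""})
        elif key.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                # The rule value is "port:proto:label"; keep the label for the reviewer.
                label = m.group("rest").split(":")[-1]
                findings["open_ports"].append((int(m.group("port")), m.group("proto"), label))
    return findings


def review(findings):
    """Turn findings into review notes; these are prompts, not verdicts."""
    notes = []
    for a in findings["autoruns"]:
        if any(tag in a["path"].lower() for tag in USER_WRITABLE):
            notes.append(f"autorun '{a['name']}' ({a['hive']}) starts from a "
                         f"user-writable path: {a['path']}")
    for port, proto, label in findings["open_ports"]:
        if port in REVIEW_PORTS:
            notes.append(f"firewall opens {port}/{proto} globally "
                         f"({REVIEW_PORTS[port]}; rule label {label!r})")
    for site in findings["trusted_zones"]:
        # Trusted Zone sites get IE's relaxed security settings, so each one is listed.
        notes.append(f"IE Trusted Zone entry: {site}")
    return notes


if __name__ == "__main__":
    for note in review(parse_combofix(SAMPLE_LOG)):
        print("REVIEW:", note)
```

Run it on a saved C:\ComboFix.txt by reading the file into `parse_combofix` instead of `SAMPLE_LOG`; every note still needs the human cross-checks MrC does by hand (publisher, install date, whether the user recognises the program or the port).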

Any difference??

1) How can I tell if it is or isn't the original admin account? It says "computer administrator".

To locate the list of local user profiles, right-click My Computer, click Properties, and then click Settings on the Advanced tab under User Profile.

MrC


The computer seems fine.

I'm not using IE anymore.

There are only two accounts: the admin I mentioned/use and a guest account.

I guess that's all the work to clean it? No getting rid of that pesky Conduit.

Thanks again.


OK......

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:

Download the fixlist.txt to the same folder as FRST.

Run FRST and click Fix only once and wait

That will delete the quarantine folder created by FRST.

-----------------------------

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, C:\FRST, MBAR, etc. For AdwCleaner, just run the program and click Uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
