
html:script-inf VIRUS - How do I remove it?


Postby ippudo » Mon Apr 11, 2011 9:56 pm

Hi there,

I downloaded the ilivid downloader on Saturday and it automatically installed a toolbar called "searchqu". I read that it is malware that isn't detected by malwarebytes and that I would need to delete the accompanying folder, which is what I did. However, the searchqu toolbar still showed up under "View"/Toolbars. My PC (Windows XP, SP3) worked fine until a few hours ago when Avast started flagging the infection "html:script-inf" in Documents and Settings/local... (object: .../js/top-cirpdw.js {gzip}) - (process: program file/mozilla firefox.exe) each time I try to go on a new website. After a while, the websites wouldn't open any more and I got the message "Problem loading page". I tried with Internet Explorer and Chrome and got the same message from Avast, the affected .exe file then being Internet Explorer.exe and Chrome.exe, respectively. When I open Chrome, the address bar reads "www.searchqu.com". I ran malwarebytes and it found nothing.
At present, I can still access the web in safe mode.

Below is my hijack this log. I would really appreciate your help. Many thanks in advance!

Michael

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:47:51, on 11/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Michael Ludes\Desktop\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.myantispyware.com;myantispyware.com ... micro.com;<local>;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON SX410 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE /FU "C:\WINDOWS\TEMP\E_S6B4.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 5918 bytes
ippudo
 
Posts: 24
Joined: Sun Jun 20, 2010 4:02 am

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Mon Apr 11, 2011 10:40 pm

I forgot to mention, I also ran DDS - please see the 2 attachments, if that's any help. Thanks!

Michael

Re: html:script-inf VIRUS - How do I remove it?

Postby 12056 » Mon Apr 11, 2011 10:56 pm

Please download TFC to your desktop.
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Please download ComboFix from here.
Close your browser, and double-click on the tiger icon.
Let ComboFix run unhindered; mouse clicks may cause it to stall.
Your computer may restart after the scan; this is normal.

Please post the ComboFix log; it will appear after the restart.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Tue Apr 12, 2011 1:16 am

Thanks for replying so quickly, it's really appreciated!

I ran TFC in Administrator mode without problems, but when I tried running ComboFix, I got a "Warning!" message, "ComboFix has detected real-time scanners to be active" (in my case Avast!), which warned of possible machine damage if I didn't disable it. I then "disabled all shields permanently" but still get the same warning. (I thought in safe mode I wouldn't have to disable any antivirus software???) My question: Can I continue running ComboFix regardless? Or should I UNINSTALL Avast! to avoid possible damage to my computer? Or perhaps there's another option?

Thanks again,
Michael

Re: html:script-inf VIRUS - How do I remove it?

Postby 12056 » Tue Apr 12, 2011 1:19 am

Disabling the shields should have taken care of it, but if needed you can uninstall it for now (if you want).
I do recommend that you do because, as stated, Combofix can render your system disabled if an AV tries to quarantine it during its scan!

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Tue Apr 12, 2011 2:21 am

I did everything as you suggested and uninstalled Avast!. After that ComboFix ran smoothly and it seems I can access webpages again! I had a look at the ComboFix log and the ilividinstaller and searchqu .exes seem to have been caught. Is there anything else I should look into? System restore perhaps?

Again, many many thanks; I don't know what I would have done without you guys, you really saved my day (night! :))

ComboFix 11-04-11.02 - Michael Ludes 12/04/2011 2:48.4.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.343 [GMT 1:00]
Running from: c:\documents and settings\Michael Ludes\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\vlc-1.1.5-win32.exe
c:\documents and settings\...\Application Data\Mozilla\Firefox\Profiles\324nwumo.default\searchplugins\SearchquWebSearch.xml
c:\program files\autorun.inf
c:\program files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
H:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-12 00:51 . 2011-04-12 00:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-12 00:46 . 2011-04-12 00:46 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-04-09 17:35 . 2011-04-09 17:35 -------- d-----w- c:\documents and settings\Michael Ludes\Local Settings\Application Data\Ilivid Player
2011-04-09 17:31 . 2011-04-09 17:31 -------- d-----w- c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar
2011-04-09 17:31 . 2011-04-09 17:31 -------- d-----w- c:\documents and settings\Michael Ludes\Local Settings\Application Data\PackageAware
2011-04-03 23:32 . 2011-04-04 02:11 -------- d-----w- c:\documents and settings\Michael Ludes\Application Data\AIMP
2011-04-03 23:29 . 2011-04-03 23:31 -------- d-----w- c:\program files\AIMP2
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2003-07-16 20:43 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-07-16 20:27 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-07-05 23:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-10-18 22:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2009-05-05 15:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-05-05 15:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-07-16 20:44 439296 ----a-w- c:\windows\system32\shimgvw.dll
2009-06-01 17:25 . 2011-01-08 17:05 313832 ------w- c:\program files\Start.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-03 175400]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-15 135664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"4735:UDP"= 4735:UDP:Windows Media Format SDK (wmplayer.exe)
"4734:UDP"= 4734:UDP:Windows Media Format SDK (wmplayer.exe)
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_25641;RapportCerberus_25641;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641.sys [07/04/2011 15:45 56888]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [27/04/2007 01:00 316992]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [13/11/2009 11:28 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 08:58 20480]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/08/2010 12:51 11520]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1454471165-839522115-1004Core.job
- c:\documents and settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-15 02:35]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1454471165-839522115-1004UA.job
- c:\documents and settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-15 02:35]
.
2011-02-21 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-15 16:42]
.
2011-02-26 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-15 16:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = www.myantispyware.com;myantispyware.com ... micro.com;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael Ludes\Application Data\Mozilla\Firefox\Profiles\324nwumo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: SearchquToolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - %profile%\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{038CB5C7-48EA-4AF9-94E0-A1646542E62B} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-AdobeBridge - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe
AddRemove-iLivid Download Manager - c:\program files\ilivid\uninstall.exe
AddRemove-Searchqu 406 MediaBar - c:\program files\Windows ilivid Toolbar\uninstall.exe
AddRemove-ToggleEN Toolbar - c:\progra~1\ToggleEN\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-12 02:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(3156)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
c:\program files\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
c:\windows\system32\wscntfy.exe
c:\program files\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
c:\program files\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE
c:\program files\ADOBE\READER 9.0\READER\READER_SL.EXE
.
**************************************************************************
.
Completion time: 2011-04-12 03:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 02:07
ComboFix2.txt 2010-07-07 21:28
.
Pre-Run: 3,756,564,480 bytes free
Post-Run: 3,607,379,968 bytes free
.
- - End Of File - - 390F8ACB690A28FBB860254D2220F17F

Re: html:script-inf VIRUS - How do I remove it?

Postby 12056 » Tue Apr 12, 2011 2:34 am

You can remove system restore points at the end, when you are fully clean, and create a new one to revert back to (if need be!).

We need to remove and check a couple more things...
Please open notepad and copy and paste the below code into it exactly.

KillAll::

Folder::
c:\documents and settings\Michael Ludes\Local Settings\Application Data\Ilivid Player
c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar
c:\documents and settings\Michael Ludes\Local Settings\Application Data\PackageAware
c:\program files\AskBarDis

Driver::
ASKService
ASKUpgrade

Firefox::
FF - Ext: SearchquToolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - %profile%\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}

Reboot::


Save the file as CFScript.
Then, drag and drop the file onto the Combofix.exe file to launch the removal script.

A second Combofix log will be created after restart, post it to ensure removal.

Then, download SuperAntiSpyware from here.
Run it, Update it, and run a "Quick Scan".
Remove any infections it finds, and post the log file (log file location: Preferences, "Logs and Statistics" tab).
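As an added example (not ComboFix's code and not the moderator's script), here is the triage behind a CFScript like the one above, in Python: it scans ComboFix lines quoted from this thread for directory entries under "Files Created", services whose binary is missing, and "FF - Ext:" entries that match a watch-list, then renders the Folder::, Driver:: and Firefox:: sections in the layout shown. The watch-list and the log excerpt are constructed from the thread; the c:\program files\AskBarDis folder the moderator added by hand is not derived.

```python
"""Triage ComboFix log lines for the toolbar bundle discussed in this thread
and draft the CFScript sections to remove it.

Added example: this is not ComboFix's code or the moderator's script. It reads
three kinds of ComboFix lines (directory entries under "Files Created",
services whose image is missing, and "FF - Ext:" extension entries), keeps the
ones whose path or name matches a watch-list, and renders them in the
Folder::/Driver::/Firefox:: layout used in the thread.
"""
import re

# Constructed watch-list: names the thread tied to the iLivid/Searchqu bundle.
# Assumption: a responder seeds this from the user's description and the log.
WATCHLIST = ("ilivid", "searchqu", "askbardis", "packageaware")

# Directory entries under "Files Created":
#   YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM -------- d-----w- <path>
# File entries carry a size instead of the dashes, so they do not match.
DIR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+-+\s+d[-a-z]+\s+(?P<path>.+)$"
)
# Service/driver entries whose binary is gone:
#   S4 <name>;<display name>;<path> --> <path> [?]
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) --> .+ \[\?\]$")
# Firefox extension entries: FF - Ext: <name>: <id> - <location>
FFEXT_RE = re.compile(r"^FF - Ext: (?P<name>[^:]+): (?P<id>\S+) - .+$")


def suspicious(text):
    """True when any watch-list keyword occurs in the text (case-insensitive)."""
    low = text.lower()
    return any(keyword in low for keyword in WATCHLIST)


def triage(log_text):
    """Return the CFScript candidates found in a ComboFix log excerpt."""
    findings = {"Folder": [], "Driver": [], "Firefox": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            if suspicious(m.group("path")):
                findings["Folder"].append(m.group("path"))
            continue
        m = SVC_RE.match(line)
        if m:
            if suspicious(m.group("path")):
                findings["Driver"].append(m.group("name"))
            continue
        m = FFEXT_RE.match(line)
        if m and suspicious(m.group("name")):
            # CFScript takes the whole "FF - Ext:" line verbatim, as in the thread.
            findings["Firefox"].append(line)
    return findings


def build_cfscript(findings):
    """Render findings as CFScript text in the layout the moderator posted."""
    parts = ["KillAll::"]
    for section in ("Folder", "Driver", "Firefox"):
        entries = findings[section]
        if entries:
            parts += ["", section + "::"] + entries
    parts += ["", "Reboot::"]
    return "\n".join(parts) + "\n"


# Constructed excerpt: lines copied from the first ComboFix log in this thread,
# plus benign lines (AIMP2, sbe.dll, ivusb, Java Quick Starter) that the
# filter must leave alone.
SAMPLE_LOG = r"""
2011-04-09 17:35 . 2011-04-09 17:35 -------- d-----w- c:\documents and settings\Michael Ludes\Local Settings\Application Data\Ilivid Player
2011-04-09 17:31 . 2011-04-09 17:31 -------- d-----w- c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar
2011-04-09 17:31 . 2011-04-09 17:31 -------- d-----w- c:\documents and settings\Michael Ludes\Local Settings\Application Data\PackageAware
2011-04-03 23:29 . 2011-04-03 23:31 -------- d-----w- c:\program files\AIMP2
2011-02-09 13:53 . 2003-07-16 20:43 270848 ----a-w- c:\windows\system32\sbe.dll
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: SearchquToolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - %profile%\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
"""

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Running the block prints a draft with the same three Folder:: entries, both Driver:: names and the Firefox:: line that the moderator posted; the draft is a starting point for a human reviewer, not something to run unread.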

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Tue Apr 12, 2011 3:32 am

Okay, thanks, so here's the second ComboFix log (upload for analysis). I'll download myantispyware in a second and will post that log too...

ComboFix 11-04-11.02 - Michael Ludes 12/04/2011 3:47.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.142 [GMT 1:00]
Running from: c:\documents and settings\Michael Ludes\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Ludes\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
file zipped: c:\program files\Start.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar
c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar\dtx.ini
c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar\guid.dat
c:\documents and settings\Michael Ludes\Application Data\searchqutoolbar\setupCfg.xml
c:\documents and settings\Michael Ludes\Local Settings\Application Data\Ilivid Player
c:\documents and settings\Michael Ludes\Local Settings\Application Data\Ilivid Player\script.qscript
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-12 02:26 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-12 02:26 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-12 02:26 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-12 02:26 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-12 02:26 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-12 02:26 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-12 02:26 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-12 02:26 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-12 02:25 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-12 02:25 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-12 02:25 . 2011-04-12 02:25 -------- d-----w- c:\program files\AVAST Software
2011-04-12 02:25 . 2011-04-12 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-12 00:51 . 2011-04-12 00:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-12 00:46 . 2011-04-12 00:46 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-04-09 17:31 . 2011-04-09 17:31 -------- d-----w- c:\documents and settings\Michael Ludes\Local Settings\Application Data\PackageAware
2011-04-03 23:32 . 2011-04-04 02:11 -------- d-----w- c:\documents and settings\Michael Ludes\Application Data\AIMP
2011-04-03 23:29 . 2011-04-03 23:31 -------- d-----w- c:\program files\AIMP2
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2003-07-16 20:43 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-07-16 20:27 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-07-05 23:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-10-18 22:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2009-05-05 15:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-05-05 15:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-07-16 20:44 439296 ----a-w- c:\windows\system32\shimgvw.dll
2009-06-01 17:25 . 2011-01-08 17:05 313832 ------w- c:\program files\Start.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-03 175400]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-15 135664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"4735:UDP"= 4735:UDP:Windows Media Format SDK (wmplayer.exe)
"4734:UDP"= 4734:UDP:Windows Media Format SDK (wmplayer.exe)
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/04/2011 03:26 301528]
R1 RapportCerberus_25641;RapportCerberus_25641;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641.sys [07/04/2011 15:45 56888]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/04/2011 03:26 19544]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [27/04/2007 01:00 316992]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [13/11/2009 11:28 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 08:58 20480]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/08/2010 12:51 11520]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/04/2011 03:26 371544]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1454471165-839522115-1004Core.job
- c:\documents and settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-15 02:35]
.
2011-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1454471165-839522115-1004UA.job
- c:\documents and settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-15 02:35]
.
2011-02-21 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-15 16:42]
.
2011-02-26 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-15 16:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = www.myantispyware.com;myantispyware.com ... micro.com;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael Ludes\Application Data\Mozilla\Firefox\Profiles\324nwumo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: SearchquToolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - %profile%\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-12 04:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-04-12 04:20:43
ComboFix-quarantined-files.txt 2011-04-12 03:20
ComboFix2.txt 2011-04-12 02:07
ComboFix3.txt 2010-07-07 21:28
.
Pre-Run: 3,352,088,576 bytes free
Post-Run: 3,319,566,336 bytes free
.
- - End Of File - - 6FF500C6A9F4053BDB524AB9921BEB0A
ippudo
 
Posts: 24
Joined: Sun Jun 20, 2010 4:02 am

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Tue Apr 12, 2011 4:23 am

I ran the scan with SuperAntiSpyware twice (first time I didn't see a log file in "preferences", or rather when I opened SAS again, it wasn't there). I remember there were 5 minor infections (3 adware cookies and 2 double-click ads, I think). The second scan yielded 0 infections and looks like this (just for your information, please see below). Let me know what else I should do. I guess I would have to uninstall Combofix at some point...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2011 at 05:16 AM

Application Version : 4.50.1002

Core Rules Database Version : 6815
Trace Rules Database Version: 4627

Scan type : Quick Scan
Total Scan Time : 00:14:41

Memory items scanned : 501
Memory threats detected : 0
Registry items scanned : 1621
Registry threats detected : 0
File items scanned : 5429
File threats detected : 0
ippudo
 
Posts: 24
Joined: Sun Jun 20, 2010 4:02 am

Re: html:script-inf VIRUS - How do I remove it?

Postby 12056 » Tue Apr 12, 2011 2:50 pm

Log looks ok now, how's your computer?

Go ahead and uninstall Combofix:
1. Start, Run, Type: Combofix.exe /Uninstall and click OK.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Tue Apr 12, 2011 4:22 pm

Hi again, I ran ESET Online Scanner, and it found amplayer.exe (as part of DivX player) as a potential threat in "My Documents and Settings", which I deleted manually. I then uninstalled ComboFix, but when I tried to update Avast!, it stalls on Step 2 and says "can't connect to server", even though all shields are enabled and I have temporarily disabled my Windows Firewall. I have registered too, so I don't know what the problem is. When I restarted my computer, Avast! flagged a threat called "DCOM Exploit" and apparently blocked it, but since I can't update my virus definitions I'm a bit worried. Do you have any more suggestions?

I just ran another Hijack This log, and one of the O23 entries looks a bit odd to me - is there perhaps an important Avast! file missing? Thanks again for your help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:20:24, on 12/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe
C:\PROGRAM FILES\COMMON FILES\Java\JAVA UPDATE\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael Ludes\Desktop\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.myantispyware.com;myantispyware.com ... micro.com;<local>;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] C:\PROGRAM FILES\COMMON FILES\Adobe\ARM\1.0\AdobeARM.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] C:\PROGRAM FILES\COMMON FILES\Adobe\CS4SERVICEMANAGER\CS4SERVICEMANAGER.EXE -launchedbylogin
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\PROGRAM FILES\Adobe\Reader 9.0\Reader\READER_SL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\PROGRAM FILES\COMMON FILES\Java\JAVA UPDATE\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NEROCHECK.EXE
O4 - HKLM\..\RunOnce: [B Register C:\Program Files\DivX\DivX Plus Player\DPXPlugins\DPXDownloadManagerPlugin.dll] RunDLL32.exe C:\PROGRAM FILES\DivX\DIVX PLUS PLAYER\DPXPLUGINS\DPXDOWNLOADMANAGERPLUGIN.DLL ,DllRegisterServer
O4 - HKLM\..\RunOnce: [B Register C:\Program Files\DivX\DivX Plus Player\DPXPlugins\DPXMediaManagerPlugin.dll] RunDLL32.exe C:\PROGRAM FILES\DivX\DIVX PLUS PLAYER\DPXPLUGINS\DPXMEDIAMANAGERPLUGIN.DLL ,DllRegisterServer
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael Ludes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 8535 bytes
ippudo
 
Posts: 24
Joined: Sun Jun 20, 2010 4:02 am

Re: html:script-inf VIRUS - How do I remove it?

Postby ippudo » Tue Apr 12, 2011 4:42 pm

Update: I just changed my Avast! settings to "no proxy server" and the virus definitions have updated without problems - phew! The Hijack This log remains unchanged though - it still says "(Avast) file missing". As for the DCOM Exploit attempt, I just read on the Avast! forum it's okay if Avast! blocks it.

I finally managed to uninstall the searchqu toolbar in Firefox via the "add-ons" list, so it looks as if it's completely gone now. Should I do a system restore?
ippudo
 
Posts: 24
Joined: Sun Jun 20, 2010 4:02 am

Re: html:script-inf VIRUS - How do I remove it?

Postby 12056 » Tue Apr 12, 2011 11:53 pm

Go ahead and use HijackThis to remove:

Code:
O4 - HKLM\..\RunOnce: [B Register C:\Program Files\DivX\DivX Plus Player\DPXPlugins\DPXDownloadManagerPlugin.dll] RunDLL32.exe C:\PROGRAM FILES\DivX\DIVX PLUS PLAYER\DPXPLUGINS\DPXDOWNLOADMANAGERPLUGIN.DLL ,DllRegisterServer

O4 - HKLM\..\RunOnce: [B Register C:\Program Files\DivX\DivX Plus Player\DPXPlugins\DPXMediaManagerPlugin.dll] RunDLL32.exe C:\PROGRAM FILES\DivX\DIVX PLUS PLAYER\DPXPLUGINS\DPXMEDIAMANAGERPLUGIN.DLL ,DllRegisterServer


Create a new restore point, but don't restore to an old one; you should actually delete all the old ones (as they would actually restore malware!).

P.S. The personal e-mail wasn't a problem; as a moderator, I like it when people notify me of suspicious posts so that they can be removed in a timely manner!
As it appears your issue has been resolved, I'm going to lock this topic; should you need further assistance, PM me and I'll return.
Last edited by 12056 on Tue Apr 12, 2011 11:57 pm, edited 1 time in total.
Reason: locking topic as issue appears to be resolved!
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm
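A small triage helper for HijackThis v2 logs like the ones posted in this thread, added here as an example (it is not part of the thread and not HijackThis code): it parses the "Running processes" block and the O4/O23 entries and flags the kinds of lines the moderator singled out (O4 RunOnce entries, an O23 service whose binary is missing) plus any process started from a user's Desktop or Temp folder. The rule names, the process-location heuristic and the sample log excerpt are this example's own constructions.

```python
# Triage helper for HijackThis v2 log text (added example, not HijackThis code).
import re
from dataclasses import dataclass

# Constructed excerpt, modelled on the lines posted in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe
C:\\Documents and Settings\\Michael Ludes\\Desktop\\iexplore.exe

O4 - HKLM\\..\\Run: [avast] "C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe" /nogui
O4 - HKLM\\..\\RunOnce: [B Register C:\\Program Files\\DivX\\DivX Plus Player\\DPXPlugins\\DPXDownloadManagerPlugin.dll] RunDLL32.exe C:\\PROGRAM FILES\\DivX\\DIVX PLUS PLAYER\\DPXPLUGINS\\DPXDOWNLOADMANAGERPLUGIN.DLL ,DllRegisterServer
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name (the names are this example's own)
    line: str   # the log line that triggered it, verbatim

# HijackThis entry lines look like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")

# Heuristic (this example's own): installed software normally lives under Program Files
# or the Windows directory, so a process running from Desktop or Temp deserves a look.
USER_PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Desktop|Local Settings\\Temp)\\", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into its running-process list and (kind, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:          # a blank line ends the process block
                in_processes = False
            else:
                processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("kind"), match.group("body")))
    return processes, entries


def triage(text):
    """Return the findings a reviewer would want to see first, in log order."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if USER_PROFILE_RE.search(proc):
            findings.append(Finding("process-from-user-profile", proc))
    for kind, body in entries:
        entry = f"{kind} - {body}"
        # O23 service whose binary no longer exists: a stale entry to review and remove.
        if kind == "O23" and body.endswith("(file missing)"):
            findings.append(Finding("service-binary-missing", entry))
        # O4 RunOnce entries execute once at the next logon; review them before they fire.
        elif kind == "O4" and "\\RunOnce:" in body:
            findings.append(Finding("runonce-entry", entry))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the Desktop-launched iexplore.exe, the DivX RunOnce entry and the aswUpdSv service with the missing binary, leaving the avast! lines that point at existing files alone.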

