Security Tool Virus - Reinstalls every startup

Postby scott314 » Tue Jul 27, 2010 11:02 pm

I got the Security Tool virus, and followed both methods for uninstall and they work while I am in the current session, but once I restart my computer the Security Tool popups return. Any suggestions?

The only way to continue running is if I hit Alt-Ctrl-Del as soon as Windows starts so I can stop the .exe process for the virus. Otherwise the virus blocks all programs from starting (.exe). I also run the fix.inf right away and that seems to stop the malware from continuing to run... until I reboot.
scott314
 
Posts: 6
Joined: Tue Jul 27, 2010 11:00 pm

Re: Security Tool Virus - Reinstalls every startup

Postby scott314 » Tue Jul 27, 2010 11:43 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:30 PM, on 27/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/cust ... ch/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/cust ... .yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [375394295] "C:\DOCUME~1\Scott\LOCALS~1\APPLIC~1\375394295.exe" 0 30
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://vpn.nasc.biz/,DanaInfo=.acbpgq5 ... otes6W.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4714771203
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://vpn.nasc.biz/dana-cached/setup/JuniperSetup.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://vpn.nasc.biz/dana-cached/sc/Jun ... Client.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Re: Security Tool Virus - Reinstalls every startup

Postby patrik » Wed Jul 28, 2010 5:10 pm

Hello, welcome to the Myantispyware forum.

Run HijackThis. Click "Do a system scan only" button.
Now select the following entries by placing a tick in the left hand check box, if still present:
Code:
O4 - HKCU\..\RunOnce: [375394295] "C:\DOCUME~1\Scott\LOCALS~1\APPLIC~1\375394295.exe" 0 30

Once you have selected all entries, close all running programs then click once on the "fix checked" button.
Reboot your computer.

If you have previously downloaded ComboFix, please delete that version now.
Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.
When the tool is finished, it will produce a log for you. If the log does not automatically open, then it can be found at %systemdrive%\combofix.txt (typically C:\combofix.txt).

If ComboFix will not run, please rename it to myapp.exe and try again!

Post back with combofix log.
patrik
Site Admin
 
Posts: 8628
Joined: Sun Jan 08, 2006 1:11 pm

Re: Security Tool Virus - Reinstalls every startup

Postby scott314 » Thu Jul 29, 2010 12:26 am

Everything seems to be working properly now. No malware popped up during the reboot during Combofix.

ComboFix 10-07-27.05 - Scott 28/07/2010 19:59:23.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.461 [GMT -4:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\shs_setup_4056-345359.exe
c:\documents and settings\Scott\Local Settings\Application Data\{A825B71A-01F4-4866-AB5C-C669F93B306A}
c:\documents and settings\Scott\Local Settings\Application Data\{A825B71A-01F4-4866-AB5C-C669F93B306A}\chrome.manifest
c:\documents and settings\Scott\Local Settings\Application Data\{A825B71A-01F4-4866-AB5C-C669F93B306A}\chrome\content\_cfg.js
c:\documents and settings\Scott\Local Settings\Application Data\{A825B71A-01F4-4866-AB5C-C669F93B306A}\chrome\content\overlay.xul
c:\documents and settings\Scott\Local Settings\Application Data\{A825B71A-01F4-4866-AB5C-C669F93B306A}\install.rdf
c:\documents and settings\Scott\Local Settings\Application Data\375394295.exe
c:\windows\dccffe.ini
c:\windows\ihgghk.ini
c:\windows\mnnnoq.ini
c:\windows\system32\drivers\fmon.sys
c:\windows\system32\drivers\kcrk.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\vyyyxx.ini
c:\windows\wybbcf.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_txojqqo
-------\Legacy_ueoykigi
-------\Service_txojqqo
-------\Service_ueoykigi


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-27 23:41 . 2010-07-27 23:41 -------- d-----w- c:\program files\Trend Micro
2010-07-25 19:18 . 2010-07-25 19:18 -------- d-----w- c:\program files\Jnes 0.6
2010-07-25 19:12 . 2010-07-25 19:12 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\DOSBox
2010-07-24 14:41 . 2010-07-24 14:41 120 ----a-w- c:\windows\Xkuvusumoc.dat
2010-07-24 14:41 . 2010-07-24 14:41 0 ----a-w- c:\windows\Cmowuvogepuwid.bin
2010-07-14 23:56 . 2010-07-14 23:56 -------- d-----w- c:\program files\Reference Assemblies
2010-07-13 23:10 . 2010-07-13 23:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-12 23:24 . 2010-07-18 22:03 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\rtboxdlqd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 00:12 . 2005-12-30 18:50 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-25 19:09 . 2010-07-25 19:09 -------- d-----w- c:\documents and settings\Scott\Application Data\AppClient
2010-07-24 15:05 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-24 14:52 . 2010-05-01 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 23:31 . 2006-01-09 19:59 -------- d-----w- c:\program files\EA SPORTS
2010-06-20 17:16 . 2008-08-30 19:02 -------- d-----w- c:\program files\Full Tilt Poker
2010-06-14 14:31 . 2005-12-30 17:47 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-08 23:22 . 2010-05-08 23:22 162656 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-05-08 23:22 . 2010-05-08 23:22 292704 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-05-08 23:22 . 2007-01-21 22:52 37464 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\setup\uninstall.exe
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-11 172032]

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^wwwbyh32.exe]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\wwwbyh32.exe
backup=c:\windows\pss\wwwbyh32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dsowuq]
2008-04-14 12:00 192000 ----a-w- c:\windows\owiqikod.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-10-22 23:53 30003200 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
2006-04-28 19:43 190024 ----a-w- c:\program files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-11 00:42 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rogers SHS]
2009-05-26 03:05 2741560 ----a-w- c:\program files\Rogers\SelfHealing\shs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=

R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [25/05/2009 11:05 PM 144696]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [07/04/2008 8:57 AM 163840]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [25/07/2008 8:09 PM 845184]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [02/08/2004 8:36 PM 173392]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\SPIXNEW.SYS [07/03/2002 6:21 PM 95528]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/cust ... ch/ie.html
uSearchURL,(Default) = hxxp://ca.red.clientapps.yahoo.com/cust ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.nasc.biz/dana-cached/sc/Jun ... Client.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-asrkn_pfu - c:\docume~1\Scott\LOCALS~1\Temp\asrkn_pfu.exe
MSConfigStartUp-Defense Center - c:\program files\Defense Center\defcnt.exe
MSConfigStartUp-Digital Protection - c:\program files\Digital Protection\digprot.exe
MSConfigStartUp-Jzaritit - c:\windows\pltusrac.dll
MSConfigStartUp-kviofndd - c:\documents and settings\Scott\Local Settings\Application Data\rtboxdlqd\sktujhutssd.exe
MSConfigStartUp-vb - c:\program files\vb\vb.exe
AddRemove-{026AFFA3-5865-4FC5-00B2-56B4A738109C} - c:\program files\EA SPORTS\Madden NFL 2003\EAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 20:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2010-07-28 20:17:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 00:17

Pre-Run: 22,689,411,072 bytes free
Post-Run: 23,139,852,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
signature(8902060e)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 29262C63B50577DA7C01554F6E5E45DF

Re: Security Tool Virus - Reinstalls every startup

Postby patrik » Thu Jul 29, 2010 9:31 am

Open notepad, copy/paste the text in the code box below into notepad:
Code:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dsowuq]

File::
c:\windows\Xkuvusumoc.dat
c:\windows\Cmowuvogepuwid.bin
c:\windows\owiqikod.dll

Name the Notepad file CFScript and Save it to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
Image
When finished, it will produce a report for you.

Post back with a combofix log.

Re: Security Tool Virus - Reinstalls every startup

Postby scott314 » Thu Jul 29, 2010 11:11 pm

ComboFix 10-07-29.01 - Scott 29/07/2010 18:54:42.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.544 [GMT -4:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\Cmowuvogepuwid.bin"
"c:\windows\owiqikod.dll"
"c:\windows\Xkuvusumoc.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\shs_setup_4059-354328.exe
c:\windows\Cmowuvogepuwid.bin
c:\windows\owiqikod.dll
c:\windows\Xkuvusumoc.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-27 23:41 . 2010-07-27 23:41 -------- d-----w- c:\program files\Trend Micro
2010-07-25 19:18 . 2010-07-25 19:18 -------- d-----w- c:\program files\Jnes 0.6
2010-07-25 19:12 . 2010-07-25 19:12 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\DOSBox
2010-07-14 23:56 . 2010-07-14 23:56 -------- d-----w- c:\program files\Reference Assemblies
2010-07-13 23:10 . 2010-07-13 23:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-12 23:24 . 2010-07-18 22:03 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\rtboxdlqd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 22:52 . 2005-12-30 18:50 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-29 22:48 . 2007-07-11 23:53 -------- d-----w- c:\program files\Rogers
2010-07-25 19:09 . 2010-07-25 19:09 -------- d-----w- c:\documents and settings\Scott\Application Data\AppClient
2010-07-24 15:05 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-24 14:52 . 2010-05-01 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 23:31 . 2006-01-09 19:59 -------- d-----w- c:\program files\EA SPORTS
2010-06-20 17:16 . 2008-08-30 19:02 -------- d-----w- c:\program files\Full Tilt Poker
2010-06-14 14:31 . 2005-12-30 17:47 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-08 23:22 . 2010-05-08 23:22 162656 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-05-08 23:22 . 2010-05-08 23:22 292704 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-05-08 23:22 . 2007-01-21 22:52 37464 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\setup\uninstall.exe
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-11 172032]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2010-06-03 2736128]

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^wwwbyh32.exe]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\wwwbyh32.exe
backup=c:\windows\pss\wwwbyh32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-10-22 23:53 30003200 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
2006-04-28 19:43 190024 ----a-w- c:\program files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-11 00:42 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rogers SHS]
2010-06-03 19:46 2736128 ----a-w- c:\program files\Rogers\SelfHealing\shs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=

R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [03/06/2010 3:46 PM 139264]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [03/06/2010 3:46 PM 163840]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [25/07/2008 8:09 PM 845184]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [02/08/2004 8:36 PM 173392]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\SPIXNEW.SYS [07/03/2002 6:21 PM 95528]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ROGERSSELFHELPSERVICE
*NewlyCreated* - ROGERSUPDATEMANAGER
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/cust ... ch/ie.html
uSearchURL,(Default) = hxxp://ca.red.clientapps.yahoo.com/cust ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.nasc.biz/dana-cached/sc/Jun ... Client.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-29 19:09:10
ComboFix-quarantined-files.txt 2010-07-29 23:09
ComboFix2.txt 2010-07-29 00:17

Pre-Run: 23,133,745,152 bytes free
Post-Run: 23,124,426,752 bytes free

- - End Of File - - F0EAEC75BD18041264E1B2B6537FA258

Re: Security Tool Virus - Reinstalls every startup

Postby patrik » Fri Jul 30, 2010 2:54 pm

Open notepad, copy/paste the text in the code box below into notepad:
Code:
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^wwwbyh32.exe]

File::
c:\documents and settings\Scott\Start Menu\Programs\Startup\wwwbyh32.exe

Folder::
c:\documents and settings\Scott\Local Settings\Application Data\rtboxdlqd

Name the Notepad file CFScript and Save it to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
Image
When finished, it will produce a report for you.

Post back with a combofix log.

Re: Security Tool Virus - Reinstalls every startup

Postby scott314 » Sat Jul 31, 2010 12:57 pm

ComboFix 10-07-30.04 - Scott 31/07/2010 8:40.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.535 [GMT -4:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

FILE ::
"c:\documents and settings\Scott\Start Menu\Programs\Startup\wwwbyh32.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Scott\Local Settings\Application Data\rtboxdlqd

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-27 23:41 . 2010-07-27 23:41 -------- d-----w- c:\program files\Trend Micro
2010-07-25 19:18 . 2010-07-25 19:18 -------- d-----w- c:\program files\Jnes 0.6
2010-07-25 19:12 . 2010-07-25 19:12 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\DOSBox
2010-07-14 23:56 . 2010-07-14 23:56 -------- d-----w- c:\program files\Reference Assemblies
2010-07-13 23:10 . 2010-07-13 23:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 12:35 . 2005-12-30 18:50 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-29 22:48 . 2007-07-11 23:53 -------- d-----w- c:\program files\Rogers
2010-07-25 19:09 . 2010-07-25 19:09 -------- d-----w- c:\documents and settings\Scott\Application Data\AppClient
2010-07-24 15:05 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-24 14:52 . 2010-05-01 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 23:31 . 2006-01-09 19:59 -------- d-----w- c:\program files\EA SPORTS
2010-06-20 17:16 . 2008-08-30 19:02 -------- d-----w- c:\program files\Full Tilt Poker
2010-06-14 14:31 . 2005-12-30 17:47 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-08 23:22 . 2010-05-08 23:22 162656 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-05-08 23:22 . 2010-05-08 23:22 292704 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-05-08 23:22 . 2007-01-21 22:52 37464 ----a-w- c:\documents and settings\Scott\Application Data\Juniper Networks\setup\uninstall.exe
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-11 172032]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2010-06-03 2736128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-10-22 23:53 30003200 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
2006-04-28 19:43 190024 ----a-w- c:\program files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-11 00:42 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rogers SHS]
2010-06-03 19:46 2736128 ----a-w- c:\program files\Rogers\SelfHealing\shs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [25/07/2008 8:09 PM 845184]
S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\SPIXNEW.SYS [07/03/2002 6:21 PM 95528]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/cust ... ch/ie.html
uSearchURL,(Default) = hxxp://ca.red.clientapps.yahoo.com/cust ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.nasc.biz/dana-cached/sc/Jun ... Client.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 08:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-31 08:55:08
ComboFix-quarantined-files.txt 2010-07-31 12:55
ComboFix2.txt 2010-07-29 23:09
ComboFix3.txt 2010-07-29 00:17

Pre-Run: 23,094,079,488 bytes free
Post-Run: 23,086,350,336 bytes free

- - End Of File - - 1CD03627B0657335B66F8BE4A094A548
scott314
 
Posts: 6
Joined: Tue Jul 27, 2010 11:00 pm

Re: Security Tool Virus - Reinstalls every startup

Postby patrik » Mon Aug 02, 2010 5:37 pm

Combofix log looks good. How is your PC now?
patrik
Site Admin
 
Posts: 8628
Joined: Sun Jan 08, 2006 1:11 pm

Re: Security Tool Virus - Reinstalls every startup

Postby scott314 » Tue Aug 03, 2010 12:18 am

Haven't seen any new popups since. I think all is well now.
Thanks so much for your help.
scott314
 
Posts: 6
Joined: Tue Jul 27, 2010 11:00 pm

Re: Security Tool Virus - Reinstalls every startup

Postby patrik » Wed Aug 04, 2010 6:58 am

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Remove tools, files or folders created during this cleanup operation.
Uninstall Combofix.
Click Start > Run - type ComboFix /uninstall
Press Ok.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore.

2. Update your programs.
Visit Microsoft Update (update.microsoft.com). Make sure that you have all the Critical Updates recommended for your operating system and IE. Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product loopholes and fix any bugs found.
Update all antivirus/antispyware programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

3. Make a new restore point.
Click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click on “create new restore point” > click on NEXT and follow the prompts.

4. Many of the exploits are directed to users of Internet Explorer.
Use only an alternate browser - Firefox or Opera.

5. Be careful when opening attachments and downloading files.

Safe surfing!
patrik
Site Admin
 
Posts: 8628
Joined: Sun Jan 08, 2006 1:11 pm

