Mrlewp infection thread

mrlewp

New Member
Namely ... tukdtjsar.exe, and zly0i.exe. (from memory, believe correct.) They both keep appearing, either in Windows\temp, or system32 folders, and both! Also in "prefetch" folder. I tried 2 free removal tools - neither would run! Windows Defender stopped them, and no way to fix that, that I can tell.

I'm manually cleaning the registry. In a SuperAntiSpyware folder, there are two sub-folders. One is "InUsefiles", the other "InUseRegistry". I find both the problem ".exe" files listed in one or both, plus others related, which were found by SuperA'Spyware.
By "INUSE", does that mean that S.A.Spyw. is keeping a log of them? Or, just the opposite, for ex., they are to be ignored! by the spyware program??
Thanks
 

If you are having an infection problem then please download and run the following programs and post their logs in the security section of this forum and I'll gladly help you clean up your system.

http://www.computerforum.com/computer-security/

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically, which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.

If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com, but DO NOT reboot the system, and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
 
Reply to Spyware Post...... ( I think!?)

(( this is the first time I've ever returned to a forum post, and found a slew of topics?? Only ONE REPLY button , bottom of page? So, who knows what I'm replying to?...))

Mr. "JOHNB35" ------- This is real damn scary now. I tried several times, at several sites, to download Malwarebytes, and all three of the RKILL files. Each and every time I go to my Download folder, they ALL show as "0" kbs !! in size.!? Many times trying to reach a site using the links, I got the blank browser and 'Problem retrieving this webpage...." or whatever !
..... another curious thing. I don't remember this in the past, but each time I thought! I was downloading a file, the "file type" at bottom would reset to "BINARY" as file type?? WHaaa...? The other option was "ALL files" which is what I selected, finding all attempts resulted in "0" sized files. It didn't matter, anyway.
...... I'm not getting any pop-up from Win Defender, or anything else when trying to get the files. No idea what's going on here.
Thanks for previous, look forward to ideas for proceeding.
 
Do you have a USB flash drive available? I would recommend downloading those files from a different computer, saving them to the flash drive, and then installing them on the infected computer and running them.
 
............. sorry guys! topic turn-about

After reading STRANGLEHOLDS comment, it is entirely possible that I was first to stray from the topic. I thought I was posting a new thread in the main Windows 7 forum. Perhaps not? Couldn't a moderator smack me upside da head, and move the thread? ha. Or has it gone too far?
I'll be more careful next time.
 

I'm moving your issue and posts to the security section of the forum; it will be labeled "mrlewp infection thread". After moving the thread to your own topic I will post further instructions.

Our forum involves all windows operating systems, as we don't have a separate subforum for each one.
 
Again, I need to know if you have a usb flash drive available to use? Your next step would be to download and run the following program. Download it from a different computer and save it to the flash drive. On your infected computer, boot up in safe mode and then copy the combofix file from the flash drive and put it on your desktop. Then run it.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • An update on how your computer is running
 
MalwareBytes and HijackThis logs;

Had to use the other PC to get the install files. Here are the 2 logs requested.
Heard of MalwareBytes, not sure why I never tried it. I can see some "undesirables" in the logs. That "MyWebsearch" (? or variation) ... I've been trying to keep that cleaned out for quite a while. (since ".log" wasn't in the OK file list, I added ".txt" to the name.)
Thanks to all, for your time here.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6351

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

4/13/2011 12:19:39 PM
MalwareBytes Log-4.13.2011.txt

Scan type: Quick scan
Objects scanned: 173397
Time elapsed: 13 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 19
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
c:\Windows\Temp\cfooyvp.exe (Trojan.Downloader) -> 4836 -> No action taken.

Memory Modules Infected:
c:\Windows\System32\nwcwks.dll (Trojan.Inject) -> No action taken.
c:\Windows\System32\nwsapagents.dll (Trojan.FakeMS) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1 (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\MSWinsock.Winsock (Worm.Nyxem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PLUG MANAGER (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\r3nd (Trojan.Downloader) -> Value: r3nd -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cftmon (Trojan.Agent) -> Value: cftmon -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Manager (Trojan.Agent) -> Value: Manager -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\apps (Trojan.Agent) -> Value: apps -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Value: 1 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mjte (Trojan.Downloader) -> Value: mjte -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Plug Manager\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\nwcwks.dll (Trojan.Inject) -> No action taken.
c:\Windows\System32\nwsapagents.dll (Trojan.FakeMS) -> No action taken.
c:\Windows\Temp\cfooyvp.exe (Trojan.Downloader) -> No action taken.
c:\Windows\System32\cftmon.exe (Trojan.Agent) -> No action taken.
c:\Windows\Temp\ubxitfkx.exe (Trojan.Agent) -> No action taken.
c:\Windows\Fonts\services.exe (Trojan.Agent) -> No action taken.
c:\Windows\System32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
c:\Windows\System32\write.exe (Trojan.FakeMS) -> No action taken.
c:\Windows\Temp\m0tnw4srj.exe (Malware.Packer.Gen) -> No action taken.
c:\Windows\Temp\VRT138.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRT195.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRT2847.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRT559E.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRT5772.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRT80B.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRTAD8.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRTCCC.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRTE0DC.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRTEEE0.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\VRTFBFA.tmp (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\yji5xb5y.exe (Trojan.Agent) -> No action taken.
c:\Windows\write.exe (Trojan.FakeMS) -> No action taken.
c:\Windows\System32\service.sys (Rootkit.Agent) -> No action taken.
c:\Windows\System32\tukdtjsr.exe (Trojan.Downloader) -> No action taken.
c:\Windows\Temp\Plug.bat (Trojan.Agent) -> No action taken.


Logfile of HijackThis v1.99.1
Scan saved at 11:15:03 AM, on 4/13/2011
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Seagate\FreeAgent_Theater\AgrregationStatus\stxmediamenumgr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe
C:\Program Files\YoWindow\yowindow.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\explorer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wuauclt.exe
I:\AD-SpyWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: Bandoo IE Plugin - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [FreeAgentTheaterTrayIcon] "C:\Program Files\Seagate\FreeAgent_Theater\AgrregationStatus\StxMediaMenuMgr.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [cftmon] "C:\Windows\system32\cftmon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SmAudio] C:\Program Files\Conexant\SmartAudio\SmAudio.exe -c
O4 - Startup: YoWindow.lnk = C:\Program Files\YoWindow\yowindow.exe
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O15 - Trusted Zone: http://axcrypt.brothersoft.com
O15 - Trusted Zone: http://download.cnet.com
O15 - Trusted Zone: http://techrepublic.com.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: http://*.sourceforge.net
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.3.cab
O16 - DPF: {72376E32-8AF2-473F-BE32-E5D0F39C865D} (CUpdateAdvisorCtrl Object) - http://www.cyberlink.com/prog/win7/js/UpdateAdvisor.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30011 (AppHostSvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bandoo Coordinator - Bandoo Media Inc. - C:\PROGRA~1\Bandoo\Bandoo.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid, Inc. All rights reserved. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Avid, Inc. All rights reserved. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Seagate FreeAgent Theater (FreeAgentTheater Service) - Seagate Technology LLC - C:\Program Files\Seagate\FreeAgent_Theater\Sync\MediaAggreService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MouseDriver - Unknown owner - C:\Users\MYAUDI~1\AppData\Local\Temp\MouseDriver.bat
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PACE License Services (PaceLicenseDServices) - PACE Anti-Piracy, Inc. - C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe
O23 - Service: Plug Manager - Unknown owner - C:\Windows\temp\Plug.bat
O23 - Service: Quality Windows Audio Video Experience (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
 

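As an added example (not code from the thread or from any of the tools named in it): a small Python triage script that runs, over lines taken from the HijackThis and Malwarebytes logs above, the checks a helper makes by eye: a Hosts entry pointing a name at a non-loopback address, a service whose binary is a .bat under a Temp folder (Plug Manager), an autorun whose name is a near-miss of a real Windows process (cftmon.exe vs ctfmon.exe), a system binary name sitting in the wrong directory (Fonts\services.exe), and Malwarebytes items still marked "No action taken". The list of legitimate process names and the similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Windows process names that malware commonly imitates (assumed list, not from the thread).
KNOWN_SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "services.exe", "explorer.exe", "lsass.exe"}
# Directories where those names legitimately live (lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
LOOPBACK = {"127.0.0.1", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
MBAM_RE = re.compile(r"^([A-Za-z]:\\.+?) \((.+?)\) -> (.+)$")


def first_path(command: str) -> str:
    """Extract the program path from a command line: strip quotes, drop arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|dll|sys))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def split_path(path: str) -> Tuple[str, str]:
    """Lower-case (directory, basename), expanding %windir% so system paths compare equal."""
    p = path.lower().replace("%windir%", r"c:\windows").rstrip("\\")
    head, _, base = p.rpartition("\\")
    return head, base


def lookalike(name: str) -> str:
    """Return the legitimate name that `name` imitates, or '' if it is exact or unrelated."""
    for known in sorted(KNOWN_SYSTEM_NAMES):
        if name != known and SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return ""


def check_path(label: str, path: str, findings: List[Finding]) -> None:
    """Apply the location and naming heuristics to one program path."""
    head, base = split_path(path)
    if "temp" in head.split("\\"):
        findings.append(("temp-location", f"{label}: {path}"))
    if base.endswith((".bat", ".cmd")):
        findings.append(("script-as-binary", f"{label}: {path}"))
    imitated = lookalike(base)
    if imitated:
        findings.append(("lookalike-name", f"{label}: {base} resembles {imitated}"))
    elif base in KNOWN_SYSTEM_NAMES and head not in SYSTEM_DIRS:
        findings.append(("system-name-misplaced", f"{label}: {path}"))


def triage(lines) -> List[Finding]:
    """Scan HijackThis and Malwarebytes log lines and return (category, detail) findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()          # HijackThis prints "O1 - Hosts: <ip> <hostname>"
            if ip not in LOOPBACK:
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
        elif m := SERVICE_RE.match(line):
            name, _owner, cmd = m.groups()
            check_path(f"service {name}", first_path(cmd), findings)
        elif m := RUN_RE.match(line):
            hive, entry, cmd = m.groups()
            check_path(f"{hive} Run [{entry}]", first_path(cmd), findings)
        elif m := MBAM_RE.match(line):
            path, family, action = m.groups()
            if "No action taken" in action:  # scan was run without "Remove Selected"
                findings.append(("not-removed", f"{path} ({family})"))
            check_path(f"mbam {family}", path, findings)
    return findings


# Constructed sample: a handful of lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [cftmon] "C:\Windows\system32\cftmon.exe"
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Plug Manager - Unknown owner - C:\Windows\temp\Plug.bat
O23 - Service: Secondary Logon (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
c:\Windows\Fonts\services.exe (Trojan.Agent) -> No action taken.
c:\Windows\Temp\cfooyvp.exe (Trojan.Downloader) -> 4836 -> No action taken.
""".strip().splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```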
(new threads at the top ? new for me, but I think it's an option?)

Anywhoozit.......... Those "RKILL" .exe's were only if I had trouble installing Malwarebytes, I believe is correct?
So I'm to do the ComboFix scan now. I just tried, and still can't download anything on this laptop. Back to the XP machine.
Anyone have a look at the logs? Bunch of nasty stuff there !
I'll get back later after the Safe Mode / ComboFix journey.
Thanks, again.
 
Do not attach any logs to your posts unless I ask you to. Just copy and paste your logs inside your reply.

Did you click on Remove Selected in Malwarebytes so that it deleted those infections? If not, then you need to rerun the Malwarebytes scan, making sure you click on Remove Selected after it shows you the infections it found, and post both logs again. Please uninstall the version of HijackThis you have, as it's an older version, and download the one from my link.

http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi

You are still very badly infected. Please go ahead and run combofix for me.
 
I thought the scan log needed viewing before any cleaning. Think that's a yes, but I also thought I was to wait for best suggested next move. Am I to be secure in letting M'wBytes wipe everything listed? Sounds that way.
Any scan I've ever done, whether for infections or registry cleaning - I back out of the majority, sometimes selecting a scant few. Reason is, mainly for registry scans - I can go into Explorer and find many of the scan results items right there, in whatever folder - despite the registry scan saying it's "missing". Happens every time. Fully working program folder files, system files, you name it. I check and they're there! Makes me very wary about ever doing the 100% cleaning suggested by whatever particular app doing the scan. If you've looked it over, JB35, and find it safe to "clean selected" all in this case, I'll go ahead with it.
.......about the attachments. Never done it. I was thinking after I uploaded the logs they would appear in the post. Even tho' I know better, having done the same thing within email messages.
........ I've been out, and I'm burnt out on PC snags for tonite at least. I'll follow up and do what's been recommended, in the morning. Thanks.
 
It's not recommended to use registry cleaners, as most of the time they cause more issues than they actually fix. Whatever Malwarebytes finds, please go ahead and have it remove everything. You are severely infected. Rerun Malwarebytes and post the log, then run ComboFix and post its log, then post a fresh HijackThis log after downloading the latest version.
 
...contd.; laptop infection

johnB35; This morning I ran MalwBytes and chose for all files to be dealt with - removed/quarantined? Later I ran it again, don't ask why. It found 5 more files. (possible leftover, or not having run ComboFix yet?)
.... TWO of these files I checked first. In the winsyx (?)... it's where the very long folders rest, beginning with x86_microsoft _________ etc. The properties of these files stated as Msoft files, with all data fields filled as is usually seen. I unchecked those two, and allowed MWBytes to clean the 2 .tmps, and a pest that has been in the "processes" window for days now.
"cfooyvp.exe" <<< Perhaps ComboFix would deal with that one?
.......Problem is; I can't get this HP W7 laptop to boot into Safe Mode. Three times it proceeded to, displaying a long list of files.... but then would always go on to start Windows. I KNOW about msconfig; and the Safe Boot option there. But, before I tried that a few weeks ago, I researched it. I found far too many horror stories of people's PCs never running right again. Some having to do complete re-installs of the OS. Loss of data, files etc. If it was only 1 of 10, it was enough to cause me to keep trying a different option until nothing else worked. (it was this XP pc actually, and turned out the CMOS battery was dead! I did a full recovery anyway, but wasn't prepared to when I considered the msconfig / safe boot option)
....... So, what now? Only way I'm getting into Safe Mode to run ComboFix is the msconfig / safe boot option? Googling this problem, only success I found, ..... was that very method.
Thoughts.
 
I have asked you to allow Malwarebytes to remove anything it finds. If it deletes something it shouldn't, then we can restore it back to where it was.

If you want me to help you, then I need you to follow my directions and post the requested logs I am asking for.

1. I need to see all the malwarebytes logs you have ran. Please run a new malwarebytes scan and let it remove whatever it finds. Then I need you to click on the logs tab in malwarebytes and then open each log and then copy and paste the logs into your reply.

2. Please download and run combofix and run it. Post the combofix log that pops up on the screen after it runs by copying and pasting the log into your reply.

3. After running malwarebytes and combofix, please post a fresh hijackthis log, again by copying and pasting.
 
(I've posted since the last shown?)
Been away for 4 days, but on this thing daily. I've done repeated MalwareBytes scans and come up clean. Same using SuperAntiSpyware (?... on the infected laptop). I've repeatedly scanned individual suspect folders, and some files alone.....since finding the right-click option for MwBytes. (context menu?) That's interesting, because I can't find that - and can't perform that function if MwBytes is already open. Clean!! All around.
Registry - clean.... repeatedly.
........ BUT, the instant I log on, Avast AntiVirus goes into non-stop pop-up warnings, that it's "blocked" all sorts of pests. Then why does the infection return with a vengeance?? BTW, one that it claims to have blocked .. is the infamous "scvhost".

RECURRING problems; ** can't install new programs >>> "WINDOWS SECURITY" warnings. Learned about that recently.
*** Can't run ComboFix! --Windows Security again!
*** CAN'T get real-time scanning to work with Avast, for > mail, and > web. The "START" button is high-lighted as active for both, but they do nothing!
*** NEW!! All links to drives produce this alert "No such interface...." I've also read some on that, but not had time to take actions. The only way I can view drives is within a "Save As" for instance, or other sub-functions.
****** CAN'T get to Safe Mode by using F8!! to run ComboFix, for ex.
AGAIN I ask, do you feel I should use the msconfig "Safe Mode" boot option despite all the negatives I've read about after-results from doing that?

......... I think I've covered it all. Need to get outta here for appointment. What now?
 