nuley, posted December 20, 2009:
My Google search is being odd. It searches no probs and brings up credible websites, then when I click the link I get redirected to sponsored sites or web domain hosts. I've run SpyBot SD and have upgraded PC Guard/spyware but it's not changing. Every so often I get a (I think) bogus message allegedly from Windows saying I need to quarantine critical trojans and install firewalls. (I have firewalls.) Any ideas how I could get back to basics, please? Thanks a million! Nuley
chiaz, posted December 21, 2009:
Hi nuley, a few things before we start:
1. Please read all instructions carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear". (Just because you can't see a problem doesn't mean it isn't there.)

Please download Malwarebytes' Anti-Malware by clicking the link below:
Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com
Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See extra note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next let's have you download ComboFix.exe.
Please visit this webpage for downloading and instructions for running the tool: A guide and tutorial on using ComboFix
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should get a prompt that says: "The Recovery Console was successfully installed."
Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the MBAM log along with C:\ComboFix.txt for further review, so that we may continue cleansing the system.
Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
rodi, posted December 22, 2009:
Also check DNS settings. Make sure that "Use the following DNS server addresses" is selected.
nuley (author), posted December 29, 2009:
Dear Chiaz, thank you very much for your help so far. I have run MBAM, which found 28 things and has dealt with them. Windows then failed to restart normally, so I chose 'last known good configuration' to get it running again. I am now looking at the ComboFix guide and wonder if you would be able to advise me how I can effectively turn off my firewalls/guards etc., as I am worried about missing one. I have:
SpyBot SD
Lavasoft AdAware SE
Virgin PC Guard (which does the spyware/virus scanning & firewall)
Tweaker (not sure what this is)
Uniblue (ditto)
CCleaner (ditto)
Norton (I think this is just a trial and not valid any more)
I suspect it might be quite simple but just want to be very cautious! Then I'll download ComboFix and carry on! Thanks very much again, Nuley
chiaz, posted December 30, 2009:
What you have to do is to turn off any programs that are currently running. Venturing a guess here, probably only Virgin PC Guard is running on start-up. If that is the case, simply shutting that down would do.
nuley Posted December 31, 2009 Author Posted December 31, 2009 Thanks again Chiaz, it worked just fine! I have run both programs successfully and this is what ComboFix says: ComboFix 09-12-30.02 - John 31/12/2009 12:31:46.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.515 [GMT 0:00] Running from: c:\documents and settings\John\Desktop\ComboFix.exe AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755} FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\MailSwitch.ocx c:\windows\patch.exe c:\windows\system32\1081827863.dat c:\windows\system32\lowsec c:\windows\system32\lowsec\local.ds c:\windows\system32\lowsec\user.ds c:\windows\system32\lowsec\user.ds.lll Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it :p . ((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 ))))))))))))))))))))))))))))))) . 2009-12-29 19:10 . 2009-12-29 19:10 54016 ----a-w- c:\windows\system32\drivers\qseuqxkm.sys 2009-12-29 18:54 . 2009-12-29 18:54 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes 2009-12-29 18:54 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-29 18:54 . 2009-12-29 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-12-29 18:54 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-29 18:54 . 2009-12-29 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-29 13:36 . 2009-12-29 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-12-27 13:18 . 
2009-12-27 13:19 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe 2009-12-20 15:54 . 2009-12-20 15:54 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy) 2009-12-20 15:54 . 2009-12-20 15:54 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy) . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-31 12:52 . 2009-07-20 09:03 438560 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2009-12-31 12:50 . 2009-07-20 09:04 27892512 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-12-31 12:48 . 2009-07-20 09:04 375584 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-12-31 12:48 . 2009-07-20 09:03 43184 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2009-12-29 14:32 . 2009-07-19 12:48 -------- d-----w- c:\program files\iTunes 2009-12-29 13:38 . 2009-07-19 12:48 -------- d-----w- c:\program files\iPod 2009-12-29 13:37 . 2009-07-19 12:46 -------- d-----w- c:\program files\Common Files\Apple 2009-12-29 13:32 . 2009-07-19 12:47 -------- d-----w- c:\program files\QuickTime 2009-11-24 20:55 . 2008-09-16 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-11-12 17:07 . 2009-11-12 17:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-10-29 07:45 . 2004-01-08 15:23 916480 ----a-w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30 . 2002-08-27 11:43 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2002-08-27 11:43 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 
2002-08-27 11:43 79872 ----a-w- c:\windows\system32\raschap.dll . ------- Sigcheck ------- [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys [-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys [-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys [-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys [-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys [-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys [-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys [-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . 
c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys [-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-16 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-07-04 188416] "VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 299008] "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-27 185896] "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digimax Viewer 2.1.lnk - c:\program files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-5-16 634880] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] 
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msuiyr32.exe,c:\windows\system32\sdra64.exe," [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk * [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [17/03/2003 17:03 49232] R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 15:58 693512] R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 17:28 4937752] R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [17/03/2003 17:03 139264] R3 CVIAAUD;NEC VIA 3D Environmental Audio;c:\windows\system32\drivers\cviaaud.sys [01/01/1980 320864] R3 CVIAHALA;CVIAHALA;c:\windows\system32\drivers\cviahal.sys [01/01/1980 214688] R3 DUBE100B;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100B.sys [28/04/2007 09:30 18560] R3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 12:10 170736] R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304] R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin 
Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720] R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376] S2 ImapiServiceCOMSysApp;IMAPI CD-Burning COM Service ImapiServiceCOMSysApp;c:\windows\system32\amr_cpli.exe srv --> c:\windows\system32\amr_cpli.exe srv [?] S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 15:58 910600] S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [01/01/1980 1432836] . Contents of the 'Scheduled Tasks' folder 2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.virginmedia.com uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com uInternet Settings,ProxyOverride = <local>;*.local IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html IE: {{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - c:\apps\IECustom\script.htm DPF: Microsoft XML Parser for Java - http://file://c:\windows\Java\classes\xmldso.cab . - - - - ORPHANS REMOVED - - - - AddRemove-Scooby-Doo, Phantom of the Knight - c:\program files\The Learning Company\Scooby-Doo AddRemove-Scooby-Doo, Showdown in Ghost Town - c:\program files\The Learning Company\Scooby-Doo ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover Rootkit scan 2009-12-31 12:50 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
c:\windows\system32\lowsec scan completed successfully hidden files: 1 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-4213343257-1473697035-1497813335-1005\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) @SACL= . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(896) c:\windows\system32\wininet.dll - - - - - - - > 'lsass.exe'(952) c:\windows\system32\wininet.dll - - - - - - - > 'explorer.exe'(2888) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Virgin Broadband\PCguard\Fws.exe c:\program files\Virgin Broadband\PCguard\rps.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe . ************************************************************************** . 
Completion time: 2009-12-31 13:04:11 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-31 13:03 Pre-Run: 18,705,473,536 bytes free Post-Run: 19,096,784,896 bytes free - - End Of File - - CB421C79D07C688C67E1CB694EAAF7D1 This is MBAM: Malwarebytes' Anti-Malware 1.42 Database version: 3450 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 29/12/2009 19:09:29 mbam-log-2009-12-29 (19-09-29).txt Scan type: Quick Scan Objects scanned: 114583 Time elapsed: 8 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 9 Registry Values Infected: 1 Registry Data Items Infected: 2 Folders Infected: 6 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully. 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe ocqu.wro aacxtp) Good: (Explorer.exe) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\MyWay (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files\MyWay\myBar (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files\MyWay\myBar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files\MyWay\myBar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files\MyWay\myBar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\Temp\2E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Program Files\MyWay\myBar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\Program Files\MyWay\myBar\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully. 
Also, I got a little balloon popping up on the bottom right-hand side of the task tray saying the computer's infected with a virus: Packed.Win32.Krap.ae C:\WINDOWS\Temp\F.tmp. I don't know if it's coincidental, but my internet seems to have speeded up since I ran MBAM. Finally, just for info, I had a horrible virus back in 200(4?) ish which hijacked our dial-up to a premium-rate porno site, and the person who got rid of that for me said it was totally quarantined/crippled/dormant but he'd not been able to delete it entirely. It's still the same computer. Thanks for all your kind help so far and happy new year! Nuley
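The MBAM log in the post above flags Hijack.Shell and Hijack.Userinit, and the ComboFix "Reg Loading Points" section shows the same Winlogon Userinit value carrying two extra executables. As an added illustration (not code from the thread or from either tool), the Python below reproduces that check: it splits a Winlogon Shell or Userinit value, compares each part against the Windows XP default, and scans a ComboFix-style log for those lines. The sample values are copied from the logs in this thread; the two-line log excerpt is constructed for the example.

```python
import re
from typing import Dict, List

# Windows XP defaults for the two Winlogon values the thread's malware tampered
# with. Only the file name is compared, case-insensitively, because Userinit
# is sometimes stored as a bare name and sometimes with its system32 path.
EXPECTED_FILE = {"userinit": "userinit.exe", "shell": "explorer.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating / and \\ separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def unexpected_entries(name: str, value: str) -> List[str]:
    """Return the parts of a Winlogon Userinit or Shell value beyond the default.

    Userinit is a comma-separated list of programs run at logon (a trailing
    comma is normal). Shell is a space-separated command line whose first token
    should be explorer.exe; anything after it is returned as one string so the
    appended command is visible exactly as it would be launched.
    """
    key = name.lower()
    if key not in EXPECTED_FILE:
        raise ValueError(f"unsupported Winlogon value: {name}")
    if key == "shell":
        tokens = value.split()
        if not tokens:
            return []
        head, rest = tokens[0], tokens[1:]
        extra = [" ".join(rest)] if rest else []
        if _basename(head) != EXPECTED_FILE[key]:
            extra.insert(0, head)
        return extra
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _basename(e) != EXPECTED_FILE[key]]


# Shape of the Winlogon lines as ComboFix prints them under "Reg Loading
# Points", e.g.  "Userinit"="c:\windows\system32\userinit.exe,..."
_COMBOFIX_VALUE = re.compile(r'"(Userinit|Shell)"="([^"]*)"', re.IGNORECASE)


def scan_combofix_log(log_text: str) -> Dict[str, List[str]]:
    """Find Userinit/Shell lines in a ComboFix log and report extra entries.

    Returns a mapping of value name -> unexpected entries. Values that match
    the defaults are omitted, so an empty dict means nothing was appended.
    """
    findings: Dict[str, List[str]] = {}
    for match in _COMBOFIX_VALUE.finditer(log_text):
        name, value = match.group(1), match.group(2)
        extra = unexpected_entries(name, value)
        if extra:
            findings.setdefault(name.capitalize(), []).extend(extra)
    return findings


# Constructed samples: the two values MBAM reported as "Bad:" in the log above,
# and a two-line excerpt in the shape of the ComboFix Reg Loading Points
# section from the same post.
MBAM_BAD_SHELL = "Explorer.exe rundll32.exe ocqu.wro aacxtp"
MBAM_BAD_USERINIT = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
COMBOFIX_EXCERPT = (
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon]\n"
    '"Userinit"="c:\\windows\\system32\\userinit.exe,'
    'c:\\windows\\system32\\msuiyr32.exe,c:\\windows\\system32\\sdra64.exe,"\n'
)

if __name__ == "__main__":
    for name, value in (("Shell", MBAM_BAD_SHELL), ("Userinit", MBAM_BAD_USERINIT)):
        print(name, "->", unexpected_entries(name, value) or "clean")
    print(scan_combofix_log(COMBOFIX_EXCERPT))
```

On a live XP machine the same two values are read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the check only reports what is appended and does not modify anything.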
chiaz, posted December 31, 2009:
Happy New Year Nuley. :)
Please copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text below into it:

FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys|c:\windows\system32\drivers\tcpip.sys

Folder::
c:\windows\system32\lowsec

File::
C:\WINDOWS\Temp\F.tmp
c:\windows\system32\drivers\qseuqxkm.sys
c:\windows\system32\msuiyr32.exe
c:\windows\system32\sdra64.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Userinit"=-

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please copy and paste the ComboFix.txt in your new reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.
nuley Posted January 1, 2010 Author Posted January 1, 2010 Hi Chiaz Thanks, that was beautifully simple and easy to carry out! This is the latest ComboFix log: ComboFix 09-12-31.08 - John 01/01/2010 13:25:42.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.475 [GMT 0:00] Running from: c:\documents and settings\John\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755} FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22} FILE :: "c:\windows\system32\drivers\qseuqxkm.sys" "c:\windows\system32\msuiyr32.exe" "c:\windows\system32\sdra64.exe" "c:\windows\Temp\F.tmp" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\qseuqxkm.sys c:\windows\system32\lowsec c:\windows\system32\lowsec\local.ds c:\windows\system32\lowsec\user.ds c:\windows\system32\msuiyr32.exe c:\windows\system32\sdra64.exe Infected copy of c:\windows\system32\kernel32.dll was found and disinfected Restored copy from - c:\windows\ERDNT\cache\kernel32.dll . --------------- FCopy --------------- c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys . ((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 ))))))))))))))))))))))))))))))) . 2009-12-29 18:54 . 2009-12-29 18:54 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes 2009-12-29 18:54 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-29 18:54 . 2009-12-29 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-12-29 18:54 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-29 18:54 . 2009-12-29 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-29 13:36 . 
2009-12-29 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-12-20 15:54 . 2009-12-20 15:54 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy) 2009-12-20 15:54 . 2009-12-20 15:54 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy) . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-01-01 13:42 . 2009-07-20 09:04 28198944 --sha-w- c:\windows\system32\drivers\fidbox.dat 2010-01-01 13:40 . 2009-07-20 09:03 450592 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2010-01-01 13:38 . 2009-07-20 09:03 44312 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2010-01-01 13:38 . 2009-07-20 09:04 379664 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-12-31 13:38 . 2009-07-19 12:49 -------- d-----w- c:\documents and settings\John\Application Data\Apple Computer 2009-12-29 14:32 . 2009-07-19 12:48 -------- d-----w- c:\program files\iTunes 2009-12-29 13:38 . 2009-07-19 12:48 -------- d-----w- c:\program files\iPod 2009-12-29 13:37 . 2009-07-19 12:46 -------- d-----w- c:\program files\Common Files\Apple 2009-12-29 13:32 . 2009-07-19 12:47 -------- d-----w- c:\program files\QuickTime 2009-11-24 20:55 . 2008-09-16 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-11-12 17:07 . 2009-11-12 17:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-10-29 07:45 . 2004-01-08 15:23 916480 ------w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30 . 2002-08-27 11:43 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 
2002-08-27 11:43 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2002-08-27 11:43 79872 ----a-w- c:\windows\system32\raschap.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-16 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-07-04 188416] "VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 299008] "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-27 185896] "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digimax Viewer 2.1.lnk - c:\program files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-5-16 634880] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk * [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [17/03/2003 17:03 49232]
R3 CVIAAUD;NEC VIA 3D Environmental Audio;c:\windows\system32\drivers\cviaaud.sys [01/01/1980 320864]
R3 CVIAHALA;CVIAHALA;c:\windows\system32\drivers\cviahal.sys [01/01/1980 214688]
R3 DUBE100B;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100B.sys [28/04/2007 09:30 18560]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [01/01/1980 1432836]
.
Contents of the 'Scheduled Tasks' folder

2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com
uInternet Settings,ProxyOverride = <local>;*.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - c:\apps\IECustom\script.htm
DPF: Microsoft XML Parser for Java - http://file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-01 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4213343257-1473697035-1497813335-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\program files\Virgin Broadband\PCguard\rps.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Virtual CD v4 SDK\system\vcssecs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
c:\program files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
c:\program files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
.
**************************************************************************
.
Completion time: 2010-01-01 13:52:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-01 13:52
ComboFix2.txt 2009-12-31 13:04

Pre-Run: 18,320,261,120 bytes free
Post-Run: 18,286,325,760 bytes free

- - End Of File - - 692A350C8A92F74792606E0F687EEA2F

Many thanks
nuley
chiaz Posted January 3, 2010

OK....let's have you go HERE to run Panda ActiveScan 2.0

Click the big green Scan now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text Export to:
Save it to a convenient location such as your Desktop
Post the contents of the ActiveScan.txt in your next reply.
nuley (Author) Posted January 3, 2010

Hi Chiaz, this is it:

;************************************************************************
 ANALYSIS: 2010-01-03 16:26:49
 PROTECTIONS: 1
 MALWARE: 15
 SUSPECTS: 9
;************************************************************************
 PROTECTIONS
 Description Version Active Updated
;========================================================================
 PCguard Anti-Virus 8.0.28 Yes Yes
;========================================================================
 MALWARE
 Id Description Type Active Severity Disinfectable Disinfected Location
;========================================================================
 00039703 Application/Pskill.A HackTools No 0 Yes No c:\windows\restore.ins[c:/oemcust/tools/win32/pskill.exe]
 00039703 Application/Pskill.A HackTools No 0 Yes No c:\windows\system\restore.ins[c:/oemcust/tools/win32/pskill.exe]
 00103551 adware/windowenhancer Adware No 0 Yes No c:\windows\system32\sbutils
 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@atdmt[2].txt
 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@atdmt[3].txt
 00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@247realmedia[1].txt
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@ad.yieldmanager[2].txt
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@ad.yieldmanager[3].txt
 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@apmebf[1].txt
 00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@burstnet[2].txt
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@serving-sys[2].txt
 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@bs.serving-sys[1].txt
 00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@adtech[1].txt
 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@adrevolver[2].txt
 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@adrevolver[3].txt
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000015.sys
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000054.sys
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000240.sys
 02919763 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\apps\homepage\homepgui.exe
 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-01-01_13.25.08.zip[sdra64.exe]
 05821561 Trj/Sinowal.DW Virus/Trojan No 1 Yes No c:\qoobox\quarantine\[4]-submit_2010-01-01_13.25.08.zip[msuiyr32.exe]
;========================================================================
 SUSPECTS
 Sent Location
;========================================================================
 No c:\documents and settings\john\desktop\combofix.exe[32788r22fwjfw\pev.exe]
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000027.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000108.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000129.exe[32788r22fwjfw\pev.exe]
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000177.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000207.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000354.exe
 No c:\windows\installer\3795e.msi[unk_0053]
 No c:\windows\pev.exe
;========================================================================
 VULNERABILITIES
 Id Severity Description
;========================================================================
;========================================================================

Thanks very much again
nuley
chiaz Posted January 4, 2010

Please navigate to and delete the following files:

c:\apps\homepage\homepgui.exe
c:\windows\installer\3795e.msi

As well as the following folder:

c:\windows\system32\sbutils

Once done, restart your PC. Then run a fresh scan with Panda ActiveScan again and post the generated log in your reply. (This is probably the last scanner we're going to run)
nuley (Author) Posted January 4, 2010

Hi Chiaz

It's found even more than last time! Here is the log:

;************************************************************************
 ANALYSIS: 2010-01-04 17:59:16
 PROTECTIONS: 1
 MALWARE: 14
 SUSPECTS: 9
;************************************************************************
 PROTECTIONS
 Description Version Active Updated
;========================================================================
 PCguard Anti-Virus 8.0.28 Yes Yes
;========================================================================
 MALWARE
 Id Description Type Active Severity Disinfectable Disinfected Location
;========================================================================
 00039703 Application/Pskill.A HackTools No 0 Yes No c:\windows\restore.ins[c:/oemcust/tools/win32/pskill.exe]
 00039703 Application/Pskill.A HackTools No 0 Yes No c:\windows\system\restore.ins[c:/oemcust/tools/win32/pskill.exe]
 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@atdmt[3].txt
 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@atdmt[2].txt
 00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@247realmedia[1].txt
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@ad.yieldmanager[2].txt
 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@ad.yieldmanager[3].txt
 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@apmebf[1].txt
 00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@burstnet[2].txt
 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@serving-sys[1].txt
 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@bs.serving-sys[2].txt
 00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@adtech[1].txt
 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@adrevolver[3].txt
 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@adrevolver[2].txt
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000240.sys
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000054.sys
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000015.sys
 02919763 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp3\a0001713.exe
 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-01-01_13.25.08.zip[sdra64.exe]
 05821561 Trj/Sinowal.DW Virus/Trojan No 1 Yes No c:\qoobox\quarantine\[4]-submit_2010-01-01_13.25.08.zip[msuiyr32.exe]
;========================================================================
 SUSPECTS
 Sent Location
;========================================================================
 No c:\documents and settings\john\desktop\combofix.exe[32788r22fwjfw\pev.exe]
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000027.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000108.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000129.exe[32788r22fwjfw\pev.exe]
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000177.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000207.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000354.exe
 No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp3\a0001714.msi[unk_0053]
 No c:\windows\pev.exe
;========================================================================
 VULNERABILITIES
 Id Severity Description
;========================================================================
;========================================================================

Thanks again for all your time and expertise - I have very little understanding of what's going on!

All best
nuley
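The two ActiveScan exports above are read the same way chiaz reads them: a hit that sits in ComboFix's quarantine or in an old System Restore point is already contained, a tracking cookie is inert, and only what is left is still on the running system. This is an added example, not part of the thread or of Panda's software, that parses the export's MALWARE section and sorts the rows by location; the sample rows are a constructed, trimmed copy of the ones posted above.

```python
import re
from collections import defaultdict

# A MALWARE row of a Panda ActiveScan 2.0 export (ActiveScan.txt) is laid out as
# Id Description Type Active Severity Disinfectable Disinfected Location; Description and
# Location may contain spaces, so the regex anchors on the fixed fields in the middle.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+?)\s*$")
# Where a hit sits decides what it means for the running system (patterns are lowercase).
LOCATION_CLASSES = (
    ("quarantine", r"^c:\\qoobox\\quarantine\\"),  # already contained by ComboFix
    ("restore_point", r"^c:\\system volume information\\_restore"),  # old copy, gone when System Restore is reset
    ("cookie", r"\\cookies\\"),  # tracking cookie, not executable
)

def parse_malware_section(text):
    """Return the MALWARE rows as dicts; every other section is skipped."""
    rows, in_malware = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"):
            in_malware = stripped == "MALWARE"
        elif in_malware and not stripped.startswith(";"):
            if m := ROW_RE.match(line):
                rows.append(m.groupdict())
    return rows

def classify(location):
    """Map a detection path to quarantine / restore_point / cookie / live."""
    loc = location.lower()
    for name, pattern in LOCATION_CLASSES:
        if re.search(pattern, loc):
            return name
    return "live"

def triage(text):
    # 'live' rows are the ones still present on the running system and worth a second look.
    groups = defaultdict(list)
    for row in parse_malware_section(text):
        groups[classify(row["location"])].append(row)
    return dict(groups)

# Constructed sample: a trimmed copy of rows from the log above, in the export's own layout.
SAMPLE = r"""
 MALWARE
 Id Description Type Active Severity Disinfectable Disinfected Location
 00103551 adware/windowenhancer Adware No 0 Yes No c:\windows\system32\sbutils
 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\john\cookies\john@atdmt[2].txt
 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{1450a557-4027-4f57-affc-65b5f7afb22a}\rp1\a0000015.sys
 02919763 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\apps\homepage\homepgui.exe
 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2010-01-01_13.25.08.zip[sdra64.exe]
"""
```

Running `triage(SAMPLE)` leaves exactly the sbutils folder and homepgui.exe in the "live" group, which is what the next reply asks to have deleted; the quarantine and restore-point copies disappear on their own when ComboFix is uninstalled and System Restore is reset.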
chiaz Posted January 5, 2010

Don't worry, the rest are harmless. I think our work is done here - your PC should be clean now.

It's time to remove ComboFix.

Go to Start > Run
Type in box combofix /uninstall
Note: the space between the X and the /u
Press Enter.

This command will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Let me know if you are experiencing any other issues.
nuley (Author) Posted January 6, 2010

Dear Chiaz

Thank you very very much for your help. All is working fine so far, and hopefully will continue to do so! I'm very grateful for your support and generous help.

All best
Nuley
chiaz Posted January 7, 2010

You're welcome Nuley. All the best in 2010, and hope I don't see you in this section any time soon. :)