Win32:JunkPoly-B

Hello,

My computer was injected with Win32:JunkPoly-B. I followed the instructions on this forum to clean it. Here is a copy of the “hijackthis log” file. Can you please tell me if it has been properly cleaned. Or what my next step is?

Mary

PS the instructions that I followed were in another post regarding “JunkPoly-B” on this forum and were as follows:
"I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector."
==========================================================================================
Since posting this original thread I saw a more recent post in “Logs to Assist in Cleaning Malware” that said to run MBAM and OTL and attach the Logs from these. So I am now attaching these log files. (mbam-log & Extras Log) I will submit the “OTL log” in another post due to file size restrictions.

PLEASE ADVISE ON WHAT I SHOULD DO NEXT OR IF ALL LOOKS OK. THANK YOU!

Additional scan log file as per above post:
(OTL log posted here due to file size restrictions)

Additional scan log file as per above post:
(EXTRAS log posted here due to file size restrictions)

PLEASE ADVISE ON WHAT I SHOULD DO NEXT OR IF ALL LOOKS OK.
THANK YOU!

Essexboy is notified… :wink:
He is usually in here from 8:00pm to 11:59pm UK time


The below is for information only. Please do nothing without instructions from Essexboy.

While I do not normally mind doing HJT log analyzing, this one has over 50 entries that are similar with only minor differences. I am not familiar enough with these differences to offer advice. There are 2 other problems (one is no name, no file) and one of those is a toolbar that is suspect to me. Research results for AirMiles Toolbar are about equally good/bad. I suspect it is spyware/adware and most such toolbars are just that.

At the time of the HJT log, Overview of running tasks:

smss.exe
System process
Session Manager Subsystem

winlogon.exe
System process
Microsoft Windows Logon Process

services.exe
System process
Windows Service Controller

services.exe
System process
Microsoft Windows Operating System

lsass.exe
System process
Local Security Authority Service

lsass.exe
System process
Microsoft Windows Operating System

svchost.exe
System process
Microsoft Service Host Process

svchost.exe
System process
Microsoft Windows Operating System

MsMpEng.exe
Anti Add/Spyware software
Microsoft Windows Defender Antispyware

svchost.exe
System process
Microsoft Service Host Process

svchost.exe
System process
Microsoft Windows Operating System

AvastSvc.exe
Virusscan
avast! Antivirus

Explorer.EXE
System process
Microsoft Windows Explorer

spoolsv.exe
System process
Microsoft Printer Spooler Service

spoolsv.exe
System process
Microsoft Windows Operating System

ehtray.exe
Backgroundtask
Microsoft Media Center Tray Icon

PhotoshopElementsFileAgent.exe
Backgroundtask
Adobe Photoshop Elements

agrsmsvc.exe
Driver
Modem Service

Iaanotif.exe
Driver
Event Monitor User

AppleMobileDeviceService.exe
Backgroundtask
Apple Mobile Device Service

arservice.exe
System process
Media Center Away Mode Service

rundll32.exe
System process
Microsoft Rundll32

rundll32.exe
System process
rundll

CATSysDemon.exe
Backgroundtask
Backbone Service (BBDemon)

HPWuSchd2.exe
Backgroundtask
Hewlett Packard Software Update Scheduler

KBD.EXE
Backgroundtask
Multimedia keyboard manager.

MSASCui.exe
Anti Add/Spyware software
Microsoft Windows Defender Antispyware

VBTUCopy.exe
Unknown task ( Button triggered USB copy utility )
Unknown task http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=14716

apdproxy.exe
Application
Adobe Photoshop Album

Acrotray.exe
Backgroundtask
Acrobat Traybar Assistant

mDNSResponder.exe
Backgroundtask
Bonjour for Windows Component

ehRecvr.exe
Backgroundtask
Media Center Receiver Service

RTHDCPL.EXE
Driver
Realtek HD Audio Sound Effect Manager

RUNDLL32.EXE
System process
Microsoft Rundll32

AirPlusCFG.exe
System process
D-Link AirPlus XtremeG wireless configuration utility

WZCSLDR2.exe
System process
ALPHA Networks wireless driver

realsched.exe
Application
RealNetworks Scheduler

ehSched.exe
Backgroundtask
Media Center Scheduler Service

jusched.exe
Backgroundtask
Sun Java Update Scheduler

avastUI.exe
Virusscan
avast! Antivirus

StxMenuMgr.exe
Unknown task ( Seagate FreeAgent )
Unknown task http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=12013

FreeAgentService.exe
Driver
Sync

iTunesHelper.exe
Application
Apple Itunes

ctfmon.exe
System process
Alternative User Input Services

LogitechDesktopMessenger.exe
Backgroundtask
Logitech Desktop Messenger

wcescomm.exe
System process
Microsoft ActiveSync Connection Manager

Iaantmon.exe
Driver
Intel Application Accelerator Component

rapimgr.exe
Backgroundtask
Microsoft ActiveSync Module

jqs.exe
Backgroundtask
Java Quick Starter Service

LSSrvc.exe
Backgroundtask
NERO Light Scribe Module

MDM.EXE
Backgroundtask
Machine Debug Manager

nvsvc32.exe
Application
NVIDIA Driver Helper Service

svchost.exe
System process
Microsoft Service Host Process

svchost.exe
System process
Microsoft Windows Operating System

YahooAUService.exe
Backgroundtask
Yahoo! AutoUpdater

ELService.exe
Driver
Intel(R) Quick Resume Technology driver

ehmsas.exe
System process
Microsoft Media Center State Aggregator Service

Tablet.exe
Backgroundtask
Wacom Win32 Tablet Service

TabUserW.exe
Backgroundtask
Wacom Pen Tablet Module

Tablet.exe
Backgroundtask
Wacom Win32 Tablet Service

FNPLicensingService.exe
Backgroundtask
Activation Licensing Service

iPodService.exe
Backgroundtask
Apple iTunes

dllhost.exe
System process
Microsoft DCOM DLL Host Process

hpsysdrv.exe
Application
Hewlett-Packard Monitoring Tool

SUPERAntiSpyware.exe
Anti Add/Spyware software
SUPERAntiSpyware

HijackThis.exe
Application
Merijn Hijackthis


JunkPoly detections could detect some keygens or cracked stuff as a side effect (because they often look very suspicious)… but you know - who wants to play with fire…

anyway, the path and name of detected file would help here

This is a similar infection to yip24

Once these files are quarantined I will give some instructions on uploading them to Avast - This one inserts itself in the Appcert chain

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
MOD - [2011/01/23 13:03:35 | 000,058,880 | -H-- | M] () -- C:\WINDOWS\system32\calcuery.dll
O36 - AppCertDlls: dpvsclip - (C:\WINDOWS\system32\calcuery.dll) - C:\WINDOWS\system32\calcuery.dll ()
[2011/01/25 03:00:00 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\xpcwmrpd.job
[2011/01/24 23:10:10 | 000,011,034 | ---- | M] () -- C:\WINDOWS\System32\345.js
[2011/01/07 01:10:03 | 000,011,261 | ---- | M] () -- C:\WINDOWS\System32\saad.js
[2011/01/23 13:03:35 | 000,058,880 | -H-- | C] () -- C:\WINDOWS\System32\calcuery.dll
[2010/08/21 11:03:15 | 000,002,848 | ---- | C] () -- C:\WINDOWS\etivunebur.dll
[2010/08/21 10:52:31 | 000,002,848 | ---- | C] () -- C:\WINDOWS\ogiwaqiqamal.dll
[2010/08/21 10:48:39 | 000,002,848 | ---- | C] () -- C:\WINDOWS\evinumatoy.dll
[2010/08/21 10:40:04 | 000,002,848 | ---- | C] () -- C:\WINDOWS\ipihukoziyequki.dll
:Files
ipconfig /flushdns /c
C:\WINDOWS\Tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
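As an added example (not from the thread, OTL or ComboFix), a small Python triage of OTL log lines like the ones pasted in the fix script above: it flags the O36 AppCertDlls entry, hidden or publisher-less DLLs under the Windows directory, the .job task file and the scripts sitting in System32. The kernel32 line is a constructed benign control to show what is not flagged.

```python
import re

# Constructed sample: the OTL lines quoted in the fix script above, plus one
# made-up benign kernel32 line (publisher present, not hidden) as a control.
SAMPLE_OTL = r"""
MOD - [2011/01/23 13:03:35 | 000,058,880 | -H-- | M] () -- C:\WINDOWS\system32\calcuery.dll
MOD - [2008/04/14 00:12:02 | 000,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\kernel32.dll
O36 - AppCertDlls: dpvsclip - (C:\WINDOWS\system32\calcuery.dll) - C:\WINDOWS\system32\calcuery.dll ()
[2011/01/25 03:00:00 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\xpcwmrpd.job
[2011/01/24 23:10:10 | 000,011,034 | ---- | M] () -- C:\WINDOWS\System32\345.js
[2010/08/21 11:03:15 | 000,002,848 | ---- | C] () -- C:\WINDOWS\etivunebur.dll
"""

# OTL file entry: [date time | size | attributes | M/C] (publisher) -- path
FILE_RE = re.compile(
    r"^(?:MOD - )?\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[MC]\]"
    r"\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+?)\s*$")
# OTL O36 line: AppCertDlls registry value -> DLL path
APPCERT_RE = re.compile(r"^O36 - AppCertDlls:\s*(?P<name>\S+)\s*-\s*\((?P<path>[^)]*)\)")

def triage(log_text):
    """Return (reason, path) pairs for OTL lines a log reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        m = APPCERT_RE.match(line)
        if m:
            # A DLL listed under AppCertDlls is loaded into every process that calls
            # the CreateProcess family of APIs; such entries are rare on a home PC.
            findings.append(("AppCertDlls persistence", m.group("path")))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path, attr, company = m.group("path"), m.group("attr"), m.group("company").strip()
        low = path.lower()
        in_windows = "\\windows\\" in low
        if in_windows and "H" in attr and not company and low.endswith(".dll"):
            findings.append(("hidden DLL with no publisher in Windows dir", path))
        elif in_windows and not company and low.endswith(".dll"):
            findings.append(("DLL with no publisher in Windows dir", path))
        elif "\\tasks\\" in low and low.endswith(".job"):
            findings.append(("scheduled task .job file", path))
        elif "\\system32\\" in low and low.endswith((".js", ".vbs")):
            findings.append(("script file in System32", path))
    return findings

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_OTL):
        print(f"{reason}: {path}")
```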

Hi;
Thanks for the additional instructions … I am attaching tonight's additional OTL log file and the ComboFix log. Also, I am going to attach a .jpg file with the very original system scan & Boot Scan results, as I believe that is what Maxx_original was asking for.
Please advise me as to what my next step is, and what shape my PC is in at the moment. Thanks!
m

the initial JunkPoly hit was rather a FP on custom packer/obfuscator… but there’s certainly something fishy in your logs… follow essexboy’s advice to carry out the rest of cleaning and we’ll be interested in getting the particular samples :slight_smile:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls not found.
File C:\WINDOWS\system32\calcuery.dll not found.
File C:\WINDOWS\tasks\xpcwmrpd.job not found.
File C:\WINDOWS\System32\345.js not found.
File C:\WINDOWS\System32\saad.js not found.
File C:\WINDOWS\System32\calcuery.dll not found.
File C:\WINDOWS\etivunebur.dll not found.
File C:\WINDOWS\ogiwaqiqamal.dll not found.
File C:\WINDOWS\evinumatoy.dll not found.
File C:\WINDOWS\ipihukoziyequki.dll not found.
A bit weird this - could you run a fresh OTL scan please ensuring all users is checked but no scan script is needed

Just to clarify, am I right in thinking that you want me to cut & paste the following into the custom area of the OTL screen before running another Quick Scan?

==== Do I cut & paste this into the OTL before running a QUICK SCAN?====
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls not found.
File C:\WINDOWS\system32\calcuery.dll not found.
File C:\WINDOWS\tasks\xpcwmrpd.job not found.
File C:\WINDOWS\System32\345.js not found.
File C:\WINDOWS\System32\saad.js not found.
File C:\WINDOWS\System32\calcuery.dll not found.
File C:\WINDOWS\etivunebur.dll not found.
File C:\WINDOWS\ogiwaqiqamal.dll not found.
File C:\WINDOWS\evinumatoy.dll not found.
File C:\WINDOWS\ipihukoziyequki.dll not found.

-or- … do I just open OTL and run Quick Scan as is?

m

On second look … you just want me to run a new OTL QUICK SCAN … with NO MODIFICATIONS to the settings at all … correct?

m

Hi;
Here is this evenings OTL - QUICK SCAN log. I ran it twice because I forgot to check “All users” the first run. So I ran it again, with “All users” checked, but no other modifications to the settings at all … and nothing pasted into the ‘custom’ area.
What do you think? Are things looking up at all? ???
m

Not there now ;D so what problems do you have now ?

Could you do the following for me please go to this folder C:_OTL there should be some subdirectories there
is there anything in this subdirectory [b]C:\WINDOWS\system32[/b] ?

Hi;
Things seem ok now. I just wasn’t sure what all the logs you were asking for were telling you (ie. Whether there were issues in them that I wouldn’t be seeing). I am going to run one more full scan tonight out of paranoia. :slight_smile:

There are screen shots attached of the C:_OTL folder in general and in the C:\WINDOWS\system32\ ? folder in particular, per your request.
Question?: Do I leave the C:_OTL directory there? Or can I delete it? What is the reason for its creation?

Thanks so much for the help. ;D

m

OTL did not remove them so I am just curious how the registry entries and file disappeared from one log to the next ???

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 23.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u23-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: