  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your Antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot; this is because McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.


Shut down McAfee. Could not find an uninstall utility. ComboFix did three reboots. Clicked off hundreds of "bad image" messages during the scan. All went well and the Bad image error messages have stopped. Everything seems back to normal. See my ComboFix log and reply if it looks like my machine is well again.

ComboFix 09-06-25.01 - ed 06/25/2009 12:20.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1719 [GMT -7:00]

Running from: c:\documents and settings\ed\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\SKYNETwmkyfwxy.sys

c:\windows\system32\SKYNETitavrpqm.dll

c:\windows\system32\SKYNETiwdgbnyj.dat

c:\windows\system32\SKYNETmqxrdnql.dll

c:\windows\system32\SKYNETpmlalkit.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SKYNETeyqoexra

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))

.

2009-06-25 19:30 . 2009-06-25 19:30 -------- d-sh--w- C:\found.000

2009-06-24 23:15 . 2009-06-24 23:15 -------- d-----w- c:\program files\Trend Micro

2009-06-24 18:59 . 2009-06-24 18:59 -------- d-----w- c:\program files\ESET

2009-06-21 06:54 . 2009-06-21 06:54 -------- d-----w- c:\documents and settings\pat\Application Data\Malwarebytes

2009-06-21 06:28 . 2009-06-21 06:28 -------- d-----w- c:\documents and settings\pat\Local Settings\Application Data\Mozilla

2009-06-19 23:29 . 2009-06-19 23:29 -------- d-sh--w- c:\documents and settings\ed\IECompatCache

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\documents and settings\ed\Application Data\Malwarebytes

2009-06-19 21:35 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-19 21:35 . 2009-06-19 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-19 21:35 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-14 01:02 . 2009-06-14 01:02 -------- d-sh--w- c:\documents and settings\pat\PrivacIE

2009-06-14 01:02 . 2009-06-14 01:02 -------- d-sh--w- c:\documents and settings\pat\IETldCache

2009-06-11 18:13 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-06-11 18:13 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-06-01 00:12 . 2009-06-01 00:12 -------- d-----w- c:\documents and settings\ed\Local Settings\Application Data\Help

2009-06-01 00:05 . 2009-06-01 00:05 -------- d-----w- c:\documents and settings\ed\WINDOWS

2009-05-28 04:02 . 2009-05-28 04:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-05-27 20:20 . 2009-05-27 20:20 -------- d-sh--w- c:\documents and settings\ed\PrivacIE

2009-05-27 20:19 . 2009-05-27 20:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-05-27 20:19 . 2009-05-27 20:19 -------- d-sh--w- c:\documents and settings\ed\IETldCache

2009-05-27 20:16 . 2009-05-27 20:16 -------- d-----w- c:\windows\ie8updates

2009-05-27 20:16 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-05-27 20:15 . 2009-05-27 20:15 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-25 19:33 . 2008-12-10 19:52 -------- d-----w- c:\program files\Steam

2009-06-25 05:14 . 2008-06-10 22:57 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-06-23 16:56 . 2008-06-06 22:33 46816 ----a-w- c:\documents and settings\pat\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-23 06:12 . 2008-06-02 20:47 46816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-11 21:20 . 2008-06-02 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-13 05:15 . 2004-08-11 22:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 20:25 . 2009-05-12 20:25 28672 ----a-r- c:\documents and settings\ed\Application Data\Microsoft\Installer\{B4800BA5-33B2-44DE-8F5B-294ABDE10F0C}\_FC7C962C634D_4CDB_A7F2_189EDF9A7D54.exe

2009-05-07 15:32 . 2004-08-11 22:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-06 18:48 . 2009-05-06 18:48 -------- d-----w- c:\documents and settings\ed\Application Data\Quicken WillMaker

2009-05-06 18:48 . 2009-05-06 18:48 -------- d-----w- c:\program files\Quicken WillMaker Plus 2009

2009-05-06 18:39 . 2009-05-06 18:32 -------- d-----w- c:\program files\Quicken

2009-05-06 18:34 . 2009-05-06 18:34 3616768 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181311-181414.dll

2009-05-06 18:34 . 2009-05-06 18:34 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll

2009-05-06 18:33 . 2009-05-06 18:33 811008 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181212-181311.dll

2009-05-06 18:33 . 2009-05-06 18:33 1007616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181129-181212.dll

2009-05-06 18:33 . 2009-05-06 18:33 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE

2009-05-06 18:33 . 2009-05-06 18:33 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll

2009-05-06 18:33 . 2009-05-06 18:33 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd

2009-05-06 18:32 . 2009-02-23 21:06 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2009-05-06 18:32 . 2008-06-02 20:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-04-17 12:26 . 2004-08-11 22:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-08-11 22:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2008-06-02 20:31 . 2008-06-02 20:31 74 --sh--r- c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]

"Steam"="c:\program files\Steam\Steam.exe" [2009-06-11 1217784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-10-26 184352]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-02 29744]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-12-14 244208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-18 8523776]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 221184]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-10 77824]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-04-07 128296]

"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2006-11-08 49152]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-01-15 16855552]

c:\documents and settings\ed\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\CyberLink\PowerDVD DX\000.fcl [8/21/2008 12:35 PM 41456]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [6/5/2008 1:27 PM 18432]

R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [6/5/2008 1:27 PM 14336]

R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [6/2/2008 1:30 PM 31616]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [12/14/2007 12:25 PM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [12/14/2007 12:25 PM 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [12/14/2007 12:25 PM 1112560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard79002003-08-20 21:57N41I320YQN8.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 21:57]

2009-06-25 c:\windows\Tasks\HP Usg Daily.job

- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2008-07-14 21:23]

2008-06-02 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-02 17:53]

2008-06-02 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-02 17:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html

IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-25 12:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1536859348-3542924172-1195159738-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:89,82,e6,97,5b,09,33,be,49,8d,e4,2e,78,36,b1,8d,f4,6d,69,52,a2,ba,9f,

3a,d1,ea,66,d1,ce,82,f6,46,a1,14,df,68,89,54,b8,11,f9,fe,f7,fe,d6,2d,6a,ce,\

"??"=hex:ce,63,c6,25,a0,dd,ce,ee,e2,7e,f5,9c,b3,b9,73,d3

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1404)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe

c:\windows\system32\pmxmiced.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\HPZipm12.exe

.

**************************************************************************

.

Completion time: 2009-06-25 12:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-25 19:35

Pre-Run: 941,152,706,560 bytes free

Post-Run: 941,551,910,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

204 --- E O F --- 2009-06-11 21:20


  • Staff

Hi,

This looks OK again.

You were lucky that McAfee didn't interfere too much, because even when disabled, it may cause a lot of problems with Combofix and may lock some Combofix components while Combofix is removing malware or fixing other settings > result > Windows errors.

Anyway, * Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • 2 weeks later...
  • Staff

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
