
My Google searches keep getting redirected, McAfee is disabled, and the internet is running slow. Scanned with SpyBot and removed all selected items, scanned with MBAM and it came back with a few "skynet----" files; removed all of them, and upon reboot it seemed to have deleted them all. Ran MBAM again and it showed no infection, checked again with McAfee and SpyBot, all showing nothing and no more redirection on Google. But a few hours later the redirection came back, and running MBAM again showed the same "Skynet virus" files. Ran through the same process several times and it keeps coming back! Finally tried ComboFix in safe mode with the internet disconnected and Windows Restore disabled, and it appears to have removed the Skynet files; ran MBAM showing nothing and also ran HijackThis. I'm hesitant to reconnect my internet until I can confirm this virus is really removed and my system is clean. Would really appreciate it if someone could help me take a look at the HijackThis log below; I've also attached the current cleaned MBAM log and ComboFix log showing the names of the virus files. Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:20:56 AM, on 6/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Canon\BJCard\Bjmcmng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\explorer.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.turbotax.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...81/mcinsctl.cab

O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_la...eX/MsnPUpld.cab

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 11265 bytes

mbam.txt

ComboFix.txt


Please do NOT attach logs unless requested to do so.

Do not run Combofix unless you are instructed to do so by a qualified malware removal advisor.

Malwarebytes' Anti-Malware 1.38

Database version: 2343

Windows 5.1.2600 Service Pack 2

6/30/2009 12:17:56 AM

mbam-log-2009-06-30 (00-17-56).txt

Scan type: Quick Scan

Objects scanned: 110593

Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Folder::

c:\documents and settings\All Users\Application Data\13219534

c:\documents and settings\All Users\Application Data\93229526

c:\documents and settings\All Users\Application Data\13219534

2009-06-22 14:36 . 2009-06-22 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\93229526

ComboFix 09-06-29.04 - Administrator 06/29/2009 23:49.1 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1270 [GMT -7:00]

Running from: E:\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\temp\0c2

c:\temp\0c2\tmpFF.log

c:\temp\1cb

c:\temp\brr

c:\temp\fse

c:\windows\system32\drivers\fad.sys

c:\windows\system32\gjllm.ini

c:\windows\system32\mdm.exe

c:\windows\system32\quxyenky.ini

c:\windows\system32\SKYNETefqorivw.dat

c:\windows\system32\SKYNETlndsdtoy.dat

c:\windows\system32\tempchk

c:\windows\system32\ucojyonn.ini

c:\windows\system32\V1

c:\windows\system32\win

c:\windows\system32\X1

c:\windows\system32\X11

c:\windows\system32\X3

c:\windows\system32\X7

c:\windows\system32\Z1

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DOMAINSERVICE

-------\Service_SKYNETxouvxwqo

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))

.

2009-06-30 01:54 . 2009-06-30 01:54 -------- d-----w- c:\documents and settings\guest 1\Local Settings\Application Data\SupportSoft

2009-06-28 00:04 . 2009-06-28 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\Malwarebytes

2009-06-26 04:24 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-26 04:24 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-22 14:36 . 2009-06-22 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\13219534

2009-06-22 14:36 . 2009-06-22 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\93229526

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-27 06:22 . 2008-03-07 02:21 -------- d-----w- c:\program files\Folder Lock

2009-06-27 03:36 . 2004-01-24 04:03 -------- d-----w- c:\program files\Lavasoft

2009-06-27 03:36 . 2005-02-02 02:51 -------- d-----w- c:\documents and settings\Ted\Application Data\Lavasoft

2009-06-24 07:51 . 2008-10-28 06:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-24 07:49 . 2007-08-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-24 07:02 . 2007-05-03 01:46 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2009-06-24 06:27 . 2008-12-13 10:08 -------- d-----w- c:\program files\McAfee

2009-06-24 05:59 . 2006-03-01 01:47 -------- d-----w- c:\documents and settings\Ted\Application Data\uTorrent

2009-06-21 17:56 . 2006-12-11 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\U3

2009-06-21 17:49 . 2009-05-28 04:40 -------- d-----w- c:\documents and settings\Ted\Application Data\WinFF

2009-05-28 04:40 . 2009-05-28 04:40 -------- d-----w- c:\program files\WinFF

2009-05-23 04:34 . 2008-12-13 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-05-07 15:44 . 2008-08-05 00:43 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:31 . 2004-12-08 00:37 668160 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:31 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-04-17 09:58 . 2008-08-05 00:43 1846656 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 15:11 . 2004-12-04 04:50 584192 ----a-w- c:\windows\system32\rpcrt4.dll

2006-01-05 07:52 . 2006-01-05 07:52 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]

"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-09-29 385024]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-03 52896]

"Norton Save and Restore"="c:\program files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-12 1582744]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-01 180269]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]

"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk

backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ted^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Ted\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=

"c:\\Program Files\\PPLive\\PPLive.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Ted\\Desktop\\DeskMisc\\utorrent.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\hfxp2.sys [10/12/2004 2:24 PM 11392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1efb12b7-cd88-11dd-96d8-000bdbc1e9ec}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1efb12c4-cd88-11dd-96d8-000bdbc1e9ec}]

\Shell\AutoRun\command - E:\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5927c2a0-81db-11db-9661-000bdbc1e9ec}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84c7dfb4-19a7-11dd-96b2-000bdbc1e9ec}]

\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

.

Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]

2009-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]

.

- - - - ORPHANS REMOVED - - - -

BHO-{46617004-54D9-4720-97C9-4C3E23EA43AB} - c:\windows\system32\mlljg.dll

BHO-{6A501315-7ED9-424F-9714-0D92FDB8C90F} - c:\windows\system32\jkkli.dll

BHO-{97039C41-FBA1-45C8-B539-DB8730D5FB87} - c:\windows\system32\awvtr.dll

BHO-{9C2AC464-E172-4A8F-9028-C5A523E8B754} - c:\windows\system32\awvtr.dll

BHO-{A0892BA6-AF26-4DFC-8820-2C6CD669F62E} - c:\windows\system32\awvtr.dll

BHO-{F202E26F-87FB-409B-9AAC-5ABDB2CD10C2} - c:\windows\system32\geedd.dll

Notify-dimsntfy - (no file)

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

Trusted Zone: hotmail.com\www

Trusted Zone: live.com

Trusted Zone: live.com\login

Trusted Zone: live.com\mail

Trusted Zone: microsoft.com\www

Trusted Zone: msn.com\www

Trusted Zone: turbotax.com

Trusted Zone: yahoo.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - hxxp://public1.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cab

FF - ProfilePath - c:\documents and settings\Ted\Application Data\Mozilla\Firefox\Profiles\wpoc7pwc.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/|http://forums.slickdeals.net/forumdisplay.php?f=9|http://www.yahoo.com/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-29 23:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3148)

c:\progra~1\VERIZO~1\SMARTB~1\SBHook.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Canon\BJCard\Bjmcmng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\McAfee\SiteAdvisor\McSACore.exe

c:\program files\Norton Save and Restore\Agent\VProSvc.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

.

**************************************************************************

.

Completion time: 2009-06-30 0:05 - machine was rebooted [Ted]

ComboFix-quarantined-files.txt 2009-06-30 07:05

Pre-Run: 9,834,319,872 bytes free

Post-Run: 8,967,229,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

236 --- E O F --- 2009-06-30 00:30

===================


First, disable Spybot's TeaTimer or the changes will be reversed. This is a two step process.

First:

- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

- Choose Exit Spybot S&D Resident

Second:

- Open Spybot S&D

- Click Mode, check Advanced Mode

- Go To Left Panel, Click Tools, then also in left panel, click Resident

Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

We have some more folders to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

Folder::

c:\documents and settings\All Users\Application Data\13219534

c:\documents and settings\All Users\Application Data\93229526

c:\documents and settings\Ted\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

c:\windows\pss\PowerReg Scheduler V3.exeStartup

Save this to your desktop as CFScript.txt by selecting File -> Save as.

[Image: CFScriptB-4.gif]

Very Important: Disable ALL security program active protection components at this time, including any and all antispyware and antivirus monitors/guards you have running!! This includes McAfee and Spybot TeaTimer.

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. Then re-enable them after you get the new ComboFix report.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

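The logs in this thread carry a handful of signals that the helper's reply turns on: the SKYNET-prefixed file and service names, McAfee reporting on-access scanning disabled, Security Center monitoring suppressed in the registry, the firewall policy set to 0, orphaned BHOs pointing at short random-looking DLLs, and the purely numeric folders under All Users\Application Data that the CFScript targets. As an added example (not a tool from the thread or from Malwarebytes), the script below walks ComboFix/HijackThis style log lines and flags those indicators; the sample lines are constructed from entries that appear in the posted logs, and the rule names are the reviewer's own.

```python
"""Triage ComboFix / HijackThis style log lines for the indicators discussed in the thread.

Added example: the rules and names here are the reviewer's, not part of ComboFix or MBAM.
"""
import re

# Constructed sample: a few lines copied in the format of the logs posted above.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
c:\windows\system32\SKYNETefqorivw.dat
c:\windows\system32\drivers\fad.sys
-------\Service_SKYNETxouvxwqo
2009-06-22 14:36 . 2009-06-22 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\13219534
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
BHO-{46617004-54D9-4720-97C9-4C3E23EA43AB} - c:\windows\system32\mlljg.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Line-local rules: (rule name, pattern searched in the stripped line).
LINE_RULES = [
    # File or service whose name carries the SKYNET prefix seen in the ComboFix deletions.
    ("skynet_artifact", re.compile(r"\\(?:Service_)?SKYNET\w+", re.IGNORECASE)),
    # ComboFix header reporting that the AV's on-access (real-time) scanner is off.
    ("av_realtime_disabled", re.compile(r"^AV: .*\*On-access scanning disabled\*")),
    # Windows Firewall standard-profile policy explicitly set to 0.
    ("firewall_policy_disabled", re.compile(r'^"EnableFirewall"\s*=\s*0\b')),
    # Directory under the shared Application Data whose name is digits only.
    ("numeric_appdata_folder",
     re.compile(r"\\All Users\\Application Data\\\d+\s*$", re.IGNORECASE)),
    # Orphaned Browser Helper Object entry (registry points at a DLL that is gone).
    ("orphan_bho", re.compile(r"^BHO-\{[0-9A-F-]+\}\s+-\s+.+\.dll$", re.IGNORECASE)),
]

# Registry section header such as [HKEY_LOCAL_MACHINE\...]; values that follow belong to it.
SECTION_RE = re.compile(r"^\[(.+)\]$")
# Security Center "DisableMonitoring"=1 only matters under the ...\security center\Monitoring keys.
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')


def triage(lines):
    """Return a list of (rule, line) pairs for every line that trips an indicator rule."""
    findings = []
    section = ""  # lower-cased name of the current registry section, if any
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        for name, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append((name, line))
        # Context-dependent rule: the same value under another key would be benign.
        if DISABLE_MON_RE.match(line) and r"security center\monitoring" in section:
            findings.append(("security_center_monitoring_suppressed", f"[{section}] {line}"))
    return findings


def summarize(findings):
    """Count findings per rule so a reviewer can see the shape of the log at a glance."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for rule, text in results:
        print(f"{rule:40s} {text}")
    print(summarize(results))
```

Protection being switched off (the AV, the firewall policy and Security Center monitoring together) is what lets a reinfection cycle like the one in the first post repeat between scans, so those findings deserve attention alongside the named files.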

Thank you for your help, just one question before I go ahead with your instructions above. Do I need to do this in safe mode?


Wanted a C/P of the log, please.

Sorry, here's the C/P of the ComboFix log:

ComboFix 09-06-29.04 - Ted 06/30/2009 18:19.2 - NTFSx86

Running from: c:\documents and settings\Ted\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Ted\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\13219534

c:\documents and settings\All Users\Application Data\13219534\13219534.glu

c:\documents and settings\All Users\Application Data\93229526

.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))

.

2009-06-30 07:20 . 2009-06-30 07:20 -------- d-----w- c:\program files\Trend Micro

2009-06-30 01:54 . 2009-06-30 01:54 -------- d-----w- c:\documents and settings\guest 1\Local Settings\Application Data\SupportSoft

2009-06-28 00:04 . 2009-06-28 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\Malwarebytes

2009-06-26 04:24 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-26 04:24 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-27 06:22 . 2008-03-07 02:21 -------- d-----w- c:\program files\Folder Lock

2009-06-27 03:36 . 2004-01-24 04:03 -------- d-----w- c:\program files\Lavasoft

2009-06-27 03:36 . 2005-02-02 02:51 -------- d-----w- c:\documents and settings\Ted\Application Data\Lavasoft

2009-06-24 07:51 . 2008-10-28 06:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-24 07:49 . 2007-08-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-24 07:02 . 2007-05-03 01:46 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2009-06-24 06:27 . 2008-12-13 10:08 -------- d-----w- c:\program files\McAfee

2009-06-24 05:59 . 2006-03-01 01:47 -------- d-----w- c:\documents and settings\Ted\Application Data\uTorrent

2009-06-21 17:56 . 2006-12-11 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\U3

2009-06-21 17:49 . 2009-05-28 04:40 -------- d-----w- c:\documents and settings\Ted\Application Data\WinFF

2009-05-28 04:40 . 2009-05-28 04:40 -------- d-----w- c:\program files\WinFF

2009-05-23 04:34 . 2008-12-13 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-05-07 15:44 . 2008-08-05 00:43 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:31 . 2004-12-08 00:37 668160 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:31 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-04-17 09:58 . 2008-08-05 00:43 1846656 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 15:11 . 2004-12-04 04:50 584192 ----a-w- c:\windows\system32\rpcrt4.dll

2006-01-05 07:52 . 2006-01-05 07:52 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_06.59.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-01 01:28 . 2009-07-01 01:28 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat

+ 2009-07-01 01:28 . 2009-07-01 01:28 16384 c:\windows\temp\Perflib_Perfdata_674.dat

+ 2002-09-03 08:08 . 2009-06-30 19:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT

- 2002-09-03 08:08 . 2009-06-29 19:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT

+ 2002-09-03 08:08 . 2009-06-30 19:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

- 2002-09-03 08:08 . 2009-06-29 19:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

+ 2002-09-03 08:08 . 2009-06-30 19:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT

- 2002-09-03 08:08 . 2009-06-29 19:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]

"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-09-29 385024]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-03 52896]

"Norton Save and Restore"="c:\program files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-12 1582744]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-01 180269]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]

"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

[bU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk

backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ted^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Ted\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=

"c:\\Program Files\\PPLive\\PPLive.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Ted\\Desktop\\DeskMisc\\utorrent.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\HFXP2.SYS [2004-10-12 11392]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

S2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2006-04-12 2111128]

.

Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]

2009-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]

.

- - - - ORPHANS REMOVED - - - -

BHO-{46617004-54D9-4720-97C9-4C3E23EA43AB} - (no file)

BHO-{6A501315-7ED9-424F-9714-0D92FDB8C90F} - (no file)

BHO-{97039C41-FBA1-45C8-B539-DB8730D5FB87} - (no file)

BHO-{9C2AC464-E172-4A8F-9028-C5A523E8B754} - (no file)

BHO-{A0892BA6-AF26-4DFC-8820-2C6CD669F62E} - (no file)

BHO-{F202E26F-87FB-409B-9AAC-5ABDB2CD10C2} - (no file)

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

Trusted Zone: hotmail.com\www

Trusted Zone: live.com

Trusted Zone: live.com\login

Trusted Zone: live.com\mail

Trusted Zone: microsoft.com\www

Trusted Zone: msn.com\www

Trusted Zone: turbotax.com

Trusted Zone: yahoo.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - hxxp://public1.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cab

FF - ProfilePath - c:\documents and settings\Ted\Application Data\Mozilla\Firefox\Profiles\wpoc7pwc.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/|http://forums.slickdeals.net/forumdisplay.php?f=9|http://www.yahoo.com/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-30 18:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2480)

c:\progra~1\VERIZO~1\SMARTB~1\SBHook.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Canon\BJCard\Bjmcmng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

.

**************************************************************************

.

Completion time: 2009-07-01 18:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-01 01:38

ComboFix2.txt 2009-06-30 07:05

Pre-Run: 8,967,499,776 bytes free

Post-Run: 8,951,963,648 bytes free

202 --- E O F --- 2009-06-30 00:30

Link to post
Share on other sites

Good job!

No trace of SKYNET.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.


So I have to use Internet Explorer to do the ESET scan, FireFox won't work? The reason is because my IE browser was hijacked several years ago and was totally damaged somehow and I had switched over to Firefox ever since, I don't think it works anymore. Last time I tried to upgrade to IE7 I got a bunch of errors when I attempted to install it. Are there other options I can go with from here (other online scanners)? If not, I will have to try and download IE7 again and go from there, thanks again for all your help.


Then you can't download Windows updates if you cannot use IE, which will make you very vulnerable.

You must try to fix that.

In the meantime, as an alternative to an online antivirus scan, you can run a scan with Dr. Web CureIt!. This scanner is downloaded as a randomly named executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient. It also detects a lot of malware that other scanners miss and can repair damaged files that are essential for your computer.

1. Please download DrWeb-CureIt by clicking the "CureIt! Download" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.

2. Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, an Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode.

3. Double-click on the randomly named EXE file you just downloaded to start the program. An "Express Scan of your PC" notice will appear.

4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".

5. Once the short scan has finished, Click Options --> Change settings

6. Choose the "Scan tab" and UNcheck "Heuristic analysis"

7. Back at the main window, click "Complete Scan"

8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.

9. When done, a message will be displayed at the bottom advising if any threats were found.

10. Click "Yes to all" if it asks if you want to cure/move the file.

11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".

(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.

13. Save the DrWeb.csv report to your desktop.

14. Exit Dr.Web Cureit when done.

15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.

16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report by right-clicking the file and selecting "Open With" -> Notepad).

In your next reply, please include the following:

  • Dr.Web Log

Thanks for the advice regarding fixing the IE problem, actually I have been able to do regular Windows updates without any issues. I will try to reinstall/update to IE8 after fixing this virus problem. Here's the log of Dr. Web after the scan in safe mode, looks like there's a bunch of stuff hidden in System Restore even though I already turned off the Windows System Restore function. Please review, thanks.

RegUBP2b-Ted.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

couponprinter.exe\data012;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs\couponprinter.exe;Adware.Coupons;;

couponprinter.exe;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs;Container contains infected objects;Moved.;

spywareblastersetup351.exe\data001;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs\spywareblastersetup351.exe;Trojan.Packed.149;;

spywareblastersetup351.exe;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs;Archive contains infected objects;Moved.;

NOD32.FiX.v1.9.exe;C:\New Programs\NOD32 v2.51.8 + Crack;Trojan.Click.17167;Deleted.;

spywareblaster.exe;C:\Program Files\SpywareBlaster;Trojan.Packed.149;Deleted.;

A0000015.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1;Trojan.StartPage.1505;Deleted.;

A0000266.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.StartPage.1505;Deleted.;

A0000267.exe\data012;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000267.exe;Adware.Coupons;;

A0000267.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Container contains infected objects;Moved.;

A0000268.exe\data001;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000268.exe;Trojan.Packed.149;;

A0000268.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Archive contains infected objects;Moved.;

A0000269.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.Click.17167;Deleted.;

A0000270.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.Packed.149;Deleted.;


Hi thl777,

I am glad you are able to get Windows Updates because that is very important from a security perspective.

We'll purge the system restore data and then you will no longer get those detections.

It looks as if DrWeb flagged a false positive: SpywareBlaster's installer.

We have a few steps to finish up now.

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\Combo-Fix.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!
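One way to triage a Dr.Web report like the one posted above, sorting detections that sit in restore points or quarantine (inactive copies, cleared when the system restore data is purged) from live files that still need attention. This is an added example, not part of the thread and not Dr.Web's own tooling; it assumes the semicolon-separated DrWeb.csv layout shown above and the quarantine/restore-point path markers named in the code.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) by where each detection lives.

Added example, not from the thread and not Dr.Web's own tooling. It assumes the
semicolon-separated layout shown in the thread (name;directory;threat;action;);
the markers in INACTIVE_LOCATIONS are assumptions about where inactive copies
(restore points, quarantines, Spybot registry snapshots) are stored.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the report rows posted in the thread.
SAMPLE_REPORT = r"""
RegUBP2b-Ted.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
couponprinter.exe\data012;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs\couponprinter.exe;Adware.Coupons;;
couponprinter.exe;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs;Container contains infected objects;Moved.;
spywareblastersetup351.exe\data001;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs\spywareblastersetup351.exe;Trojan.Packed.149;;
spywareblastersetup351.exe;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs;Archive contains infected objects;Moved.;
spywareblaster.exe;C:\Program Files\SpywareBlaster;Trojan.Packed.149;Deleted.;
A0000015.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1;Trojan.StartPage.1505;Deleted.;
A0000267.exe\data012;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000267.exe;Adware.Coupons;;
A0000267.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Container contains infected objects;Moved.;
A0000270.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.Packed.149;Deleted.;
"""


@dataclass
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def nested(self) -> bool:
        # "archive.exe\data012" is an object inside a container; Dr.Web puts the
        # action on the container's own row, so nested rows carry none.
        return "\\" in self.name

    @property
    def full_path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_report(text: str) -> list[Detection]:
    """Parse report rows; lines with fewer than four fields are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue
        name, directory, threat, action = fields[:4]
        rows.append(Detection(name, directory, threat, action))
    return rows


# Assumed path markers (lower-cased) for copies nothing executes from: restore
# points, scanner quarantines, and Spybot's registry backup snapshots.
INACTIVE_LOCATIONS = {
    "restore_point": "\\system volume information\\_restore",
    "combofix_quarantine": "\\qoobox\\",
    "drweb_quarantine": "\\doctorweb\\quarantine\\",
    "spybot_snapshot": "spybot - search & destroy\\snapshots",
}


def classify(det: Detection) -> str:
    """Location class of a detection; anything outside a known store is 'live'."""
    path = det.directory.lower() + "\\"
    for label, marker in INACTIVE_LOCATIONS.items():
        if marker in path:
            return label
    return "live"


def triage(text: str) -> dict:
    """Counts per location, live items to act on, and packer-heuristic verdicts."""
    dets = parse_report(text)
    live = [d for d in dets if classify(d) == "live"]
    # 'Trojan.Packed.*' is a generic packer heuristic, not a family signature, so
    # list those rows for manual checking (the SpywareBlaster hit was a false positive).
    return {
        "counts": dict(Counter(classify(d) for d in dets)),
        "live": [d.full_path for d in live if not d.nested],
        "packer_heuristic": [d.full_path for d in live
                             if d.threat.lower().startswith("trojan.packed")],
    }
```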


Thank you very much for all your help, I will follow your advice above and finish it up as soon as I can find some time tomorrow. I plugged back into the internet and so far everything seems to be normal, no more Google redirecting. One thing I just did was trying to update Windows with XP SP3 but ran into some problem. About 10 minutes into the installation I got an error message identified as "Service Pack 3 setup error", telling me that Service Pack 3 setup could not back up registry key HKCR\RDS.DataControl.2.81 to file C:\windows\$NTService Pack uninstall$\reg00801. 5:Access is denied. Gave me options to retry, or ignore. Retry didn't work so I clicked ignore, it went on for another 5 minutes and then a second error message saying "Access is denied" and forced me to quit the installation.

I had McAfee turned off and also Spybot TeaTimer turned off, not sure why it's having problems, any idea what may have caused this? Thanks.


See if this helps with the SP3 install error:

http://www.winhelponline.com/blog/reset-th...-in-windows-xp/

There is a way to download the standalone SP3 installer and then add the Windows Installer service to the safeboot keys so the install can be done in safe mode with no interference.

Ok, I will take a look at that, again, thank you so much for your help.
