thl777 Posted June 30, 2009 ID:94589

My Google searches keep getting redirected, McAfee is disabled, and the internet is running slow. Scanned with SpyBot and removed all selected items, scanned with MBAM and it came back with a few "skynet----" files, removed all, and upon reboot it seemed to have deleted them all; ran MBAM again, which showed no infection, checked again with McAfee and SpyBot, all showing nothing and no more redirection on Google. But a few hours later the redirection came back, and when I ran MBAM again it showed the same "Skynet virus" files. Ran through the same process several times and it keeps coming back! Finally tried ComboFix in safe mode with the internet disconnected and Windows Restore disabled, and it appears to have removed the Skynet files; ran MBAM, which showed nothing, and also ran HijackThis. I'm hesitant to reconnect my internet until I can confirm this virus is really removed and my system is clean. Would really appreciate it if someone can help me by taking a look at the HijackThis log below; I also attached the current cleaned MBAM log and the ComboFix log showing the names of the virus files. Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:56 AM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.turbotax.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...81/mcinsctl.cab
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_la...eX/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11265 bytes

Attachments: mbam.txt, ComboFix.txt
negster22 Posted June 30, 2009 ID:94601

Please do NOT attach logs unless requested to do so.

Do not run Combofix unless you are instructed to do so by a qualified malware removal advisor.

Malwarebytes' Anti-Malware 1.38
Database version: 2343
Windows 5.1.2600 Service Pack 2

6/30/2009 12:17:56 AM
mbam-log-2009-06-30 (00-17-56).txt

Scan type: Quick Scan
Objects scanned: 110593
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Folder::
c:\documents and settings\All Users\Application Data\13219534
c:\documents and settings\All Users\Application Data\93229526

:\documents and settings\All Users\Application Data\13219534
2009-06-22 14:36 . 2009-06-22 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\93229526

ComboFix 09-06-29.04 - Administrator 06/29/2009 23:49.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1270 [GMT -7:00]
Running from: E:\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\0c2
c:\temp\0c2\tmpFF.log
c:\temp\1cb
c:\temp\brr
c:\temp\fse
c:\windows\system32\drivers\fad.sys
c:\windows\system32\gjllm.ini
c:\windows\system32\mdm.exe
c:\windows\system32\quxyenky.ini
c:\windows\system32\SKYNETefqorivw.dat
c:\windows\system32\SKYNETlndsdtoy.dat
c:\windows\system32\tempchk
c:\windows\system32\ucojyonn.ini
c:\windows\system32\V1
c:\windows\system32\win
c:\windows\system32\X1
c:\windows\system32\X11
c:\windows\system32\X3
c:\windows\system32\X7
c:\windows\system32\Z1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
-------\Service_SKYNETxouvxwqo

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.
2009-06-30 01:54 . 2009-06-30 01:54 -------- d-----w- c:\documents and settings\guest 1\Local Settings\Application Data\SupportSoft
2009-06-28 00:04 . 2009-06-28 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\Malwarebytes
2009-06-26 04:24 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 04:24 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 14:36 . 2009-06-22 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\13219534
2009-06-22 14:36 . 2009-06-22 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\93229526
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 06:22 . 2008-03-07 02:21 -------- d-----w- c:\program files\Folder Lock
2009-06-27 03:36 . 2004-01-24 04:03 -------- d-----w- c:\program files\Lavasoft
2009-06-27 03:36 . 2005-02-02 02:51 -------- d-----w- c:\documents and settings\Ted\Application Data\Lavasoft
2009-06-24 07:51 . 2008-10-28 06:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-24 07:49 . 2007-08-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-24 07:02 . 2007-05-03 01:46 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-06-24 06:27 . 2008-12-13 10:08 -------- d-----w- c:\program files\McAfee
2009-06-24 05:59 . 2006-03-01 01:47 -------- d-----w- c:\documents and settings\Ted\Application Data\uTorrent
2009-06-21 17:56 . 2006-12-11 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\U3
2009-06-21 17:49 . 2009-05-28 04:40 -------- d-----w- c:\documents and settings\Ted\Application Data\WinFF
2009-05-28 04:40 . 2009-05-28 04:40 -------- d-----w- c:\program files\WinFF
2009-05-23 04:34 . 2008-12-13 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-07 15:44 . 2008-08-05 00:43 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-12-08 00:37 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2008-08-05 00:43 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-12-04 04:50 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-01-05 07:52 . 2006-01-05 07:52 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-09-29 385024]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-03 52896]
"Norton Save and Restore"="c:\program files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-12 1582744]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-01 180269]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ted^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Ted\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Ted\\Desktop\\DeskMisc\\utorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\hfxp2.sys [10/12/2004 2:24 PM 11392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1efb12b7-cd88-11dd-96d8-000bdbc1e9ec}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1efb12c4-cd88-11dd-96d8-000bdbc1e9ec}]
\Shell\AutoRun\command - E:\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5927c2a0-81db-11db-9661-000bdbc1e9ec}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84c7dfb4-19a7-11dd-96b2-000bdbc1e9ec}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{46617004-54D9-4720-97C9-4C3E23EA43AB} - c:\windows\system32\mlljg.dll
BHO-{6A501315-7ED9-424F-9714-0D92FDB8C90F} - c:\windows\system32\jkkli.dll
BHO-{97039C41-FBA1-45C8-B539-DB8730D5FB87} - c:\windows\system32\awvtr.dll
BHO-{9C2AC464-E172-4A8F-9028-C5A523E8B754} - c:\windows\system32\awvtr.dll
BHO-{A0892BA6-AF26-4DFC-8820-2C6CD669F62E} - c:\windows\system32\awvtr.dll
BHO-{F202E26F-87FB-409B-9AAC-5ABDB2CD10C2} - c:\windows\system32\geedd.dll
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: hotmail.com\www
Trusted Zone: live.com
Trusted Zone: live.com\login
Trusted Zone: live.com\mail
Trusted Zone: microsoft.com\www
Trusted Zone: msn.com\www
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - hxxp://public1.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cab
FF - ProfilePath - c:\documents and settings\Ted\Application Data\Mozilla\Firefox\Profiles\wpoc7pwc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/|http://forums.slickdeals.net/forumdisplay.php?f=9|http://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 23:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3148)
c:\progra~1\VERIZO~1\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Canon\BJCard\Bjmcmng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\program files\Norton Save and Restore\Agent\VProSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-30 0:05 - machine was rebooted [Ted]
ComboFix-quarantined-files.txt 2009-06-30 07:05

Pre-Run: 9,834,319,872 bytes free
Post-Run: 8,967,229,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

236 --- E O F --- 2009-06-30 00:30
negster22 Posted June 30, 2009 ID:94602

First, disable Spybot's TeaTimer, or the changes will be reversed. This is a two step process.

First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident

Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

We have some more folders to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.

KillAll::

Folder::
c:\documents and settings\All Users\Application Data\13219534
c:\documents and settings\All Users\Application Data\93229526
c:\documents and settings\Ted\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\pss\PowerReg Scheduler V3.exeStartup

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Very Important: Disable ALL security program active protection components at this time, including any and all antispyware and antivirus monitors/guards you have running!! This includes McAfee and Spybot TeaTimer.
Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. Then re-enable them after you get the new Combofix report.

Referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to run again.

Please post back the log that opens when it finishes.
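As an added example (not code from the thread, from ComboFix's authors, or from the helper): a small Python triage parser for the ComboFix log layout posted above. It splits the log on its section banners, flags what a reviewer looks at first (on-access scanning disabled in the header, the files and services ComboFix removed, Security Center monitoring and the firewall policy switched off under Reg Loading Points, orphaned BHOs), and renders the all-digit "All Users\Application Data" folders from the "Files Created" section into the Folder:: directive used in the CFScript above. The embedded log is a constructed cut-down sample in that layout, not the thread's actual log; the section names and registry values follow the ones shown in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the ComboFix log layout seen in the thread. It is NOT the
# thread's real log, only a short stand-in so the parser can run offline.
SAMPLE_LOG = r"""
ComboFix 09-06-29.04 - Administrator 06/29/2009 23:49.1 - NTFSx86 NETWORK
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\fad.sys
c:\windows\system32\SKYNETefqorivw.dat
c:\windows\system32\SKYNETlndsdtoy.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
-------\Service_SKYNETxouvxwqo
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 14:36 . 2009-06-22 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\13219534
2009-06-22 14:36 . 2009-06-22 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\93229526
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
BHO-{46617004-54D9-4720-97C9-4C3E23EA43AB} - c:\windows\system32\mlljg.dll
Notify-dimsntfy - (no file)
"""

# A section banner is a title wrapped in runs of three or more parentheses.
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
# "All Users\Application Data\<digits only>" at the end of a Files Created line.
NUMERIC_APPDATA_RE = re.compile(
    r"(c:\\documents and settings\\all users\\application data\\\d+)\s*$", re.IGNORECASE)

Finding = Tuple[str, str]


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's non-empty lines under the section banner they follow."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":           # ComboFix pads sections with lone dots
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line.startswith("- - - - ORPHANS REMOVED"):
            current = "Orphans Removed"
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Entries a reviewer checks first: protection state, what ComboFix removed,
    and registry loading points that switch defences off."""
    s = split_sections(text)
    findings: List[Finding] = []
    for line in s["Header"]:
        if line[:3] in ("AV:", "FW:") and "disabled" in line.lower():
            findings.append(("protection_disabled", line))
    for line in s.get("Other Deletions", []):
        findings.append(("deleted", line))
    for line in s.get("Drivers/Services", []):
        findings.append(("removed_service", line.rsplit("\\", 1)[-1]))
    key = ""                                   # registry key the value lines belong to
    for line in s.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif "DisableMonitoring" in line and line.endswith("00000001"):
            findings.append(("security_center_monitoring_off", key))
        elif line.startswith('"EnableFirewall"') and re.search(r"=\s*0\b", line):
            findings.append(("windows_firewall_policy_off", key))
    for line in s.get("Orphans Removed", []):
        if line.startswith("BHO-"):
            findings.append(("orphan_bho", line))
    return findings


def numeric_appdata_folders(text: str) -> List[str]:
    """All Users\\Application Data folders whose name is digits only, the pattern
    the helper picked out of the 'Files Created' section (section name varies by date)."""
    found: List[str] = []
    for name, lines in split_sections(text).items():
        if name.startswith("Files Created"):
            for line in lines:
                m = NUMERIC_APPDATA_RE.search(line)
                if m and m.group(1) not in found:
                    found.append(m.group(1))
    return found


def cfscript_for_folders(folders: List[str]) -> str:
    """Render a Folder:: directive in the CFScript layout used in the post above."""
    return "Folder::\n" + "\n".join(folders) + "\n"


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {detail}")
    print(cfscript_for_folders(numeric_appdata_folders(SAMPLE_LOG)))
```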
thl777 Posted June 30, 2009 Author ID:94627

Thank you for your help, just one question before I go ahead with your instructions above. Do I need to do this in safe mode?
negster22 Posted June 30, 2009 ID:94630

You shouldn't have to run in safe mode if all your active protection is really disabled.
If you have problems running in normal mode, then you can try running Combofix in safe mode.
thl777 Posted July 1, 2009 Author ID:94678

Ok, just ran ComboFix using your instructions and script above; here's the CF log when finished, please review. Thanks again.

Attachment: ComboFix_630.txt
negster22 Posted July 1, 2009 ID:94695

Please do NOT attach logs unless requested to do so.

Wanted C/P the log please.
thl777 Posted July 1, 2009 Author ID:94718

Sorry, here's the C/P of the ComboFix log:

ComboFix 09-06-29.04 - Ted 06/30/2009 18:19.2 - NTFSx86
Running from: c:\documents and settings\Ted\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Ted\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\13219534
c:\documents and settings\All Users\Application Data\13219534\13219534.glu
c:\documents and settings\All Users\Application Data\93229526
.
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.
2009-06-30 07:20 . 2009-06-30 07:20 -------- d-----w- c:\program files\Trend Micro
2009-06-30 01:54 . 2009-06-30 01:54 -------- d-----w- c:\documents and settings\guest 1\Local Settings\Application Data\SupportSoft
2009-06-28 00:04 . 2009-06-28 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\Malwarebytes
2009-06-26 04:24 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 04:24 . 2009-06-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 04:24 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 06:22 . 2008-03-07 02:21 -------- d-----w- c:\program files\Folder Lock
2009-06-27 03:36 . 2004-01-24 04:03 -------- d-----w- c:\program files\Lavasoft
2009-06-27 03:36 . 2005-02-02 02:51 -------- d-----w- c:\documents and settings\Ted\Application Data\Lavasoft
2009-06-24 07:51 . 2008-10-28 06:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-24 07:49 . 2007-08-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-24 07:02 . 2007-05-03 01:46 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-06-24 06:27 . 2008-12-13 10:08 -------- d-----w- c:\program files\McAfee
2009-06-24 05:59 . 2006-03-01 01:47 -------- d-----w- c:\documents and settings\Ted\Application Data\uTorrent
2009-06-21 17:56 . 2006-12-11 04:24 -------- d-----w- c:\documents and settings\Ted\Application Data\U3
2009-06-21 17:49 . 2009-05-28 04:40 -------- d-----w- c:\documents and settings\Ted\Application Data\WinFF
2009-05-28 04:40 . 2009-05-28 04:40 -------- d-----w- c:\program files\WinFF
2009-05-23 04:34 . 2008-12-13 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-07 15:44 . 2008-08-05 00:43 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-12-08 00:37 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2008-08-05 00:43 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-12-04 04:50 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-01-05 07:52 . 2006-01-05 07:52 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-30_06.59.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-01 01:28 . 2009-07-01 01:28 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat
+ 2009-07-01 01:28 . 2009-07-01 01:28 16384 c:\windows\temp\Perflib_Perfdata_674.dat
+ 2002-09-03 08:08 . 2009-06-30 19:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2009-06-29 19:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2002-09-03 08:08 . 2009-06-30 19:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2009-06-29 19:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 08:08 . 2009-06-30 19:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 08:08 . 2009-06-29 19:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-09-29 385024]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-03 52896]
"Norton Save and Restore"="c:\program files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-12 1582744]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-01 180269]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[bU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ted^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Ted\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Ted\\Desktop\\DeskMisc\\utorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\HFXP2.SYS [2004-10-12 11392]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2006-04-12 2111128]
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-13 18:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{46617004-54D9-4720-97C9-4C3E23EA43AB} - (no file)
BHO-{6A501315-7ED9-424F-9714-0D92FDB8C90F} - (no file)
BHO-{97039C41-FBA1-45C8-B539-DB8730D5FB87} - (no file)
BHO-{9C2AC464-E172-4A8F-9028-C5A523E8B754} - (no file)
BHO-{A0892BA6-AF26-4DFC-8820-2C6CD669F62E} - (no file)
BHO-{F202E26F-87FB-409B-9AAC-5ABDB2CD10C2} - (no file)
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE:
Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlIE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlTrusted Zone: hotmail.com\wwwTrusted Zone: live.comTrusted Zone: live.com\loginTrusted Zone: live.com\mailTrusted Zone: microsoft.com\wwwTrusted Zone: msn.com\wwwTrusted Zone: turbotax.comTrusted Zone: yahoo.com\wwwDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabDPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} - hxxp://public1.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cabFF - ProfilePath - c:\documents and settings\Ted\Application Data\Mozilla\Firefox\Profiles\wpoc7pwc.default\FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.fatwallet.com/forums/hot-deals/|http://forums.slickdeals.net/forumdisplay.php?f=9|http://www.yahoo.com/FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dllFF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-06-30 18:30Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfullyhidden files: **************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(2480)c:\progra~1\VERIZO~1\SMARTB~1\SBHook.dllc:\program files\McAfee\SiteAdvisor\saHook.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Common Files\Symantec Shared\ccEvtMgr.exec:\program files\Common Files\Symantec Shared\ccSetMgr.exec:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exec:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exec:\program files\Canon\BJCard\Bjmcmng.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Common Files\LightScribe\LSSrvc.exec:\program files\Dell Support Center\bin\sprtsvc.exec:\windows\SYSTEM32\wscntfy.exec:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXEc:\progra~1\McAfee\MSC\mcmscsvc.exec:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exec:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exec:\progra~1\McAfee\VIRUSS~1\Mcshield.exec:\program files\McAfee\MPF\MpfSrv.exe.**************************************************************************.Completion time: 2009-07-01 18:38 - machine was rebootedComboFix-quarantined-files.txt 2009-07-01 01:38ComboFix2.txt 2009-06-30 07:05Pre-Run: 8,967,499,776 bytes freePost-Run: 8,951,963,648 bytes free202 --- E O F --- 2009-06-30 00:30 Link to post Share on other sites More sharing options...
negster22 Posted July 1, 2009 ID:94954

Good job! No trace of SKYNET.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:
http://www.eset.com/onlinescan/index.php

ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
1. Check the "Yes, I accept the terms of use" box.
2. Click "Start".
3. Check the following two boxes:
   enable "Remove found threats"
   Scan unwanted applications
4. Click the Scan button to begin scanning.
5. When the scan is done the log is automatically saved. To retrieve it:
   Close the ESET scan Window.
   Now open a run line by clicking Start >> Run...
   Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
   The Scan results will now display in Notepad.
6. Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).
To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck the "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites by inserting it in the blank box and clicking the Add button, then click Close.
For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.
thl777 Posted July 1, 2009 Author ID:94958

So I have to use Internet Explorer to do the ESET scan, Firefox won't work? The reason is that my IE browser was hijacked several years ago and was totally damaged somehow, and I have been using Firefox ever since; I don't think it works anymore. Last time I tried to upgrade to IE7 I got a bunch of errors when I attempted to install it. Are there other options I can go from here (other online scanners)? If not, I will have to try and download IE7 again and go from there. Thanks again for all your help.
negster22 Posted July 1, 2009 ID:94960

Then you can't download windows updates if you cannot use IE, which will make you very vulnerable. You must try to fix that.

In the meantime, as an alternative to an online antivirus scan, you can run a scan with Dr. Web CureIt!. This scanner is downloaded as a randomly named executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient. It also detects a lot of malware that other scanners miss and can repair damaged files that are essential for your computer.

1. Please download DrWeb-CureIt by clicking the "CureIt! Download" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.
2. Next, please reboot your computer in Safe Mode by doing the following:
   Restart your computer.
   After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
   Instead of Windows loading as normal, an Advanced Options Menu should appear.
   Select the first option, to run Windows in Safe Mode.
3. Double-click on the randomly named EXE file you just downloaded to start the program. An "Express Scan of your PC" notice will appear.
4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".
5. Once the short scan has finished, Click Options --> Change settings
6. Choose the "Scan tab" and UNcheck "Heuristic analysis"
7. Back at the main window, click "Complete Scan"
8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.
9. When done, a message will be displayed at the bottom advising if any threats were found.
10. Click "Yes to all" if it asks if you want to cure/move the file.
11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured.)
12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.
13. Save the DrWeb.csv report to your desktop.
14. Exit Dr.Web Cureit when done.
15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.
16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report by right-clicking the file and selecting "Open With" -> Notepad.)

In your next reply, please include the following:
Dr.Web Log
thl777 Posted July 2, 2009 Author ID:95059

Thanks for the advice regarding fixing the IE problem; actually I have been able to do regular Windows updates without any issues. I will try to reinstall/update to IE8 after fixing this virus problem. Here's the log of Dr. Web after the scan in safe mode; it looks like there's a bunch of stuff hidden in system restore even though I already turned off the Windows system restore function. Please review, thanks.

RegUBP2b-Ted.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
couponprinter.exe\data012;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs\couponprinter.exe;Adware.Coupons;;
couponprinter.exe;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs;Container contains infected objects;Moved.;
spywareblastersetup351.exe\data001;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs\spywareblastersetup351.exe;Trojan.Packed.149;;
spywareblastersetup351.exe;C:\Documents and Settings\Ted\Desktop\Downloaded_ Programs;Archive contains infected objects;Moved.;
NOD32.FiX.v1.9.exe;C:\New Programs\NOD32 v2.51.8 + Crack;Trojan.Click.17167;Deleted.;
spywareblaster.exe;C:\Program Files\SpywareBlaster;Trojan.Packed.149;Deleted.;
A0000015.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1;Trojan.StartPage.1505;Deleted.;
A0000266.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.StartPage.1505;Deleted.;
A0000267.exe\data012;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000267.exe;Adware.Coupons;;
A0000267.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Container contains infected objects;Moved.;
A0000268.exe\data001;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000268.exe;Trojan.Packed.149;;
A0000268.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Archive contains infected objects;Moved.;
A0000269.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.Click.17167;Deleted.;
A0000270.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.Packed.149;Deleted.;
negster22 Posted July 2, 2009 ID:95243

Hi thl777,

I am glad you are able to get Windows Updates because that is very important from a security perspective.
We'll purge the system restore data and then you will no longer get those detections.
It looks as if DrWeb flagged a false positive - the SpywareBlaster installer.

We have a few steps to finish up now.

If I asked you to download and run an ARK (antirootkit program), then please uninstall it by doing the following:
Delete the contents of the folder C:\ARK
Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.
"%userprofile%\desktop\Combo-Fix.exe" /u
This will do the following:
Uninstall Combofix and all its associated files and folders.
It will flush your system restore points and create a new restore point.
It will rehide your system files and folders.
Reset your system clock.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. Note: If your firewall prompts you about access, allow it.
2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.
3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions. The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place" so you can maintain a safe and secure computing environment.

Happy Surfing!
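The Dr.Web report posted above is a list of semicolon-separated records (name;path;threat;action;), and negster22's reading of it turns on where each hit lives: copies inside System Volume Information restore points and in ComboFix's Qoobox quarantine are not active malware and disappear when restore points are purged, while everything else deserves a look. The Python script below is an added example, not code from this thread, from Dr.Web or from ComboFix. It assumes one record per line (the report's own layout) and that ComboFix's quarantine lives under C:\Qoobox\Quarantine; the sample records are constructed placeholders in the same layout, not the poster's log.

```python
"""Sort a Dr.Web CureIt report (DrWeb.csv) by where each detection lives.

Added example for this thread; not code from the forum, Dr.Web or ComboFix.
Assumes one detection per line in the report's layout:
    name;path;threat;action;
where action is "Deleted.", "Moved." or empty for an object found inside a
container (the container itself gets its own record carrying the action).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records in the DrWeb.csv layout. File names, the user
# profile and the restore-point GUID are placeholders, not the poster's data.
SAMPLE_REPORT = """\
RegUBP2b-User.reg;C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Snapshots2;Trojan.StartPage.1505;Deleted.;
setup.exe\\data001;C:\\Documents and Settings\\User\\Desktop\\Downloads\\setup.exe;Trojan.Packed.149;;
setup.exe;C:\\Documents and Settings\\User\\Desktop\\Downloads;Archive contains infected objects;Moved.;
A0000015.reg;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP1;Trojan.StartPage.1505;Deleted.;
A0000269.exe;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP2;Trojan.Click.17167;Deleted.;
sample.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32;Trojan.Packed.149;Deleted.;
"""

# Path fragments that mark the two "not active" buckets (assumed locations).
RESTORE_MARKER = "\\system volume information\\_restore"
QUARANTINE_MARKER = "\\qoobox\\quarantine"


@dataclass(frozen=True)
class Detection:
    name: str
    path: str
    threat: str
    action: str      # "Deleted.", "Moved." or "" for an object inside a container
    location: str    # "live", "restore-point" or "quarantine"


def classify(path: str) -> str:
    """Map a detection path to the bucket that decides how much it matters."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore-point"   # stale copy; gone once restore points are purged
    if QUARANTINE_MARKER in p:
        return "quarantine"      # already neutralised by ComboFix
    return "live"                # on a path the user or the system could still run


def parse_report(text: str) -> List[Detection]:
    """Parse report text, skipping blank lines and lines that are not records."""
    found: List[Detection] = []
    for raw in text.splitlines():
        parts = raw.strip().split(";")
        if len(parts) < 4:
            continue             # blank line, header or truncated line
        name, path, threat, action = (field.strip() for field in parts[:4])
        if not name or not path:
            continue
        found.append(Detection(name, path, threat, action, classify(path)))
    return found


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per location bucket."""
    return dict(Counter(d.location for d in detections))


def live_detections(detections: List[Detection]) -> List[Detection]:
    """Records worth a second look: anything outside restore points and quarantine."""
    return [d for d in detections if d.location == "live"]


if __name__ == "__main__":
    records = parse_report(SAMPLE_REPORT)
    print("per location:", summarize(records))
    for d in live_detections(records):
        status = d.action or "(inside container)"
        print(f"live: {d.threat:<35} {status:<20} {d.path}\\{d.name}")
```

Run against a real DrWeb.csv by reading the file and passing its text to parse_report(); the live list is what to compare against known-good software (the SpywareBlaster installer negster22 calls a false positive would show up there), and the restore-point count is what the ComboFix /u step clears.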
thl777 Posted July 3, 2009 Author ID:95345

Thank you very much for all your help, I will follow your advice above and finish it up as soon as I can find some time tomorrow. I plugged back into the internet and so far everything seems to be normal, no more Google redirecting. One thing I just did was try to update Windows with XP SP3 but I ran into some problems. About 10 minutes into the installation I got an error message identified as "Service Pack 3 setup error", telling me that Service Pack 3 setup could not back up registry key HKCR\RDS.DataControl.2.81 to file C:\windows\$NTService Pack uninstall$\reg00801. 5: Access is denied. It gave me options to retry or ignore. Retry didn't work so I clicked ignore; it went on for another 5 minutes and then a second error message said "Access is denied" and forced me to quit the installation. I had McAfee turned off and also Spybot TeaTimer turned off, not sure why it's having problems; any idea what may have caused this? Thanks.
negster22 Posted July 3, 2009 ID:95409

See if this helps with the SP3 install error:
http://www.winhelponline.com/blog/reset-th...-in-windows-xp/
There is a way to download the standalone SP3 installer and then add the Windows Installer service to the safeboot keys so the install can be done in safe mode with no interference.
thl777 Posted July 4, 2009 Author ID:95643

Ok, I will take a look at that. Again, thank you so much for your help.