Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Emproxy.exe? [CLOSED]


  • This topic is locked This topic is locked

#1
ShadowTracer

ShadowTracer

    New Member

  • Member
  • Pip
  • 8 posts
I have tried all of the first steps and have no luck, most of them won't even run. I have no idea if it is a virus, but Task Manager indicates emproxy.exe is using all of my memory, connection problems, applications won't run...it's taken me 1/2 hr to just post this! This is the McAfee error message that I continuosly receive :One or more e-mail messages cannot be sent.


Details

View the log


After you view the log, McAfee recommends that you resend those messages from your e-mail program.

Hijackthis log: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:35 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [546d0df0] rundll32.exe "C:\WINDOWS\system32\omiixeip.dll",b
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [BM575e3e6c] Rundll32.exe "C:\WINDOWS\system32\pyuxqekm.dll",s
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [herjek] C:\WINDOWS\herjek.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.myfreepaysite.com
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yah...m/YbConvFav.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3643BA45-32F5-47F6-9079-5A24E76D8575}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{C451A5EE-763D-4D51-9729-2B21BE7C2A12}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1DAF639-9CB3-40B9-B6A7-E103D5200025}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

--
End of file - 6086 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

  • 0

#3
ShadowTracer

ShadowTracer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
miekiemoes,

Thank you for your quick help. I have posted the two logs as requested.


SDFix: Version 1.182
Run by Owner on Wed 05/14/2008 at 06:05 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\jfiehayd.dll - Deleted
C:\WINDOWS\system32\kdouc.exe - Deleted
C:\971.TMP - Deleted
C:\972.TMP - Deleted
C:\973.TMP - Deleted
C:\974.TMP - Deleted
C:\141643~1 - Deleted
C:\Documents and Settings\Owner\cftmon.exe - Deleted
C:\WINDOWS\system32\found.exe.exe - Deleted
C:\d.exe - Deleted
C:\WINDOWS\iexplore.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\system32\pjsapdg.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 06:20:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe"="C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe:*:Disabled:SpamSubtract Main Module"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Program Files\\Paltalk Messenger\\paltalk7.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk7.exe:*:Enabled:Paltalk Messenger 7.0"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk Messenger 8.1"
"C:\\WINDOWS\\system32\\msv32ie.exe"="C:\\WINDOWS\\system32\\msv32ie.exe:*:Enabled:msv32ie"
"C:\\Program Files\\Comcast Video Mail\\Comcast_Video_Mail.exe"="C:\\Program Files\\Comcast Video Mail\\Comcast_Video_Mail.exe:*:Enabled:Comcast_Video_Mail.exe"
"C:\\Program Files\\Skyline Network\\SkylinemIRCv2.01\\mirc.exe"="C:\\Program Files\\Skyline Network\\SkylinemIRCv2.01\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\WINDOWS\\herjek.exe"="C:\\WINDOWS\\herjek.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 15 Nov 2004 196 A.SHR --- "C:\BOOT.BAK"
Sat 1 Sep 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 31 Dec 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 26 Mar 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 20 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Thu 6 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT11.tmp"
Sat 26 Mar 2005 4,348 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Tue 29 Nov 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 12 Jun 2005 488 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:10 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\herjek.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [546d0df0] rundll32.exe "C:\WINDOWS\system32\fjfruotq.dll",b
O4 - HKLM\..\Run: [BM575e3e6c] Rundll32.exe "C:\WINDOWS\system32\cglqnujx.dll",s
O4 - HKCU\..\Run: [herjek] C:\WINDOWS\herjek.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.myfreepaysite.com
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yah...m/YbConvFav.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3643BA45-32F5-47F6-9079-5A24E76D8575}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{C451A5EE-763D-4D51-9729-2B21BE7C2A12}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1DAF639-9CB3-40B9-B6A7-E103D5200025}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 5055 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Please follow the next steps in the right order...

* Please download FixwareOut from the following site:
http://download.blee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, a log will open. I need that log afterwards.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
ShadowTracer

ShadowTracer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Here is the report from Fixwareout. I also left clicked on the fdnsbk file to improve my inernt connection speed. I will post another reply once I have finished th next step.

Username "Owner" - 05/15/2008 13:21:32 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.51 85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3643BA45-32F5-47F6-9079-5A24E76D8575}
"nameserver"="85.255.116.51,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C451A5EE-763D-4D51-9729-2B21BE7C2A12}
"nameserver"="85.255.116.51,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F1DAF639-9CB3-40B9-B6A7-E103D5200025}
"nameserver"="85.255.116.51,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{15B491F3-BBD4-4761-AFEF-EE6377DB735E}
"DhcpNameServer"="85.255.116.51,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3643BA45-32F5-47F6-9079-5A24E76D8575}
"DhcpNameServer"="85.255.116.51,85.255.112.104" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C451A5EE-763D-4D51-9729-2B21BE7C2A12}
"DhcpNameServer"="85.255.116.51,85.255.112.104" <Value cleared.

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"546d0df0"="rundll32.exe \"C:\\WINDOWS\\system32\\jswyuvyl.dll\",b"
"BM575e3e6c"="Rundll32.exe \"C:\\WINDOWS\\system32\\cglqnujx.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"herjek"="C:\\WINDOWS\\herjek.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Ok, I read the next log afterwards :)

It could be possible that you have to temporary uninstall McAfee - since I've seen it interfering with Combofix after reboot in a lot of threads. Disabling McAfee won't help, since it activates itself anyway after reboot.
But we'll see first how it acts without the temporary uninstall first :)
  • 0

#7
ShadowTracer

ShadowTracer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

It seems to have fixed my problems and I want to thank you so much!!

ComboFix 08-05-12.1 - Owner 2008-05-15 15:13:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\YMBOLS~1
C:\Program Files\crosof~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\herjek.config
C:\WINDOWS\herjek.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXNHWNg.dll
C:\WINDOWS\system32\cglqnujx.dll
C:\WINDOWS\system32\dtsljwem.dll
C:\WINDOWS\system32\eqjidsma.dll
C:\WINDOWS\system32\gcljctyv.dll
C:\WINDOWS\system32\gNWHNXbc.ini
C:\WINDOWS\system32\gNWHNXbc.ini2
C:\WINDOWS\system32\grdipito.ini
C:\WINDOWS\system32\iodammxl.dll
C:\WINDOWS\system32\jswyuvyl.dll
C:\WINDOWS\system32\liogmqoe.dll
C:\WINDOWS\system32\ljJAPJCs.dll
C:\WINDOWS\system32\luvodinu.dll
C:\WINDOWS\system32\lyvuywsj.ini
C:\WINDOWS\system32\mouxndwm.dll
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\system32\nweonice.dll
C:\WINDOWS\system32\nywmthop.dll
C:\WINDOWS\system32\okdemobs.ini
C:\WINDOWS\system32\omiixeip.dll
C:\WINDOWS\system32\otipidrg.dll
C:\WINDOWS\system32\piexiimo.ini
C:\WINDOWS\system32\pyuxqekm.dll
C:\WINDOWS\system32\qtourfjf.ini
C:\WINDOWS\system32\srgpuafq.dll
C:\WINDOWS\system32\vyvxdngq.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PJSAPDG
-------\Service_pjsapdg


((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 13:19 . 2008-05-15 13:27 <DIR> d-------- C:\fixwareout
2008-05-15 11:30 . 2008-05-15 11:30 2,112 --a------ C:\WINDOWS\system32\gujbyfeo.exe
2008-05-14 09:53 . 2008-05-14 09:53 2,992 --a------ C:\WINDOWS\system32\hdrihqxm.dll
2008-05-14 09:47 . 2008-05-14 09:47 2,112 --a------ C:\WINDOWS\system32\xkicjxnd.exe
2008-05-14 05:57 . 2008-05-14 05:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 05:44 . 2008-05-14 06:27 <DIR> d-------- C:\SDFix
2008-05-13 07:54 . 2008-05-13 07:54 2,112 --a------ C:\WINDOWS\system32\wqdkigbj.exe
2008-05-12 07:40 . 2008-05-12 07:40 2,112 --a------ C:\WINDOWS\system32\yhdjqwqy.exe
2008-05-11 03:24 . 2008-05-15 12:42 109,812 --a------ C:\WINDOWS\BM575e3e6c.xml
2008-05-11 03:24 . 2008-05-11 03:24 2,112 --a------ C:\WINDOWS\system32\ighoqrae.exe
2008-05-10 15:17 . 2008-05-10 15:17 54,784 --a------ C:\WINDOWS\system32\gh.l
2008-05-10 15:17 . 2008-05-10 15:17 32,768 --a------ C:\WINDOWS\system32\yl.po
2008-05-10 15:17 . 2008-05-10 15:17 28,672 --a------ C:\WINDOWS\system32\mn.n
2008-05-10 15:17 . 2008-05-10 15:17 28,672 --a------ C:\WINDOWS\system32\ccs.so
2008-05-10 15:17 . 2008-05-10 15:17 28,672 --a------ C:\WINDOWS\system32\bmf.cs
2008-05-10 15:16 . 2008-05-10 15:16 72,192 --a------ C:\WINDOWS\system32\ntpl.bin
2008-05-10 15:16 . 2008-05-10 15:16 72,192 --a------ C:\tdvkc.exe
2008-05-10 15:16 . 2008-05-10 15:16 69,632 --a------ C:\eultc.exe
2008-05-01 10:18 . 2008-05-01 10:18 <DIR> d--h----- C:\BJPrinter
2008-04-29 21:27 . 2008-04-29 21:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-04-29 21:24 . 2008-04-29 21:24 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-29 21:24 . 2007-09-04 08:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-04-27 16:20 . 2008-04-27 16:20 <DIR> d-------- C:\Program Files\uTorrent
2008-04-27 16:19 . 2008-05-10 15:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-25 09:48 . 2008-04-25 09:48 <DIR> d-------- C:\Program Files\FriendFinder
2008-04-23 18:09 . 2008-04-23 18:09 <DIR> d-------- C:\Program Files\eMusic Download Manager
2008-04-23 13:24 . 2008-04-23 13:24 <DIR> d-------- C:\Program Files\iPod
2008-04-23 13:24 . 2008-05-10 05:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-23 13:24 . 2008-04-23 13:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-23 13:23 . 2008-04-23 13:24 <DIR> d-------- C:\Program Files\iTunes
2008-04-23 13:22 . 2008-04-23 13:22 <DIR> d-------- C:\Program Files\QuickTime
2008-04-23 13:18 . 2008-04-23 13:18 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 13:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-08 04:07 --------- d-----w C:\Program Files\Blubster
2008-05-01 12:44 --------- d-----w C:\Program Files\Yahoo!
2008-04-23 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-21 23:26 --------- d-----w C:\Program Files\McAfee
2008-04-07 05:30 --------- d-----w C:\Program Files\isoHunt
2008-04-07 05:30 --------- d-----w C:\Program Files\Conduit
2008-03-31 04:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-18 23:29 --------- d-----w C:\Program Files\Java
2008-02-27 19:57 812,344 ----a-w C:\Program Files\seek.exe.exe
2005-09-03 01:13 6,860,424 ------w C:\Program Files\MicrosoftAntiSpywareInstall.exe
2005-09-02 01:51 1,416,944 ------w C:\Program Files\WM9Codecs.exe
2005-08-07 21:40 2,245,630 ------w C:\Program Files\GOF_boyfriend.wav
2005-08-07 01:00 10,958,640 ------w C:\Program Files\GoogleEarth.exe
2005-01-01 04:34 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Comcast Video Mail\\Comcast_Video_Mail.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Blubster\\Blubster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 21:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-15 09:46:46 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 09:00:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-05-09 23:13:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 15:24:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-15 15:28:51 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-15 23:28:08

Pre-Run: 179,130,171,392 bytes free
Post-Run: 179,105,058,816 bytes free

178 --- E O F --- 2008-05-02 06:03:46

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:08 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.myfreepaysite.com
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yah...m/YbConvFav.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3643BA45-32F5-47F6-9079-5A24E76D8575}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{C451A5EE-763D-4D51-9729-2B21BE7C2A12}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1DAF639-9CB3-40B9-B6A7-E103D5200025}: NameServer = 85.255.116.51,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.104
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 5341 bytes
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

It seems to have fixed my problems and I want to thank you so much!!

We are not finished yet...

And I guess you have misread the information about this:

I also left clicked on the fdnsbk file to improve my inernt connection speed

You were not supposed to do that! That is not supposed to improve your internet Connection speed. This file was ONLY there in case you had no Internet access afterwards, so it just replaced the malicious DNS entries again.

So, you have to run Fixwareout once again and DON'T click on the fdnsbk.reg file afterwards!!

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\gujbyfeo.exe
C:\WINDOWS\system32\hdrihqxm.dll
C:\WINDOWS\system32\xkicjxnd.exe
C:\WINDOWS\system32\wqdkigbj.exe
C:\WINDOWS\system32\yhdjqwqy.exe
C:\WINDOWS\BM575e3e6c.xml
C:\WINDOWS\system32\ighoqrae.exe
C:\WINDOWS\system32\gh.l
C:\WINDOWS\system32\yl.po
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ntpl.bin
C:\tdvkc.exe
C:\eultc.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Also, Go to next site:
http://www.virustota.../en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\Program Files\seek.exe.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.
  • 0

#9
ShadowTracer

ShadowTracer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

My apologies for not having followed instructions correctly (My face is red with embarrassment.)

ComboFix 08-05-12.1 - Owner 2008-05-15 16:25:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.180 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\eultc.exe
C:\tdvkc.exe
C:\WINDOWS\BM575e3e6c.xml
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\gh.l
C:\WINDOWS\system32\gujbyfeo.exe
C:\WINDOWS\system32\hdrihqxm.dll
C:\WINDOWS\system32\ighoqrae.exe
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\wqdkigbj.exe
C:\WINDOWS\system32\xkicjxnd.exe
C:\WINDOWS\system32\yhdjqwqy.exe
C:\WINDOWS\system32\yl.po
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\eultc.exe
C:\tdvkc.exe
C:\WINDOWS\BM575e3e6c.xml
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\gh.l
C:\WINDOWS\system32\gujbyfeo.exe
C:\WINDOWS\system32\hdrihqxm.dll
C:\WINDOWS\system32\ighoqrae.exe
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\wqdkigbj.exe
C:\WINDOWS\system32\xkicjxnd.exe
C:\WINDOWS\system32\yhdjqwqy.exe
C:\WINDOWS\system32\yl.po

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-15 13:19 . 2008-05-15 16:17 <DIR> d-------- C:\fixwareout
2008-05-14 05:57 . 2008-05-14 05:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 05:44 . 2008-05-14 06:27 <DIR> d-------- C:\SDFix
2008-05-01 10:18 . 2008-05-01 10:18 <DIR> d--h----- C:\BJPrinter
2008-04-29 21:27 . 2008-04-29 21:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-04-29 21:24 . 2008-04-29 21:24 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-29 21:24 . 2007-09-04 08:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-04-27 16:20 . 2008-04-27 16:20 <DIR> d-------- C:\Program Files\uTorrent
2008-04-27 16:19 . 2008-05-10 15:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-25 09:48 . 2008-04-25 09:48 <DIR> d-------- C:\Program Files\FriendFinder
2008-04-23 18:09 . 2008-04-23 18:09 <DIR> d-------- C:\Program Files\eMusic Download Manager
2008-04-23 13:24 . 2008-04-23 13:24 <DIR> d-------- C:\Program Files\iPod
2008-04-23 13:24 . 2008-05-10 05:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-23 13:24 . 2008-04-23 13:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-23 13:23 . 2008-04-23 13:24 <DIR> d-------- C:\Program Files\iTunes
2008-04-23 13:22 . 2008-04-23 13:22 <DIR> d-------- C:\Program Files\QuickTime
2008-04-23 13:18 . 2008-04-23 13:18 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 23:17 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2008-05-10 13:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-08 04:07 --------- d-----w C:\Program Files\Blubster
2008-05-01 12:44 --------- d-----w C:\Program Files\Yahoo!
2008-04-23 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-21 23:26 --------- d-----w C:\Program Files\McAfee
2008-04-07 05:30 --------- d-----w C:\Program Files\isoHunt
2008-04-07 05:30 --------- d-----w C:\Program Files\Conduit
2008-03-31 04:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 23:29 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 19:57 812,344 ----a-w C:\Program Files\seek.exe.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2005-09-03 01:13 6,860,424 ------w C:\Program Files\MicrosoftAntiSpywareInstall.exe
2005-09-02 01:51 1,416,944 ------w C:\Program Files\WM9Codecs.exe
2005-08-07 21:40 2,245,630 ------w C:\Program Files\GOF_boyfriend.wav
2005-08-07 01:00 10,958,640 ------w C:\Program Files\GoogleEarth.exe
2005-01-01 04:34 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( [email protected]_15.27.54.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 23:22:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 00:16:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Comcast Video Mail\\Comcast_Video_Mail.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Blubster\\Blubster.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 21:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-15 09:46:46 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 09:00:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-05-09 23:13:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 16:28:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-15 16:29:37
ComboFix-quarantined-files.txt 2008-05-16 00:29:22
ComboFix2.txt 2008-05-15 23:28:52

Pre-Run: 179,089,043,456 bytes free
Post-Run: 179,077,029,888 bytes free

151 --- E O F --- 2008-05-02 06:03:46

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:41 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.myfreepaysite.com
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://bookmarks.yah...m/YbConvFav.CAB
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 4676 bytes

File size: 812344 bytes
MD5...: ab1c4deab684b0d883cfaa82c7bc6d19
SHA1..: 2cff1effdd174e7e2dcc24f93a17f782d40380e3
SHA256: 132280692b44037d2205281a490525ac1ecba5499087dec2506d5eca07851b35
SHA512: 9f96a10e199c618da16ddd2215649a13a5256505e54b6cd90de8d8c583341d78
c432aca4a264e9c10f326fa32153ee9ab394a21c5c5d268d9b3350c0518d8bc5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41fac9
timedatestamp.....: 0x46683992 (Thu Jun 07 17:00:02 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x33b9c 0x34000 6.65 934f033e2f25f169d5149fe6dd4be1dc
.rdata 0x35000 0xc702 0xd000 4.89 a685f91ae70d9934e9dcea4f91e45e2f
.data 0x42000 0x64bc 0x3000 3.81 b26ce04da6ae22e8abe8f3a281d18dc2
.rsrc 0x49000 0x7f6b8 0x80000 6.88 431c5e8ecf9e0bb29fd2780b22a5b01b

( 12 imports )
> KERNEL32.dll: GetFileAttributesA, GetFileTime, GetTickCount, RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetCommandLineA, GetProcessHeap, GetStartupInfoA, ExitProcess, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, GetACP, GetConsoleCP, GetConsoleMode, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, FileTimeToLocalFileTime, SetErrorMode, FileTimeToSystemTime, GetOEMCP, GetCPInfo, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, WritePrivateProfileStringA, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, GetModuleFileNameW, FormatMessageA, LocalFree, MulDiv, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, SetLastError, GlobalAddAtomA, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, GlobalLock, lstrcmpA, GlobalAlloc, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, GetProcAddress, lstrlenA, CompareStringW, CompareStringA, GetVersion, GetLastError, InterlockedExchange, lstrcatA, MultiByteToWideChar, LoadLibraryA, CreateDirectoryA, WideCharToMultiByte, FindResourceA, LoadResource, LockResource, VirtualFree, SizeofResource
> USER32.dll: RegisterClipboardFormatA, PostThreadMessageA, CharNextA, GetSysColorBrush, ReleaseCapture, LoadCursorA, SetCapture, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, EqualRect, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, UnhookWindowsHookEx, GetMenuItemID, DrawIcon, SendMessageA, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetMenuItemCount, GetSubMenu, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, DestroyMenu, UnregisterClassA, MessageBeep, GetNextDlgGroupItem, GetNextDlgTabItem, EndDialog, InvalidateRgn, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, GetSystemMetrics, CharUpperA, PostQuitMessage, PostMessageA, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, SetCursor, MessageBoxA, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetWindowThreadProcessId, IsChild
> GDI32.dll: ExtSelectClipRgn, DeleteDC, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, CreateBitmap, PtVisible, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDeviceCaps, RectVisible
> comdlg32.dll: GetFileTitleA
> WINSPOOL.DRV: DocumentPropertiesA, OpenPrinterA, ClosePrinter
> ADVAPI32.dll: RegQueryValueA, RegSetValueExA, RegCreateKeyExA, RegCloseKey, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA
> SHELL32.dll: SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, ShellExecuteA, SHGetPathFromIDListA
> COMCTL32.dll: -
> SHLWAPI.dll: PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
> oledlg.dll: -
> ole32.dll: OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoTaskMemAlloc, CoRevokeClassObject, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, CoInitialize, CoCreateInstance, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )

packers (F-Prot): UPX
  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O15 - Trusted Zone: http://www.myfreepaysite.com <== check this if you didn't set it...
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

The log from Virustotal is incomplete. Can you rescan the file please and post the log again? Because I'm missing the top part where the scanners scan the file.
After they have scanned the file, click the "Compact" button on the top left, so it's easier for you to copy and paste. :)
  • 0

#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP