
Firefox running - but I haven't installed it and I can't kill


  • This topic is locked

#31
cupidringmybelle
  • Topic Starter
  • Member
  • 36 posts
Okay, I'm going to send the ComboFix log, but a box didn't appear and it didn't start iexplorer for me to send the file for analysis. What should I do?

Here's the combofix log:

ComboFix 08-09-05.09 - Owner 2008-09-08 11:39:25.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.237 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\ptunzybl
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\profiles.ini
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\cert8.db
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\compatibility.ini
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\compreg.dat
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\cookies.sqlite
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\key3.db
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\permissions.sqlite
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\places.sqlite
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\pluginreg.dat
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\prefs.js
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\secmod.db
C:\Documents and Settings\NetworkService\Application Data\ptunzybl\Profiles\t7gbmhbx.default\xpti.dat
C:\Documents and Settings\Owner\Application Data\ptunzybl
C:\Documents and Settings\Owner\Application Data\ptunzybl\profiles.ini
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\cert8.db
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\compatibility.ini
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\compreg.dat
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\cookies.sqlite
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\key3.db
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\parent.lock
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\permissions.sqlite
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\places.sqlite
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\pluginreg.dat
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\prefs.js
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\secmod.db
C:\Documents and Settings\Owner\Application Data\ptunzybl\Profiles\7fw58l3g.default\xpti.dat
C:\WINDOWS\system32\drivers\hfpvrdvl.sys
C:\WINDOWS\system32\tmwpkzn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HFPVRDVL
-------\Service_hfpvrdvl


((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 11:35 . 2008-09-07 11:35 <DIR> d-------- C:\_OTMoveIt
2008-09-06 18:55 . 2008-09-06 18:56 <DIR> d-------- C:\rsit
2008-09-05 23:25 . 2008-09-05 23:26 <DIR> d-------- C:\Program Files\ERUNT
2008-09-05 13:33 . 2008-09-06 09:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ITTNord
2008-09-04 22:32 . 2008-09-04 22:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-09-04 22:32 . 2008-09-04 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-09-04 18:33 . 2008-09-04 18:33 2,855 --a------ C:\WINDOWS\system32\mem.PIF
2008-09-01 19:43 . 2008-09-01 19:43 2 --a------ C:\WINDOWS\msoffice.ini
2008-09-01 19:10 . 2008-09-01 19:17 2,808 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-01 18:12 . 2008-09-04 21:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 18:12 . 2008-09-01 18:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-01 18:12 . 2008-09-01 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 18:12 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-01 18:12 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-01 17:27 . 2008-04-08 20:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-01 15:45 . 2008-09-01 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-01 15:44 . 2008-09-01 19:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-31 19:15 . 2008-08-31 19:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-31 18:32 . 2008-08-31 18:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-08-23 16:52 . 2008-08-23 16:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
2008-08-23 09:33 . 2008-09-08 11:49 20,565 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-23 09:32 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-08-23 09:29 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-23 09:29 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-23 09:29 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-23 09:29 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-23 09:29 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-23 09:29 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-23 09:27 . 2008-08-23 09:28 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-23 09:27 . 2008-09-05 07:29 <DIR> d-------- C:\Program Files\McAfee
2008-08-23 09:27 . 2008-08-23 09:29 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-23 09:19 . 2008-08-31 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-23 07:51 . 2008-08-23 07:51 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-08-21 09:32 . 2008-08-22 16:31 3,350 --a------ C:\WINDOWS\COSTAR.TMP
2008-08-20 21:15 . 2008-08-23 09:07 174 --a------ C:\Documents and Settings\All Users\Application Data\ustore.dat
2008-08-20 20:45 . 2008-08-20 20:45 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-20 20:45 . 2008-08-20 20:45 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-20 20:45 . 2008-08-20 20:45 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-20 19:27 . 2008-08-20 19:27 <DIR> d-------- C:\98ef2acd623800fc40
2008-08-19 00:05 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-08-19 00:05 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-19 00:05 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-08-19 00:05 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-19 00:05 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-08-19 00:05 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-08-19 00:03 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-08-15 18:19 . 2008-08-15 18:26 843,503,843 --a------ C:\lotrosetup-1a.bin
2008-08-14 17:00 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 17:00 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 22:02 . 2008-09-01 21:40 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 12:38 121,344 ----a-w C:\WINDOWS\system32\gxqwoui.dll
2008-09-08 04:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-07 22:43 --------- d-----w C:\Program Files\Trojan Remover
2008-09-07 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-06 14:45 --------- d-----w C:\Program Files\Yahoo! Games
2008-09-06 14:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-09-06 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-09-05 00:49 --------- d-----w C:\Program Files\Trend Micro
2008-09-02 00:46 --------- d-----w C:\Program Files\Pure Networks
2008-09-02 00:46 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-02 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-01 21:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-08-24 04:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\funkitron
2008-08-23 14:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-23 14:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 22:18 64,736 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-08-13 03:32 --------- d-----w C:\Program Files\Microsoft Picture It! 9
2008-08-06 00:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 00:19 --------- d-----w C:\Program Files\StorageSync
2008-08-02 03:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-07-20 14:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-07-20 14:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-07-20 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\PBGsavesDirectory
2008-07-20 14:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreshGames
2008-07-17 01:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\MysteryStudio
2008-07-08 22:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Kermit 95
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-04 19:55 56,912 ----a-w C:\Documents and Settings\Owner\g2mdlhlpx.exe
2005-04-04 17:41 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2001-03-26 15:13 32,768 ----a-w C:\Program Files\internet explorer\plugins\csutil.dll
.

((((((((((((((((((((((((((((( snapshot_2008-09-08_ 7.45.21.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-08 11:49:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-08 16:35:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-08 11:49:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-08 16:35:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-08 11:49:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-08 16:35:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-09-08 11:34 1394177 C:\Program Files\Yahoo! Games\Sally's Spa\SallysSpa.exe
2008-09-07 20:58 1394177 {AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP5\A0000101.exe

C:\WINDOWS\system32\tmwpkzn.dll
2003-03-31 07:00 121344 {AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP6\A0000157.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-08-21 914512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-03 2904064]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-21 155648]
"PDFPrint Tray Helper"="C:\PDFPrint\PDFPrint.exe" [2007-03-23 690176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"nwiz"="nwiz.exe" [2004-03-03 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2003-09-02 C:\WINDOWS\system32\sstray.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 C:\WINDOWS\zHotkey.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo! Games\\Slingo Deluxe\\Slingo.exe"=
"C:\\Program Files\\Yahoo! Games\\JEOPARDY!\\JEOPARDY!.exe"=
"C:\\WINDOWS\\system32"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\PDFPrint\\PDFPrintService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"58937:TCP"= 58937:TCP:@xpsp2res.dll,-22009

R2 CSLServer;Co*STAR License Server;c:\Costar32\CSLServer.exe [2001-05-14 53248]
R2 PDFPrint;PDFPrint Listener Service;C:\PDFPRINT\PDFPRINTSERVICE.EXE [2007-04-17 723968]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 23552]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 666624]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 11:46:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-09-08 11:53:25 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-08 16:53:11
ComboFix2.txt 2008-09-08 12:46:05


Pre-Run: 143,443,783,680 bytes free
Post-Run: 143,457,968,128 bytes free

257 --- E O F --- 2008-08-21 12:07:34

Edited by cupidringmybelle, 08 September 2008 - 11:00 AM.

  • 0
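A triage script for the ComboFix log format shown above, added here as example code (it is not ComboFix's own tooling nor anything from this forum): it parses the "((( section )))" banners, lists what ComboFix removed, flags system32 files whose names have the random-looking shape seen in this log, and surfaces the firewall and Security Center settings a helper would want to review. The sample log is a constructed excerpt of the log above, and the consonant-run rule is my own heuristic, not a signature.

```python
"""Triage a ComboFix log: pull out the sections a helper reads first and flag
the entries that deserve a second look."""
import re

# Constructed excerpt modelled on the ComboFix log posted above; the paths and
# registry values are the ones that appear in that log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hfpvrdvl.sys
C:\WINDOWS\system32\tmwpkzn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HFPVRDVL
-------\Service_hfpvrdvl

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 12:38 121,344 ----a-w C:\WINDOWS\system32\gxqwoui.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # '((( Section name )))'
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")          # drive-letter path ending a line
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.IGNORECASE)


def parse_sections(text):
    """Map each '((( banner )))' section name to its non-empty content lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def file_stem(path):
    """'C:\\WINDOWS\\system32\\gxqwoui.dll' -> 'gxqwoui'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(path):
    """Heuristic (my assumption, not a signature): a stem with four or more
    consonants in a row matches the generated names in this log (hfpvrdvl,
    tmwpkzn, gxqwoui) and is rare in Windows binaries (wuauclt, wininet)."""
    return bool(CONSONANT_RUN.search(file_stem(path)))


def triage(text):
    """Return (category, detail) findings in the order they appear in the log."""
    sections = parse_sections(text)
    findings = []
    for path in sections.get("Other Deletions", []):
        findings.append(("removed", path))
    for entry in sections.get("Drivers/Services", []):
        findings.append(("service-removed", entry.lstrip("-\\")))
    # 'Files Created' and 'Find3M' lines both end in the path; only system32 is checked.
    for name in [s for s in sections if s.startswith(("Files Created", "Find3M"))]:
        for line in sections[name]:
            m = PATH_RE.search(line)
            if m and "\\system32\\" in m.group(0).lower() and looks_random(m.group(0)):
                findings.append(("suspicious-name", m.group(0)))
    key = None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("["):
            key = line.strip("[]")
        elif line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            findings.append(("windows-firewall-off", key))
        elif line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append(("security-center-monitoring-off", key))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

The two registry findings are review items rather than verdicts: with McAfee's firewall driver (Mpfp.sys) loaded, Windows Firewall being off and Security Center monitoring being handed to McAfee are what a third-party suite normally configures.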


#32
Egwene
  • Member 2k
  • Visiting Consultant
  • 2,141 posts
Hey cupidringmybelle,

Upload the following files in bold here please: http://www.bleepingc...e.php?channel=4

C:\Qoobox\Quarantine\C:\WINDOWS\System32\tmwpkzn.dll.vir
C:\Qoobox\Quarantine\C:\WINDOWS\System32\drivers\hfpvrdvl.sys.vir

Then, let's go on :)

1) Run a CFScript:

Open notepad and copy/paste the text in the quotebox below into it:


Collect::
C:\WINDOWS\system32\gxqwoui.dll

FileLook::
C:\PDFPRINT\PDFPRINTSERVICE.EXE

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

2) Run Gmer :

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Regards,
Egwene.
  • 0

#33
cupidringmybelle
  • Topic Starter
  • Member
  • 36 posts
I went ahead and uploaded those two items to Bleeping Computer as you asked. But before running another CFScript on what you've included I need to let you know something about pdfprintservice.exe. The pdfprintservice.exe is a program that my company has written to allow users to execute and kick off Adobe Reader on their PC from within our Linux box, and to view reports in PDF rather than going to a printer. It's not a virus or malware.

I'll await your changes to the CFScript instructions before proceeding.

Thanks,
Becky

Edited by cupidringmybelle, 08 September 2008 - 01:50 PM.

  • 0

#34
cupidringmybelle
  • Topic Starter
  • Member
  • 36 posts
I went ahead and downloaded GMER and ran it as requested; here's the output file:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-08 14:57:21
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF45139AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF4513A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF4513958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF451396C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF4513A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF4513A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF4513AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF4513AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF45139EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF4513B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF4513A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF4513930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF4513944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF45139BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF4513B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF4513AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF4513B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF4513B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF4513996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF4513982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF4513A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF4513A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF4513B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF4513A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF45139D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
  • 0

#35
Egwene
  • Member 2k
  • Visiting Consultant
  • 2,141 posts
Hey cupidringmybelle,

But before running another CFScript on what you've included I need to let you know something about pdfprintservice.exe. The pdfprintservice.exe is a program that my company has written to allow users to execute and kick off Adobe Reader on their PC from within our Linux box, and to view reports in PDF rather than going to a printer. It's not a virus or malware.

I'll await your changes to the CFScript instructions before proceeding.


You did right, but no worries, I will not delete this file without knowing what it is. The FileLook:: switch will just give me more information about this file, nothing else :) But now, I know it's not malware by the way :)

I have a question, if you please: do you know what this is? >> C:\Program Files\Yahoo! Games\Sally's Spa\SallysSpa.exe

Please do this now:

Open notepad and copy/paste the text in the quotebox below into it:


Collect::
C:\WINDOWS\system32\gxqwoui.dll

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Regards,
Egwene.
  • 0

#36
cupidringmybelle
  • Topic Starter
  • Member
  • 36 posts

I have a question, if you please: do you know what this is? >> C:\Program Files\Yahoo! Games\Sally's Spa\SallysSpa.exe


Yes, it's a game I downloaded from Yahoo for my daughter to play. Is it causing a problem on my system?

I ran the CFScript again, and here are the results:

ComboFix 08-09-05.09 - Owner 2008-09-08 17:05:53.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.152 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gxqwoui.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-08 14:55 . 2008-09-08 14:55 250 --a------ C:\WINDOWS\gmer.ini
2008-09-08 13:33 . 2008-09-08 13:33 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-08 13:27 . 2008-09-08 17:04 <DIR> d-------- C:\Program Files\NOS
2008-09-08 13:27 . 2008-09-08 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-07 11:35 . 2008-09-07 11:35 <DIR> d-------- C:\_OTMoveIt
2008-09-06 18:55 . 2008-09-06 18:56 <DIR> d-------- C:\rsit
2008-09-05 23:25 . 2008-09-05 23:26 <DIR> d-------- C:\Program Files\ERUNT
2008-09-05 13:33 . 2008-09-06 09:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ITTNord
2008-09-04 22:32 . 2008-09-04 22:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-09-04 22:32 . 2008-09-04 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-09-04 18:33 . 2008-09-04 18:33 2,855 --a------ C:\WINDOWS\system32\mem.PIF
2008-09-01 19:43 . 2008-09-01 19:43 2 --a------ C:\WINDOWS\msoffice.ini
2008-09-01 19:10 . 2008-09-01 19:17 2,808 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-01 18:12 . 2008-09-04 21:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 18:12 . 2008-09-01 18:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-01 18:12 . 2008-09-01 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 18:12 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-01 18:12 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-01 17:27 . 2008-04-08 20:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-01 15:45 . 2008-09-01 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-01 15:44 . 2008-09-01 19:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-31 19:15 . 2008-08-31 19:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-31 18:32 . 2008-08-31 18:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-08-23 16:52 . 2008-08-23 16:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Go-Go Gourmet Chef of the Year
2008-08-23 09:33 . 2008-09-08 17:03 21,801 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-23 09:32 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-08-23 09:29 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-23 09:29 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-23 09:29 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-23 09:29 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-23 09:29 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-23 09:29 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-23 09:27 . 2008-08-23 09:28 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-23 09:27 . 2008-09-05 07:29 <DIR> d-------- C:\Program Files\McAfee
2008-08-23 09:27 . 2008-08-23 09:29 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-23 09:19 . 2008-08-31 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-23 07:51 . 2008-08-23 07:51 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-08-21 09:32 . 2008-08-22 16:31 3,350 --a------ C:\WINDOWS\COSTAR.TMP
2008-08-20 21:15 . 2008-08-23 09:07 174 --a------ C:\Documents and Settings\All Users\Application Data\ustore.dat
2008-08-20 20:45 . 2008-08-20 20:45 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-20 20:45 . 2008-08-20 20:45 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-20 20:45 . 2008-08-20 20:45 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-20 19:27 . 2008-08-20 19:27 <DIR> d-------- C:\98ef2acd623800fc40
2008-08-19 00:05 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-08-19 00:05 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-19 00:05 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-08-19 00:05 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-19 00:05 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-08-19 00:05 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-08-19 00:03 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-08-15 18:19 . 2008-08-15 18:26 843,503,843 --a------ C:\lotrosetup-1a.bin
2008-08-14 17:00 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 17:00 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 22:02 . 2008-09-01 21:40 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 18:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-08 17:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\MysteryStudio
2008-09-08 04:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-07 22:43 --------- d-----w C:\Program Files\Trojan Remover
2008-09-07 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-06 14:45 --------- d-----w C:\Program Files\Yahoo! Games
2008-09-06 14:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-09-06 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-09-05 00:49 --------- d-----w C:\Program Files\Trend Micro
2008-09-02 00:46 --------- d-----w C:\Program Files\Pure Networks
2008-09-02 00:46 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-02 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-01 21:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-08-24 04:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\funkitron
2008-08-23 14:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-23 14:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 22:18 64,736 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-08-13 03:32 --------- d-----w C:\Program Files\Microsoft Picture It! 9
2008-08-06 00:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 00:19 --------- d-----w C:\Program Files\StorageSync
2008-08-02 03:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-07-20 14:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-07-20 14:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-07-20 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\PBGsavesDirectory
2008-07-20 14:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreshGames
2008-07-08 22:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Kermit 95
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-04 19:55 56,912 ----a-w C:\Documents and Settings\Owner\g2mdlhlpx.exe
2005-04-04 17:41 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2001-03-26 15:13 32,768 ----a-w C:\Program Files\internet explorer\plugins\csutil.dll
.

((((((((((((((((((((((((((((( snapshot_2008-09-08_ 7.45.21.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-08 19:54:59 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-09-08 19:54:49 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2007-12-12 20:06:42 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-09-08 11:49:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-08 21:39:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-08 11:49:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-08 21:39:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-08 11:49:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-08 21:39:21 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-08 19:54:59 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-08-21 914512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-03 2904064]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-21 155648]
"PDFPrint Tray Helper"="C:\PDFPrint\PDFPrint.exe" [2007-03-23 690176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2004-03-03 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2003-09-02 C:\WINDOWS\system32\sstray.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 C:\WINDOWS\zHotkey.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo! Games\\Slingo Deluxe\\Slingo.exe"=
"C:\\Program Files\\Yahoo! Games\\JEOPARDY!\\JEOPARDY!.exe"=
"C:\\WINDOWS\\system32"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\PDFPrint\\PDFPrintService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"58937:TCP"= 58937:TCP:@xpsp2res.dll,-22009

R2 CSLServer;Co*STAR License Server;c:\Costar32\CSLServer.exe [2001-05-14 53248]
R2 PDFPrint;PDFPrint Listener Service;C:\PDFPRINT\PDFPRINTSERVICE.EXE [2007-04-17 723968]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 23552]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 666624]

*Newly Created Service* - GMER
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 17:09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-08 17:11:47
ComboFix-quarantined-files.txt 2008-09-08 22:11:34
ComboFix2.txt 2008-09-08 16:53:27
ComboFix3.txt 2008-09-08 12:46:05


Pre-Run: 143,019,958,272 bytes free
Post-Run: 143,019,446,272 bytes free

217 --- E O F --- 2008-08-21 12:07:34
  • 0
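The "Reg Loading Points" section of a ComboFix log is reviewed for the same few settings every time. This added Python script (not ComboFix's code and not from anyone in the thread) parses that section and flags them over a constructed sample whose key paths and value names are copied from the log above; the finding labels are my own.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for weakened
defences.  Added example for this thread: not ComboFix's code, not the
forum's.  Flags Windows Firewall off, Security Center monitoring disabled,
directory-wide firewall exceptions and globally open ports."""
import re

# Constructed sample; shape and values copied from the log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"58937:TCP"= 58937:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group(1)] = value.group(2).strip()
    return sections

def reg_number(raw):
    """'0 (0x0)' -> 0, 'dword:00000001' -> 1, anything else -> None."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None

def audit_loading_points(text):
    """Return (finding, detail) tuples; an empty list means nothing to review."""
    findings = []
    for key, values in parse_reg_section(text).items():
        k = key.lower()
        if "security center\\monitoring" in k:
            # Expected when a third-party suite (McAfee here) registers itself;
            # malware sets the same value to silence Security Center alerts.
            if reg_number(values.get("DisableMonitoring", "0")) == 1:
                findings.append(("security-center-off", key.rsplit("\\", 1)[-1]))
        elif k.endswith("firewallpolicy\\standardprofile"):
            # Acceptable only if another firewall is actually running.
            if reg_number(values.get("EnableFirewall", "1")) == 0:
                findings.append(("windows-firewall-off", "standardprofile"))
        elif k.endswith("authorizedapplications\\list"):
            for path in values:  # a bare directory exempts every binary inside it
                if not path.lower().endswith(".exe"):
                    findings.append(("non-exe-exception", path))
        elif k.endswith("globallyopenports\\list"):
            for name in values:  # inbound listeners; confirm each one is wanted
                port, proto = name.split(":", 1)
                findings.append(("open-port", f"{port}/{proto}"))
    return findings
```

Run against the sample it reports five items: both McAfee monitoring entries would appear if the second key were included, the firewall being off, the whole of system32 exempted, and the two open ports.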

#37
Egwene

Egwene

    Member 2k

  • Visiting Consultant
  • 2,141 posts

Yes, it's a game I downloaded from Yahoo for my daughter to play. Is it causing a problem on my system?


If you think the source of this game is safe, no problem. :) Where did you download it from?

Have you successfully uploaded the file this time after running the CFScript?

We are nearly finished :)

1) Update Java:

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

2) Run Kaspersky Online:

Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

And please tell me how your computer is running now.

Regards,
Egwene.
  • 0

#38
cupidringmybelle

cupidringmybelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Yes, I was able to upload that file in CFScript. I had to change my firewall settings to allow that program to access the internet.

I installed the latest Java.

Here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 09, 2008 11:57:25
Records in database: 1203313
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 102503
Threat name: 4
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:14:34


File name / Threat name / Threats count

C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Owner\Desktop\Work Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Documents and Settings\Owner\Desktop\Work Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\HijackThis\backups\backup-20080820-195036-320.dll Infected: Trojan.Win32.FraudPack.gen 1
C:\QooBox\Quarantine\[4][email protected] Infected: Trojan.Win32.BHO.ext 1

The selected area was scanned.

To answer your question -- and to be quite honest, my computer was actually faster prior to downloading and installing the latest Java.

I figure I can run CCleaner and attempt to cleanup some areas that might be getting bogged down again.

I have a question for you -- what was the virus I had?

Thank you so much for your help so far.

Becky
  • 0

#39
Egwene

Egwene

    Member 2k

  • Visiting Consultant
  • 2,141 posts
Hey cupidringmybelle,

what was the virus I had?


I would say a malicious .dll file (Delf?) injected by a rootkit.

Congratulations, your log looks clean :)

1) Uninstall ComboFix:

Follow these steps to uninstall ComboFix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

2) Run OTCleanIt:

Please download OTCleanIt (OldTimer): http://download.blee...r/OTCleanIt.exe

Open it and double-click on the "CleanUp" button.

3) Update Windows:

Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

* Click Start.
* Select Settings and then Control Panel.
* Select Automatic Updates.
* Click Automatic (recommended)
* Choose a day and a time when you know the computer will be on and connected to the internet.
* Click Apply then OK.

4) Prevention/protection:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • If you don't have a firewall on your computer, I advise you to install one of the following: Kerio / Comodo / ZoneAlarm.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
  • SpywareBlaster protects against bad ActiveX.
  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
    Have a look at this tutorial for IE-Spyad here

    Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' Here

Thank you for your patience, and performing all of the procedures requested.

Regards,
Egwene.
  • 0
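The MVPS entry above explains the mechanism: a hosts line that maps an ad or malware site to 127.0.0.1 makes the connection go nowhere. This added Python script (not the forum's or MVPS's code) parses a hosts file and goes a step beyond that description by also separating block entries from the two kinds of tampering a reviewer looks for; the sample file and the list of protected domains are constructed for the example.

```python
"""Classify the entries of a Windows HOSTS file.  Added example for this
thread (not the forum's or MVPS's code): it goes beyond the block-list case
described above and also flags tampering, namely security or update domains
pinned to loopback, and hosts sent to a remote address."""
import ipaddress

# Harmless sinks: an MVPS-style block entry points a bad site at one of these.
BLOCK_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative list, constructed for this example: domains a block list must
# never touch, because malware maps vendor and update sites here to starve
# the machine of updates.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com")

# Constructed sample: a short block list with two tampered lines at the end.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.com tracker.example.net
127.0.0.1 badsite.example.org             # one site per line, MVPS style
127.0.0.1 windowsupdate.microsoft.com     # update server blocked: tampering
203.0.113.10 www.example-bank.test        # sent to a remote address: tampering
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; one line may name several hosts."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue                          # blank or malformed line
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # first field is not an address
        for host in parts[1:]:
            yield ip, host.lower()

def is_protected(host):
    """True for a protected domain or any of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def classify_hosts(text):
    """Sort entries into local, block, hijack and redirect buckets."""
    buckets = {"local": [], "block": [], "hijack": [], "redirect": []}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            buckets["local"].append((ip, host))
        elif is_protected(host):
            buckets["hijack"].append((ip, host))    # any mapping is suspect
        elif ip in BLOCK_SINKS:
            buckets["block"].append((ip, host))     # what the MVPS file does
        else:
            buckets["redirect"].append((ip, host))  # review: where does it go?
    return buckets

if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```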

#40
cupidringmybelle

cupidringmybelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
1) Combofix uninstall - Done

2) Run OTCleanIt - Done

3) Update Windows - I already do this, automatically.

4) Prevention/protection

Firewall: I didn't have one before, but am running McAfee virus protection and firewall now.

Spybot Search and Destroy: I was running a fully updated version of this program when I got this infection and it never detected it. I even had Teatimer running full-time in the background and nothing was discovered until my ISP contacted me. McAfee is not compatible with Spybot SD so I had to uninstall it to install McAfee's virus protection and Firewall. Do you know of another program similar to Spybot that is compatible with McAfee?


ATF Cleaner - It's now on my system and I will be using it often! :)

Google Toolbar - I will install.

Make Internet Explorer More Secure -- Settings were already as described.

MVPS Hosts file -- I tried to do this, but when I did, my system slowed to a crawl. Any ideas?


And again, thank you so much for your help!

Becky
  • 0



#41
Egwene

Egwene

    Member 2k

  • Visiting Consultant
  • 2,141 posts
Hey cupidringmybelle,

Glad we could help :)

Do you know of another program similar to Spybot that is compatible with McAfee?


I would say MBAM, but it doesn't have real-time protection, except if you pay for it :)

I tried to do this, but when I did, my system slowed to a crawl. Any ideas?


No idea :)

Regards,
Egwene.
  • 0

#42
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





