J-Rep
2008-10-29, 17:14
I've followed another post and have gotten to the part where I need someone
to read the ComboFix txt file and advise me on what to do next.
Thanks,
Jrep
ComboFix 08-10-29.06 - Compaq_Owner 2008-10-29 10:35:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.198 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Compaq_Owner\Application Data\FunWebProducts
C:\Documents and Settings\Compaq_Owner\My Documents\My Documents.url
C:\Documents and Settings\Compaq_Owner\My Documents\My Music\My Music.url
C:\Documents and Settings\Compaq_Owner\My Documents\My Videos\My Video.url
C:\Program Files\MyWebSearch
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\asks~1\?asks\
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.
2008-10-24 07:07 . 2008-10-15 12:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-15 03:58 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 03:58 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 03:58 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 03:58 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 03:58 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 03:58 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-04 15:23 . 2008-04-13 20:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-10-04 15:23 . 2008-04-13 20:11 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-10-04 15:23 . 2008-04-13 14:39 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-10-04 15:23 . 2008-04-13 14:39 14,592 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-29 14:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-29 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 14:03 --------- d-----w C:\Program Files\Trend Micro
2008-10-29 02:49 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-09-28 22:25 --------- d-----w C:\Program Files\HP
2008-09-13 02:49 --------- d-----w C:\Program Files\McAfee
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-02 02:34 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Smilebox
2008-08-06 03:19 37,344 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-11-20 03:35 4,722 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2005-11-24 00:54 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-14 21:54:32 C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w 180,269 2005-02-16 22:07:33 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 1,836,544 2007-07-28 01:09:33 C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe
----a-w 229,952 2006-09-12 05:58:54 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-03-30 14:36:40 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 32,881 2005-02-16 21:54:35 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 582,992 2007-08-04 06:33:14 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe
----a-w 366,400 2007-06-15 23:15:02 C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2007-09-28 01:17:36 C:\Program Files\Picasa2\PicasaMediaDetector.exe
----a-w 282,624 2006-09-01 19:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-03-29 03:37:20 C:\Program Files\QuickTime\QTTask.exe
----a-w 233,472 2004-04-14 20:43:46 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 52,736 1998-05-07 16:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe
----a-w 126,976 2004-11-02 15:59:42 C:\WINDOWS\system32\bak\hkcmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2005-10-31 1832]
Compaq Connections.lnk.disabled [2005-11-23 1918]
HP Digital Imaging Monitor.lnk.disabled [2008-05-20 1816]
Microsoft Office.lnk.disabled [2008-03-19 1738]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= C:\WINDOWS\warnhp.html
FriendlyName= Desktop Uninstall
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus C40 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O5 "LPT1:" /M "Stylus C40"
"DriverUpdaterPro"=C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StopSignSsTsMon"="Rundll32.exe" "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
"AGRSMMSG"=AGRSMMSG.exe
"Alcmtr"=ALCMTR.EXE
"AlcWzrd"=ALCWZRD.EXE
"High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"EPSON Stylus CX4600 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"<NO NAME>"= :Yahoo! Music Engine
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-10-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-10-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www6.comcast.net/a
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Search - ?p=ZC
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 10:49:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-10-29 10:53:02 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-10-29 14:52:56
Pre-Run: 117,469,089,792 bytes free
Post-Run: 117,428,039,680 bytes free
187 --- E O F --- 2008-10-25 07:01:06