View Full Version : Browser has been hijacked
westripp
2008-12-07, 19:51
Hijack file attached, description below.....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:45 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\DOCUME~1\WESTRI~1.DAD\LOCALS~1\Temp\Temporary Directory 6 for McafeeRootkitDetective.zip\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NSLU2 Flash Map Utility] C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll (file missing)
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196356373865
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196356622484
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202000i/AcDcToday.ocx
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file:///C:/Program%20Files/AutoCAD%202000i/InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202000i/AcPreview.ocx
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: gzipmod - C:\WINDOWS\SYSTEM32\gzipmod.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Network Location Awareness (NLA) NlaMcProxy (NlaMcProxy) - Unknown owner - C:\WINDOWS\system32\apphelpg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 8653 bytes
My system is windows XP SP3, Mcafee security suite is loaded. I what appears to be a common malware issue (from what I read in the forums), a malware that redirects my web searches, won't allow me to reach any webiste that might help, and won't allow me to load Spybot S&D. I have downloaded the software, but the first thing spybot trys to do is reach the internet for an update and the malware blocks it and the load crashes. I tried loading Spybot onto a thumb drive from another PC and run it from there on the infected PC but it would not run. My guess is because doing it this way did not properly load spybot into my resgistry. I tried sharing the infected PC over my home network to another PC that had Spybot loaded, but could not get that PC to scan the infected drive (aborted). This same virus is also blocking Mcafee from updating, but I got around this by manually loading the updates and updating the registry entry. Mcafee found a virus after that, but the problem persists. One of the symptoms of this malware is that it loaded its own desktop on the PC that is black and flashed a banner telling me I have a virus that only they can fix and then locked out my ability to change my desktop screen.
FIRST QUESTION: Is it possible to run spybot from my thumbdrive? Are there some registry keys I can manually change to allow this to happen? I have another PC I can use to reach the internet or facilitate this issue if required. I do believe loading any software directly onto the infected PC or reaching any online scan or other site that might help from the infected PC won't work. I will continue to try things until I solve the issue. I don't want to reformat if at all possible as with the exception of web surfing and a really bad desktop screen, the PC is functional and I have many business files on the system that would take me days to rebuild. Does anyone have a process I can use. Thanks.
westripp is offline
shelf life
2008-12-11, 00:04
hi,
i would disconnect the computer in question from the internet. pull the plug at the router so the computer has no connectivity to the internet or other computers on your LAN.
you can try this. first from the other PC you can read through this guide about using combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix.
you can save the latest version of combofix to a usb flash drive for transfer to the computer in question.
note: before you save combofix to the drive ---> change the name to scanme.exe
then save it to the drive, transfer to infected computers desktop and double click the icon to start, follow the prompts. leave the thumb drive in the computer.
if all goes well after combofix is finished try running your antivirus and spybot. have the antivirus scan the usb flash drive also. usually a right click on the drive from ' my computer' then scan with.......
post the combofix log.
westripp
2008-12-12, 00:08
As I was directed, I ran Combofix and the log is posted below. There seems to be some improvement just from what I noticed when Combo fix rebooted the system, but I am refraining from using that PC until you are able to evaluate the combo fix log. The two notable things that happened after combofix was that I got two alerts from Mcafee. the first one warned me about a file called "Scanme". As this was what I renamed combofix to, I did not block the file. The second Mcafee alert was to a Registry change. No knowing what that was about, I blocked the change and then shut down. Upon shutdown, I noticed that Windows was showing pending updates. I again chose to shutdown without installing the updates, not sure if it was malware activity or not. The PC is currently off awaiting your evaluation. Thanks for all your help....:D:
Combofix log file:
ComboFix 08-12-09.03 - Admin 2008-12-11 17:39:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1154 [GMT -5:00]
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users.WINDOWS\Application Data\svhost.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\apphelpg.exe
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\gzipmod.dll
c:\windows\system32\k86.bin
c:\windows\system32\ntdll64.exe
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\tremir.bin
c:\windows\system32\twain_32
c:\windows\system32\twain_32\0001BF05.uf
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_NLAMCPROXY
-------\Legacy_VBAGZ
-------\Service_NlaMcProxy
-------\Service_vbagz
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.
2008-12-09 18:03 . 2008-12-09 18:03 23,040 --ahs---- c:\windows\system32\actxprxyh.dll
2008-12-09 17:24 . 2008-12-11 17:30 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-07 13:35 . 2008-12-07 13:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 11:52 . 2008-12-07 12:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-06 16:31 . 2008-12-07 11:49 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-06 16:29 . 2008-12-06 16:29 15,083,520 --a------ C:\spybotsd160.exe
2008-12-06 12:30 . 2008-12-06 12:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 18:49 . 2008-12-05 20:03 7 --a------ c:\windows\system32\answxt.bin
2008-12-05 18:31 . 2008-12-10 19:41 4,785 --a------ c:\windows\system32\warning.gif
2008-12-05 18:31 . 2008-12-10 19:41 1,349 --a------ c:\windows\system32\ahtn.htm
2008-12-05 18:31 . 2008-12-05 18:31 1 --a------ c:\windows\system32\uniq.tll
2008-12-05 18:31 . 2008-12-05 18:31 1 --a------ c:\windows\system32\test.ttt
2008-12-04 17:58 . 2008-12-04 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:12 . 2008-12-11 16:30 457 --a-s---- c:\windows\system32\407044704.dat
2008-11-23 18:26 . 2008-11-23 18:26 <DIR> dr-h----- c:\documents and settings\Admin\Application Data\yahoo!
2008-11-23 18:24 . 2008-11-23 18:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-11-23 18:23 . 2008-11-23 18:23 <DIR> d-------- c:\documents and settings\Admin
2008-11-23 18:23 . 2008-12-09 17:18 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-12 19:12 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 19:10 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:25 --------- d-----w c:\program files\HP
2008-12-06 16:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 16:17 --------- d-----w c:\program files\Google
2008-12-06 16:10 --------- d-----w c:\program files\eMusic Download Manager
2008-12-06 16:07 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2008-12-04 23:23 --------- d-----w c:\documents and settings\Wes Tripp.DADS-PC\Application Data\McAfee
2008-11-14 23:16 --------- d-----w c:\program files\Windows Desktop Search
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 21:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 01:39 --------- d-----w c:\program files\Virtual Earth 3D
2008-10-11 17:57 --------- d-----w c:\program files\123PDFConverter
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080630\index.dat
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.
------- Sigcheck -------
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2002-08-29 07:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-12-09 17:24 141312 1914cb5ecd8de6aa73455d36774ef8fb c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NSLU2 Flash Map Utility"="c:\program files\NSLU2 Flash Map Utility\StorageLink.exe" [2004-04-30 245760]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
c:\documents and settings\Wes Tripp.DADS-PC\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"McAfee Backup"=c:\program files\McAfee\MBK\McAfeeDataBackup.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
S3 Cdsvcho;Cdsvcho; []
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-07-17 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-07-17 7680]
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
HKLM-Run-Framework Windows - frmwrk32.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
O16 -: DirectAnimation Java Classes
O16 -: Microsoft XML Parser for Java
c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
c:\windows\system32\BSTIEPrintCtl1.dll - O16 -: {A7EA8AD2-287F-11D3-B120-006008C39542}
hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 17:45:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-12-11 17:48:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 22:48:27
Pre-Run: 106,026,717,184 bytes free
Post-Run: 106,544,340,992 bytes free
222 --- E O F --- 2008-12-11 01:10:02
shelf life
2008-12-12, 04:22
hi,
ok good. i would say its safe to use the computer. we will get another download as another check for any malware. you can also update spybot and your Mcafee suite and run them if you want. after you run malwarebytes, rescan and post a new hjt log also along with the malwarebytes log.
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:
http://www.malwarebytes.org/mbam.php
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
please post the MBAM log in reply
westripp
2008-12-13, 02:05
Hello,
I ran Spybot twice and then ran Malwarebytes. each application in turn found more malware on my system. While this was going on, I updated Mcafee and Mcafee alerted me to a few activity incidents that I was able to address. I then reran Hijackthis as well. My desktop once again is free of that annoying blinking banner beconning me to go further down that black hole known as Spyguard 2008. It looks as if all is once again right in the world as far as my PC goes. I have posted the Malwarebytes log and the Hijacthis log below for your review. I am looking foward to a clean bill of health from your check up of these logs and can't thank you enough with regards to your help in this matter. I normally do a pretty good job staying ahead of these pesky PC colds, but this time it came on like Chineese bird flu and I was over my head before I could say Bill Gates! Thanks again.
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.31
Database version: 1495
Windows 5.1.2600 Service Pack 3
12/12/2008 7:42:18 PM
mbam-log-2008-12-12 (19-42-18).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138366
Time elapsed: 47 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d3b5b507-0652-4cf2-8c12-ebbfb2bebf0e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{179391c4-b688-46bf-9f08-4784d0e03a5a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Summitsoft\SystemTech XP\iea.exe (Rogue.PornCleanser) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqlt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6D772FB-128D-40A2-8A9D-902CC9B82908}\RP1\A0001001.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6D772FB-128D-40A2-8A9D-902CC9B82908}\RP1\A0001002.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6D772FB-128D-40A2-8A9D-902CC9B82908}\RP1\A0001003.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6D772FB-128D-40A2-8A9D-902CC9B82908}\RP1\A0001004.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D6D772FB-128D-40A2-8A9D-902CC9B82908}\RP1\A0001005.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Internet Explorer\DLLs\kknrmvlorl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HiJackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:30 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NSLU2 Flash Map Utility] C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196356373865
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196356622484
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202000i/AcDcToday.ocx
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file:///C:/Program%20Files/AutoCAD%202000i/InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202000i/AcPreview.ocx
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 8122 bytes
shelf life
2008-12-13, 17:35
hi,
your welcome. couple things left to do.
for your info:
these that MBAM found:
C:\Qoobox\Quarantine
are combofix's Quarantine folder, combofix already removed them
these:
C:\System Volume Information\_restore
are your computers restore points, which we will clean out as a last step.
first we will use combofix (scanme) again. you might want to exit/disable Macafee first so you dont get the warning like last time
so to use combofix:
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
c:\windows\system32\uniq.tll
c:\windows\system32\test.ttt
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop.
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.
then we can finish it all up.
westripp
2008-12-13, 21:12
Here is the new combo fix log below.... I wasn't sure from what you said if running the script file over combofix was what was going to clean out my system restore points or if that is another step we still need to do. I can tell you that after I ran combo fix, I went to try to open up system restore so see if there were any system restore points at this time, but all I got was the hourglass for a second and then nothing...It apparently would not open. A quick read of the combofix log (Like I really know what I am reading) seemed to indicate there was still some infections. Please look it over and let me know where we stand on the cleanout and the status of System Restore. Additionally, since this issue, I have had the same three Windows security updates for Word, Excel, and Outlook trying to install over the last couple of days and continue to fail the install. I am not sure if this is related or not.
Thanks again,
Wes
Combofix Log:
ComboFix 08-12-12.05 - Wes Tripp 2008-12-13 14:34:20.2 - NTFSx86
Running from: c:\documents and settings\Wes Tripp.DADS-PC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wes Tripp.DADS-PC\Desktop\cfscript.txt
FILE ::
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\actxprxyh.dll
c:\windows\system32\test.ttt
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_VBAGZ
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 18:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 17:16 . 2008-12-12 17:16 281 --a------ c:\windows\wininit.ini
2008-12-09 17:24 . 2008-12-12 19:45 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-07 13:35 . 2008-12-07 13:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 11:52 . 2008-12-12 16:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-06 16:31 . 2008-12-12 17:26 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-06 16:29 . 2008-12-06 16:29 15,083,520 --a------ C:\spybotsd160.exe
2008-12-06 12:30 . 2008-12-06 12:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 18:49 . 2008-12-05 20:03 7 --a------ c:\windows\system32\answxt.bin
2008-12-04 17:58 . 2008-12-04 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:12 . 2008-12-11 16:30 457 --a-s---- c:\windows\system32\407044704.dat
2008-11-23 18:26 . 2008-11-23 18:26 <DIR> dr-h----- c:\documents and settings\Admin\Application Data\yahoo!
2008-11-23 18:24 . 2008-11-23 18:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-11-23 18:23 . 2008-11-23 18:23 <DIR> d-------- c:\documents and settings\Admin
2008-11-23 18:23 . 2008-12-09 17:18 1,324 --a------ c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:25 --------- d-----w c:\program files\HP
2008-12-06 16:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 16:17 --------- d-----w c:\program files\Google
2008-12-06 16:10 --------- d-----w c:\program files\eMusic Download Manager
2008-12-06 16:07 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2008-12-04 23:23 --------- d-----w c:\documents and settings\Wes Tripp.DADS-PC\Application Data\McAfee
2008-11-14 23:16 --------- d-----w c:\program files\Windows Desktop Search
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 21:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 01:39 --------- d-----w c:\program files\Virtual Earth 3D
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080630\index.dat
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-12-11_17.47.50.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-11 22:37:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-13 19:23:46 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-11 22:37:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-13 19:23:46 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2008-12-09 22:24:19 141,312 ----a-w c:\windows\system32\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NSLU2 Flash Map Utility"="c:\program files\NSLU2 Flash Map Utility\StorageLink.exe" [2004-04-30 245760]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" /background
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"McAfee Backup"=c:\program files\McAfee\MBK\McAfeeDataBackup.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\autorun.exe autocad\R15.0\ACAD-1:409\MSI
\Shell\verb\command - winhlp32.exe readme.hlp
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
O16 -: DirectAnimation Java Classes
O16 -: Microsoft XML Parser for Java
c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Mozilla\Firefox\Profiles\fnf8fpj7.default\
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 14:38:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 3100 Series\lxbrksk.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-13 14:41:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 19:41:30
ComboFix2.txt 2008-12-11 22:48:36
Pre-Run: 106,154,455,040 bytes free
Post-Run: 106,198,441,984 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
182 --- E O F --- 2008-12-13 02:18:58
westripp
2008-12-13, 21:27
Forgot to mention this in my last post, but right after I ran combo fix this last time, I accessed my Yahoo mail account and the browser Internet Explorer) had what is the normal screen format all over the place making it difficult to read. At first I figured yahoo was having an issue because I didn't see anyting wrong with other screens on the Internet. I then went and opened Firefox and accessed the same page and my Mail screen looked just fine. Only five minutes before I ran combofix I was up on that mail screen with IE and it looked fine. Obviously something has run a muck.... While waiting on hearing from you, I will run a scan with mcafee and spybot and see if anything shakes out.
Wes
westripp
2008-12-14, 14:43
Rather than go back and fourth, I went ahead and did some of the same steps you had already told me to do previously in order to get you the most info as soon a possible. One other observation I wanted to make is that this recent setback seemed to also happen after I disabled Mcafee (per your instructions) to avoid its interaction with combofix to get you that last log. Its almost like something was waiting at the gates for me to leave the door unlocked.
Anyway, here is some more info for you:
Mcafee Security Suite
*Alert Icon in system tray currently says "Not protected"
*Security Center Window blank when opened, preventing the use of Mcafee
*Mcafee appears to update when I right click on system tray Icon.
*Cannot innitiate a virus scan as the window is blank.
*I can still reach Mcafee.com from my browser
Spybot
*Ran another Scan
*Found 19 Tracking cookies
*Got an error when trying to update spybot "Error retrieving update info file"
Hijackthis
*Ran another Scan
*Log file attached below
Malwarebytes
*Ran another Scan
*Log file attached below
Combofix
*Ran another Scan
*Log file attached below
*Appears to update from Web when requested
Hijackthis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:22 PM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NSLU2 Flash Map Utility] C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196356373865
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196356622484
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202000i/AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file:///C:/Program%20Files/AutoCAD%202000i/InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202000i/AcPreview.ocx
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 7783 bytes
Malwarebytes Log file:
Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 3
12/13/2008 11:07:18 PM
mbam-log-2008-12-13 (23-07-18).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138864
Time elapsed: 45 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Combofix Log file:
ComboFix 08-12-12.05 - Wes Tripp 2008-12-13 18:31:10.3 - NTFSx86
Running from: c:\documents and settings\Wes Tripp.DADS-PC\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 18:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 17:16 . 2008-12-12 17:16 281 --a------ c:\windows\wininit.ini
2008-12-09 17:24 . 2008-12-12 19:45 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-07 13:35 . 2008-12-07 13:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 11:52 . 2008-12-12 16:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-06 16:31 . 2008-12-12 17:26 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-06 16:29 . 2008-12-06 16:29 15,083,520 --a------ C:\spybotsd160.exe
2008-12-06 12:30 . 2008-12-06 12:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 18:49 . 2008-12-05 20:03 7 --a------ c:\windows\system32\answxt.bin
2008-12-04 17:58 . 2008-12-04 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:12 . 2008-12-11 16:30 457 --a-s---- c:\windows\system32\407044704.dat
2008-11-23 18:26 . 2008-11-23 18:26 <DIR> dr-h----- c:\documents and settings\Admin\Application Data\yahoo!
2008-11-23 18:24 . 2008-11-23 18:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-11-23 18:23 . 2008-11-23 18:23 <DIR> d-------- c:\documents and settings\Admin
2008-11-23 18:23 . 2008-12-09 17:18 1,324 --a------ c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:25 --------- d-----w c:\program files\HP
2008-12-06 16:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 16:17 --------- d-----w c:\program files\Google
2008-12-06 16:10 --------- d-----w c:\program files\eMusic Download Manager
2008-12-06 16:07 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2008-12-04 23:23 --------- d-----w c:\documents and settings\Wes Tripp.DADS-PC\Application Data\McAfee
2008-11-14 23:16 --------- d-----w c:\program files\Windows Desktop Search
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 21:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 01:39 --------- d-----w c:\program files\Virtual Earth 3D
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080630\index.dat
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-12-11_17.47.50.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-11 22:37:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-13 23:14:21 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-11 22:37:59 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-13 23:14:21 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-12-13 20:44:14 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-12-09 22:24:19 141,312 ----a-w c:\windows\system32\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NSLU2 Flash Map Utility"="c:\program files\NSLU2 Flash Map Utility\StorageLink.exe" [2004-04-30 245760]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" /background
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"McAfee Backup"=c:\program files\McAfee\MBK\McAfeeDataBackup.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\autorun.exe autocad\R15.0\ACAD-1:409\MSI
\Shell\verb\command - winhlp32.exe readme.hlp
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
O16 -: DirectAnimation Java Classes
O16 -: Microsoft XML Parser for Java
c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Mozilla\Firefox\Profiles\fnf8fpj7.default\
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 18:33:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-13 18:34:37
ComboFix-quarantined-files.txt 2008-12-13 23:34:18
ComboFix2.txt 2008-12-13 19:41:43
ComboFix3.txt 2008-12-11 22:48:36
Pre-Run: 106,075,049,984 bytes free
Post-Run: 106,071,846,912 bytes free
158 --- E O F --- 2008-12-13 19:56:09
shelf life
2008-12-14, 16:58
hi,
please hold off on any installing any window updates for now and using system restore.
you can delete your copy of combofix like this:
start>run and type in combofix /u
click ok or enter
note: the space after the x and before the /
we will get another copy of combofix and this time install the ms recovery comsole first before continuing with combofix. that should fix the:
userinit.exe . . . is infected!!
by deleting and replacing it back with the real copy from your installation files.
in the guide for combofix there are two ways to install it. download it form the MS site or combofix can do it automatically for you.
after its installed continue on with combofix following the prompts.
the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
westripp
2008-12-14, 19:12
I went ahead and deleted and reinstalled combo fix and windows recovery console. I innitially tried to install recovery console from my Windows disk, but since there have been multiple upgrades from the orig. SP2 disks, it told me that my loaded version was newer and I should cancel. I ended up having Combofix install Windows recovery console for me from the net. While I am not getting that infection alert in the combofix log file now, all the other issues recently mentioned, (Mcafee, IE brower for Yahoo mail, etc) have not changed. The new Combofix log file is listed below. Please tell me what can be done to address the current issues. Thanks.
Combofix log file:
ComboFix 08-12-14.01 - Wes Tripp 2008-12-14 12:59:44.4 - NTFSx86
Running from: c:\documents and settings\Wes Tripp.DADS-PC\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 18:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 17:16 . 2008-12-12 17:16 281 --a------ c:\windows\wininit.ini
2008-12-09 17:24 . 2008-12-12 19:45 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-07 13:35 . 2008-12-07 13:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 11:52 . 2008-12-12 16:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-06 16:31 . 2008-12-12 17:26 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-06 16:29 . 2008-12-06 16:29 15,083,520 --a------ C:\spybotsd160.exe
2008-12-06 12:30 . 2008-12-06 12:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 18:49 . 2008-12-05 20:03 7 --a------ c:\windows\system32\answxt.bin
2008-12-04 17:58 . 2008-12-04 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:12 . 2008-12-11 16:30 457 --a-s---- c:\windows\system32\407044704.dat
2008-11-23 18:26 . 2008-11-23 18:26 <DIR> dr-h----- c:\documents and settings\Admin\Application Data\yahoo!
2008-11-23 18:24 . 2008-11-23 18:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-11-23 18:23 . 2008-11-23 18:23 <DIR> d-------- c:\documents and settings\Admin
2008-11-23 18:23 . 2008-12-09 17:18 1,324 --a------ c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:25 --------- d-----w c:\program files\HP
2008-12-06 16:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 16:17 --------- d-----w c:\program files\Google
2008-12-06 16:10 --------- d-----w c:\program files\eMusic Download Manager
2008-12-06 16:07 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2008-12-04 23:23 --------- d-----w c:\documents and settings\Wes Tripp.DADS-PC\Application Data\McAfee
2008-11-14 23:16 --------- d-----w c:\program files\Windows Desktop Search
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 21:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 01:39 --------- d-----w c:\program files\Virtual Earth 3D
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080630\index.dat
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NSLU2 Flash Map Utility"="c:\program files\NSLU2 Flash Map Utility\StorageLink.exe" [2004-04-30 245760]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" /background
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"McAfee Backup"=c:\program files\McAfee\MBK\McAfeeDataBackup.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\autorun.exe autocad\R15.0\ACAD-1:409\MSI
\Shell\verb\command - winhlp32.exe readme.hlp
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
O16 -: DirectAnimation Java Classes
O16 -: Microsoft XML Parser for Java
c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Mozilla\Firefox\Profiles\fnf8fpj7.default\
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 13:01:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-14 13:03:06
ComboFix-quarantined-files.txt 2008-12-14 18:02:45
ComboFix2.txt 2008-12-13 23:34:41
Pre-Run: 106,028,593,152 bytes free
Post-Run: 106,034,544,640 bytes free
145 --- E O F --- 2008-12-14 13:29:24
westripp
2008-12-14, 19:16
I went ahead and deleted and reinstalled combo fix and windows recovery console. I innitially tried to install recovery console from my Windows disk, but since there have been multiple upgrades from the orig. SP2 disks, it told me that my loaded version was newer and I should cancel. I ended up having Combofix install Windows recovery console for me from the net. While I am not getting that infection alert in the combofix log file now, all the other issues recently mentioned, (Mcafee, IE brower for Yahoo mail, etc) have not changed. The new Combofix log file is listed below. Please tell me what can be done to address the current issues. Thanks.
Combofix log file:
ComboFix 08-12-14.01 - Wes Tripp 2008-12-14 12:59:44.4 - NTFSx86
Running from: c:\documents and settings\Wes Tripp.DADS-PC\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-12 18:22 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-12 18:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 18:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 17:16 . 2008-12-12 17:16 281 --a------ c:\windows\wininit.ini
2008-12-09 17:24 . 2008-12-12 19:45 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-07 13:35 . 2008-12-07 13:35 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 11:52 . 2008-12-12 16:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-06 16:31 . 2008-12-12 17:26 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-06 16:29 . 2008-12-06 16:29 15,083,520 --a------ C:\spybotsd160.exe
2008-12-06 12:30 . 2008-12-06 12:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 18:49 . 2008-12-05 20:03 7 --a------ c:\windows\system32\answxt.bin
2008-12-04 17:58 . 2008-12-04 17:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:12 . 2008-12-11 16:30 457 --a-s---- c:\windows\system32\407044704.dat
2008-11-23 18:26 . 2008-11-23 18:26 <DIR> dr-h----- c:\documents and settings\Admin\Application Data\yahoo!
2008-11-23 18:24 . 2008-11-23 18:24 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-11-23 18:23 . 2008-11-23 18:23 <DIR> d-------- c:\documents and settings\Admin
2008-11-23 18:23 . 2008-12-09 17:18 1,324 --a------ c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:25 --------- d-----w c:\program files\HP
2008-12-06 16:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 16:17 --------- d-----w c:\program files\Google
2008-12-06 16:10 --------- d-----w c:\program files\eMusic Download Manager
2008-12-06 16:07 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2008-12-04 23:23 --------- d-----w c:\documents and settings\Wes Tripp.DADS-PC\Application Data\McAfee
2008-11-14 23:16 --------- d-----w c:\program files\Windows Desktop Search
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 21:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 01:39 --------- d-----w c:\program files\Virtual Earth 3D
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062320080630\index.dat
2008-07-13 22:59 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="c:\spybot - search & destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"NSLU2 Flash Map Utility"="c:\program files\NSLU2 Flash Map Utility\StorageLink.exe" [2004-04-30 245760]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-08-01 684032]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"VTPreset"="VTPreset.exe" [2004-02-24 c:\windows\system32\VTPreset.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" /background
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"McAfee Backup"=c:\program files\McAfee\MBK\McAfeeDataBackup.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\autorun.exe autocad\R15.0\ACAD-1:409\MSI
\Shell\verb\command - winhlp32.exe readme.hlp
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
O16 -: DirectAnimation Java Classes
O16 -: Microsoft XML Parser for Java
c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Wes Tripp.DADS-PC\Application Data\Mozilla\Firefox\Profiles\fnf8fpj7.default\
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 13:01:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-14 13:03:06
ComboFix-quarantined-files.txt 2008-12-14 18:02:45
ComboFix2.txt 2008-12-13 23:34:41
Pre-Run: 106,028,593,152 bytes free
Post-Run: 106,034,544,640 bytes free
145 --- E O F --- 2008-12-14 13:29:24
shelf life
2008-12-14, 22:30
malware can reset security settings and mess with AV. for now try a reboot and see if the mcafee problem is any better.
westripp
2008-12-15, 04:35
I am still having issues, only worse. Mcafee tech support advised me that it could be Java. I reloaded Java.... no fix. They then analyzed PC and said it could be conflict between mcafee and malwarebytes and spybot. I unloaded malwarebytes and spybot, along with Mcafee, as they directed, and now I can't reach mcafee site to reload and mail screen in IE still messed up. Seems like my problem went from bad to better to worse. Don't know what do to now.
shelf life
2008-12-15, 23:34
hi,
your java was outdated, you should also remove older versions of java that might be listed in add/remove programs panel.
MBAM, Spybot conflict with Mcafee? never heard of anything like that before.
have you been able to get to the Mcafee site? do you have a paid subscription with them? I can give links to 3 or 4 free antivirus apps that can replace Mcafee.
westripp
2008-12-16, 03:04
Hi,
even before your post, I removed and updated JAVA to newest version 6.0 (11). still had same issue... To be specific, I could reach the Mcafee download site, but the installer window would go blank when opened, making vitually useless. I went back to Mcafee and they then told me my version of JAVA was too NEW! and not supported by Mcafee. They sent me a link for MS download site for Microsoft windows script version 5.7. It didn't say it was JAVA, but I guessed it must be the MS version of it. So I tried to download it, but becuase I had SP3, it would not download. So I removed SP3 and then downloaded 5.7, but the problem stayed the same. Now I try to go back to the Mcafee on line chat, and now I cant open the on line chat window! I went to the Java site, and did the JAVA check, and it did not recognize that I had JAVA on the PC!. I then went and reinstalled the newest JAVA, and still have the same issues downloading Mcafee and how my IE explorer displays my Yahoo mail screen. I am sure these are just symptoms of a bigger issue, but these are just the places I see the problem at this time.
So here I am, no Virus protection, Can't download Mcafee, Yahoo mail looks like crap on IE (Firefox is OK) and I don't have SP3 anymore! And on top of all this, my wireless connection keeps tripping offline!
I think at this point, since my Offline activity (ms word and other apps) don't seem effected, I am going to back up my files to a another drive and take the next week reformating my drive and reloading all my software. While the problems seem minor and workable, they don't get any better and seem to constantly develop new issues. Before too long, my offline files might not be accessible. Something has got to give.....
Wes.
shelf life
2008-12-16, 04:29
hi westripp,
well i guess some good news is that you dont have malware and you backup files. I think most people do not do backups.
Sometimes a re-format is the easiest and quickest thing to do. I actually reformat Windows at least once a year. everything i want to keep can fit on a 2gb usb drive. dont forget to get all the windows updates, now that may take some time! good luck and happy safe surfing.