-
Computer booted up fine.
Internet connection appears to be fine as well.
Whitesmoke icons are on the desktop and remain in the Startup menu.
However, the executable and directory the icons point to in "C:\Program Files" don't exist.
ComboFix 10-12-18.02 - Raymond Green 12/19/2010 9:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1512 [GMT -5:00]
Running from: c:\documents and settings\Raymond Green\Desktop\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\snetcfg.exe
G:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-11-19 to 2010-12-19 )))))))))))))))))))))))))))))))
.
2010-12-19 04:21 . 2010-12-19 04:22 -------- d-----w- c:\program files\ERUNT
2010-12-14 11:08 . 2010-12-14 11:08 -------- d-----w- c:\documents and settings\Raymond Green\Application Data\Leadertech
2010-12-13 06:47 . 2010-12-13 06:47 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 06:46 . 2010-12-13 06:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2009-10-28 20:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2009-10-28 20:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
c:\documents and settings\Raymond Green\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Seagate 2GE90A5R Product Registration.lnk - c:\documents and settings\Raymond Green\Application Data\Leadertech\PowerRegister\Seagate 2GE90A5R Product Registration.exe [2010-12-14 1731736]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [N/A]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/15/2003 5:57 PM 3456]
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-03 16:22]
2010-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-03 16:22]
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
AddRemove-tradingrooms-client-avx - c:\program files\Trading Rooms Technologies
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-19 09:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3472)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-12-19 09:50:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-19 14:50
Pre-Run: 222,743,883,776 bytes free
Post-Run: 222,909,427,712 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - A33D7543B44F59615E404E779CCBE6C1
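A note on reading this log, added here and not part of the thread: ComboFix prints a marker such as `[N/A]`, `[X]` or `[?]` after an autostart or driver entry whose target file it could not find on disk, which is exactly what the poster reported for the `WhiteSmoke Translator` directory. An orphaned autostart entry is worth listing even when it turns out to be harmless (a half-uninstalled program leaves the same trace as a cleaned infection), and the same log also records three weakened protections: the AV reported as `*Disabled/Updated*`, `EnableFirewall`=0 in the Windows Firewall standard profile, and Security Center monitoring of the AV switched off. The Python below is an added example, not code from the thread, from ComboFix or from its author; it parses an abridged copy of the log above (constructed from the page's own lines so it runs offline) and pulls out those items. The regexes, category names and severity labels are my own assumptions about the log layout, not anything ComboFix defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Abridged excerpt of the ComboFix log posted above (constructed sample input).
SAMPLE_LOG = r"""
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [N/A]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/15/2003 5:57 PM 3456]
"""

# Trailing markers ComboFix uses when it cannot find the referenced file
# (assumption based on how the entries appear in the log above).
MISSING_MARKERS = {"X", "N/A", "?"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (labels are this example's own)
    category: str   # short tag used for grouping in reports
    detail: str     # the entry as it appeared, or a summary of it


# Run-key value:         "name"="target" [date size]   or   [X]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Startup-folder entry:  name.lnk - target [date size]  or   [N/A]
STARTUP_LNK = re.compile(r'^(?P<name>.+?\.lnk) - (?P<target>.+?)\s*\[(?P<info>[^\]]*)\]\s*$')
# Driver/service line:   S2 svc;display;path [date size]  or   [?]
DRIVER = re.compile(r'^(?P<start>[SR]\d) (?P<name>[^;]+);[^;]*;(?P<target>.*?)\s*\[(?P<info>[^\]]*)\]\s*$')
# Header line for each installed AV product: AV: Product *State* {GUID}
AV_LINE = re.compile(r'^AV: (?P<product>.+?) \*(?P<state>[^*]+)\*')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
MONITORING_OFF = re.compile(r'^"DisableMonitoring"=dword:0*1$')


def triage(log_text: str) -> list[Finding]:
    """Return the weakened-protection and orphaned-autostart lines, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = AV_LINE.match(line)
        if m and m.group("state").lower().startswith("disabled"):
            findings.append(Finding("high", "av-disabled",
                                    f'{m.group("product")}: {m.group("state")}'))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("high", "firewall-disabled", line))
            continue
        if MONITORING_OFF.match(line):
            findings.append(Finding("medium", "security-center-monitoring-disabled", line))
            continue

        # Autostart and driver entries: only those whose target is missing are reported.
        for pattern, kind in ((RUN_VALUE, "run-key"),
                              (STARTUP_LNK, "startup-folder"),
                              (DRIVER, "driver")):
            m = pattern.match(line)
            if m is None:
                continue
            marker = m.group("info").strip()
            if marker in MISSING_MARKERS:
                findings.append(Finding("medium", f"orphan-{kind}",
                                        f'{m.group("name")} -> {m.group("target")} [{marker}]'))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.category:40} {f.detail}")
```

Run against the sample it lists six items: the disabled AV, the orphaned `LaunchApp`, the WhiteSmoke startup shortcut with no target, Security Center monitoring off, `EnableFirewall`=0 and the `eLock2BurnerLockDriver` entry whose .sys file is absent. Treat the output as a checklist rather than a verdict: `EnableFirewall`=0 is normal when a third-party suite such as McAfee has taken over the firewall, and an orphaned entry is only evidence that something used to be there.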
-
Forgot this, the ComboFix log was posted directly from the infected computer.
First time this could be done during this problem.
-
Go here
c:\documents and settings\All Users\Start Menu\Programs\Startup
and remove WhiteSmoke
Then delete this folder
c:\program files\WhiteSmoke Translator
Then reboot and let me know if they're still present or if you had problems removing those.
-
Boot up was fine.
Any sign of Whitesmoke is gone.
-
-
ESET has been run.
No threats found.
-
Let me tell you about viruses. Years ago, when Windows 95 came out, viruses started to appear; they were written by kids or some low life that had nothing better to do, and if you caught one it was more of a nuisance than anything. But not any more: this garbage is written by cyber criminals, organized gangs of thieves out of Russia, the Ukraine, China and other parts of the world. These people have only one goal, and that's to steal anything they can from you in the form of bank account numbers and log-on info, credit card numbers and passwords to the sites you frequent, and the list goes on. There are some threats going around now that are uncleanable, which means you would have to reformat your drive and reinstall Windows; all documents and pictures would be infected, so they're all lost, not nice.
In your case a rootkit was installed infecting your Master Boot Record, that's a series of files that boot up your computer. All appears fine now, but the reason for my ranting is that you need to sit down, have a cold beer or whatever, and rethink your surfing and internet habits so you don't get hit again.
So what we can do now is close this thread and then post for the other computer. I will be online on and off the rest of the day, I will look out for it and reply when I see it.
Before I close this, let me know if you feel you still have any issues?
-
Thanks for the update.
The problem began when I clicked on a link about the Wikilinks story.
The primary computer hard drive went nuts (swap file on steroids).
When it had lasted for about a minute, I pulled the internet cable.
I was unable to stop the hard drive going nuts.
Closing down applications and re-booting the computer wasn't possible.
So, I did something I never thought I would do ... I pulled the power plug.
After about 10 minutes, the power was plugged back in and the computer wouldn't boot up.
A couple of days later, the secondary computer had the same problem
without clicking on a news link about Wikilinks.
So, I am not sure how this happened, but the computers will be fortified as well as possible.
The computer is running great now.
Thank you very much for your help.
As usual, a $75 donation will follow.
Regarding the other computer, since it won't boot,
I suppose I will need to wait for the Spybot boot CD-ROM to arrive,
unless you have a better idea.
When the CD arrives, I will start another thread.
Once again, thanks for your excellent help.
-
Thanks for your offer of a donation; they're used for research and to help keep us online. Thank you.
Have you tried booting to Last Known Good?
To Access Last Known Good
- Go to Start > Shut off your Computer > Restart
- Or, if the computer is off, press the power button
- As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu
- Use the Up and Down Arrow Keys to scroll up to Last Known Good
- Then press the Enter Key on your keyboard
Tutorial if you need it: How to boot into Safe Mode
-
Yes, that was tried, as well as Safe Mode, without success.