Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Remote Spamming From My Computer


  • This topic is locked This topic is locked
16 replies to this topic

#1 always_forever

always_forever

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 20 August 2008 - 05:36 AM

Hi, I have been contacted by my internet provider saying I have a virus or something that is using my internet connection to send spam. I have run all the scans, and then some, and have found and removed some trojans etc. This has been going on for a couple weeks... I ran all the scans, contacted my ISP and thought all was well, but yesterday received an email stating there was still something wrong. So if someone could have a look at this and advise me, I'd appreciate it! I'm going back to bed for a couple hours now but will check back. Thanks! :-)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:08 AM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pimpmysearch.com/home.html?gname=TUBBY
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188454589125
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E27C92B-1264-101C-8A2F-040224009C02} (Calendar Control 8.0) - http://selfhelpworks.com/mscal.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.cogeco.ca/en/OLS3.3/fscax.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10754 bytes

BC AdBot (Login to Remove)

 


m

#2 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 20 August 2008 - 08:07 AM

Hi always_forever, welcome to BC.

Before we get into the fixes, please disable Spybot's TeaTimer, as it may interfere with the process.
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

Now, go ahead and download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Next, please download Malwarebytes' Anti-Malware and save it to your Desktop.
Alternate download location
Alternate download location

Double-click mbam-setup.exe to install the application.
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Please post that log in your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.



Then, please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next response, please be sure to include the logs from MBAM and Kaspersky along with a new HijackThis log.

#3 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 20 August 2008 - 02:45 PM

Hi, thanks for the welcome & thanks for your help with this.
I have done everything you said, except I couldn't find the TeaTimer in the Start Up list so I assumed it was ok.

Both the scans that you asked for logs for were comepletely clean, no problems found. Hopefully I did it right, even without finding the second TeaTimer entry.

Here's the new HiJackThis log,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:07 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.crawler.com/search/dispatcher.a...&tbid=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.pimpmysearch.com/home.html?gname=TUBBY
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} -

c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

(no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program

Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -

c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -

c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

-Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia

Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -

C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) -

http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -

http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) -

http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) -

http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) -

http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/windowsupd...eb_site.cab?118

8454589125
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -

http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E27C92B-1264-101C-8A2F-040224009C02} (Calendar Control 8.0) -

http://selfhelpworks.com/mscal.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -

https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) -

http://www.cogeco.ca/en/OLS3.3/fscax.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -

c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile

Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program

Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program

Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program

Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10535 bytes

#4 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 20 August 2008 - 05:04 PM

Hi again, let's check to make sure there aren't any rootkits present.

First, download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • Then click OK.
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and make sure you are on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan.


Next, please download and unzip Rootkit Revealer to your desktop.

Note: Before performing a scan it is recommended to do the following to ensure the best results for a simpler and clearer log file to analyze:
1) Disconnect from or physically unplug the cable from the PC to the Internet connection.
2) Close down All Scheduling/Updating + Running Background tasks, etc.
3) Disable/turn off any program that might activate during the scan such as screensaver, anti-virus, anti-spyware. Programs that activate during the scan may cause RKR to display inaccurate/misleading log results.
4) Then after starting the scan, DO NOT not use the computer until the scan has completed.
5) When the scan has finished, save the log file and re-enable those programs you closed down, or reboot and then you can reconnect to the Internet.

Now launch rootkit revealer on the system and press the Scan button.
Please post the log here in this thread using Add Reply
(please double check that it has all been posted as it may be too long for one post)

In your next response, please be sure to include the logs from GMER and RootkitRevealer. Also, please make sure the lists don't come out oddly spaced like the last HijackThis log. You may need to adjust the setting for Word Wrap in Notepad. (It's under the Format tab.)

#5 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 20 August 2008 - 07:29 PM

Ok, bear with me. I'm getting very frustrated. Each page is taking like 5 minutes to open, if it opens at all. I just lost my reply here and am posting it again.

Here's the log for gmer and I'm hoping the text is doing what it's supposed to:



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-20 18:42:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF42F09AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF42F0A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF42F0958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF42F096C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF42F0A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF42F0A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF42F0AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF42F0AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF42F09EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF42F0B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF42F0A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF42F0930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF42F0944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF42F09BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF42F0B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF42F0AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF42F0AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF42F0A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF42F0B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF42F0B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF42F0996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF42F0982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF42F0A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF42F0A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF42F0B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF42F0A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF42F09D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----

Now, I scanned with RootkitRevealer and it found 2 entries, but I couldn't get it to save the log. I did it twice in fact, and both times it disappeared or came up blank. If you can lend some wisdom on saving the logfile, I will try again.
Thanks again for all this!


#6 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 21 August 2008 - 08:19 PM

Hi again, did the entries RootkitRevealer found look similar to these by chance?

HKLM\SECURITY\Policy\Secrets\SAC* 1/25/2008 1:33 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/25/2008 1:33 AM 0 bytes Key name contains embedded nulls (*)

In any event, let's try this one.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
  • Exit Blacklight and post the contents of the log in your next reply.
Note: If Blacklight does not work, rename fsbl.exe to zsbl.exe and try running it again.

#7 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 21 August 2008 - 10:22 PM

I think that log did have 2 entries that said something like that. Do I need to rerun it?

Here's the latest log you asked for...


08/21/08 22:50:35 [Info]: BlackLight Engine 1.0.70 initialized
08/21/08 22:50:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/21/08 22:50:35 [Note]: 7019 4
08/21/08 22:50:35 [Note]: 7005 0
08/21/08 22:50:42 [Note]: 7006 0
08/21/08 22:50:42 [Note]: 7022 0
08/21/08 22:50:42 [Note]: 7011 1688
08/21/08 22:50:42 [Note]: 7035 0
08/21/08 22:50:42 [Note]: 7026 0
08/21/08 22:50:43 [Note]: 7026 0
08/21/08 22:50:47 [Note]: FSRAW library version 1.7.1024
08/21/08 22:58:21 [Note]: 2000 1012
08/21/08 22:59:34 [Note]: 7007 0

thanks!

#8 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 22 August 2008 - 09:19 AM

Hi again, for now don't worry about running it again. Let's do this instead.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the report (located at C:\ComboFix.txt) in your next response.

#9 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 22 August 2008 - 01:44 PM

I can't install the Recovery Console. I don't have the Windows CD so according to the instructions, when I drag the Recovery Console over onto Combofix it should automatically load it, and all that happens is Combofix tries to open. There's no message saying that the Recovery Console was successfully installed.
I don't know what to do about it. :thumbsup:

#10 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 22 August 2008 - 02:25 PM

If I'm understanding what you mean correctly that is what is supposed to happen.

After dragging it onto ComboFix, ComboFix will want to run (looks like the program just wants to run normally). However, you should then get two messages about installing the recovery console. Then, you should be told it was successfully installed. You will press No so it doesn't continue. The guide includes the instructions for disabling protection and you can follow it for the rest. :thumbsup:

#11 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 22 August 2008 - 03:21 PM

Yep, that was it! I just got worried prematurely, lol.
Here's the ComboFix log:


ComboFix 08-08-21.02 - Family 2008-08-22 15:57:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.258 [GMT -4:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Family\Application Data\macromedia\Flash Player\#SharedObjects\AFED72NB\interclick.com
C:\Documents and Settings\Family\Application Data\macromedia\Flash Player\#SharedObjects\AFED72NB\interclick.com\ud.sol
C:\Documents and Settings\Family\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Family\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-22 09:21 . 2007-10-24 01:47 282,112 --a------ C:\WINDOWS\system32\TBD3DB.tmp
2008-08-21 22:47 . 2008-08-21 22:47 1,018,520 --a------ C:\fsbl.exe
2008-08-21 11:37 . 2008-08-22 09:19 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-20 18:42 . 2008-08-20 19:00 250 --a------ C:\WINDOWS\gmer.ini
2008-08-20 10:07 . 2008-08-20 10:07 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Malwarebytes
2008-08-20 10:06 . 2008-08-20 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 21:09 . 2008-08-18 22:12 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-18 15:45 . 2008-08-18 15:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 17:53 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-07 08:02 . 2008-08-22 15:55 12,373 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-07 07:59 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-08-07 07:55 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-07 07:54 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-07 07:54 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-07 07:54 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-07 07:54 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-07 07:54 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-07 07:53 . 2008-08-07 07:53 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-06 20:05 . 2008-08-18 09:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-06 19:30 . 2008-08-07 07:54 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-06 19:29 . 2008-08-21 11:37 <DIR> d-------- C:\Program Files\McAfee
2008-08-06 18:21 . 2008-08-06 18:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-06 18:20 . 2008-08-06 20:14 <DIR> d-------- C:\Documents and Settings\Family\.housecall6.6
2008-08-06 09:47 . 2008-08-06 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-06 08:09 . 2008-08-21 10:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-06 08:09 . 2008-08-18 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 21:14 . 2008-08-05 21:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-08-05 21:14 . 2008-08-05 21:14 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2008-08-04 13:01 . 2008-08-04 13:01 <DIR> d-------- C:\Program Files\iPod
2008-08-03 16:39 . 2008-08-03 16:41 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-02 12:51 . 2008-08-02 12:51 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-02 08:57 . 2008-08-02 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-02 08:55 . 2008-08-02 08:55 <DIR> d-------- C:\Documents and Settings\Family\Application Data\MSN6
2008-08-02 08:55 . 2008-08-02 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-07-30 11:19 . 2008-07-30 11:19 <DIR> d-------- C:\fsaua.data
2008-07-26 20:32 . 2008-07-26 20:34 <DIR> d-------- C:\Documents and Settings\Family\Application Data\ROBLOX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 14:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-21 14:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-18 19:19 --------- d-----w C:\Documents and Settings\Family\Application Data\Apple Computer
2008-08-09 22:21 23 ----a-w C:\Documents and Settings\Family\jagex_runescape_preferences.dat
2008-08-07 20:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-07 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-04 17:02 --------- d-----w C:\Program Files\iTunes
2008-08-02 17:26 --------- d-----w C:\Program Files\Java
2008-07-27 00:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ROBLOX
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 12:07 --------- d-----w C:\Documents and Settings\Family\Application Data\Atari
2008-07-16 22:07 --------- d-----w C:\Program Files\Bonjour
2008-07-16 22:03 --------- d-----w C:\Program Files\Safari
2008-07-10 13:06 --------- d-----w C:\Program Files\Yahoo!
2008-07-10 13:02 --------- d-----w C:\Program Files\LEGO Company
2008-07-09 20:46 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-07-09 20:46 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-09 20:46 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-09 20:46 158,456 ------w C:\WINDOWS\system32\pxwma.dll
2008-07-09 20:39 --------- d-----w C:\Documents and Settings\Family\Application Data\Ahead
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 20:13 --------- d-----w C:\Documents and Settings\Family\Application Data\VersionTracker Pro
2008-06-30 22:22 --------- d-----w C:\Documents and Settings\Family\Application Data\Yahoo!
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-09-26 04:58 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-10-01 19:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 12:24 1694208]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-08-21 11:44 208946]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-17 23:29 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
S2 0252061219333054mcinstcleanup;McAfee Application Installer Cleanup (0252061219333054);C:\WINDOWS\TEMP\025206~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 XDva076;XDva076;C:\WINDOWS\system32\XDva076.sys []
S3 XDva092;XDva092;C:\WINDOWS\system32\XDva092.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-01-22 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1193076159.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]

2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-07 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.pimpmysearch.com/home.html?gname=TUBBY
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.google.ca/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;*.local
O18 -: Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\McAfee\SITEAD~1\McIEPlg.dll

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll

O16 -: {8E27C92B-1264-101C-8A2F-040224009C02} - hxxp://selfhelpworks.com/mscal.ocx
C:\WINDOWS\Downloaded Program Files\mscal.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 15:59:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-22 16:00:57
ComboFix-quarantined-files.txt 2008-08-22 20:00:50

Pre-Run: 171,231,817,728 bytes free
Post-Run: 171,482,669,056 bytes free

183 --- E O F --- 2008-08-22 13:25:23


I have re-enabled my McAfee now so if I need to disable it again please tell me!
Thanks so much!


#12 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 22 August 2008 - 08:48 PM

Hi again, can you tell me if you're still having any problems with the computer?

#13 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 23 August 2008 - 08:52 AM

The only problem is it still seems to be running kind of slow. Othe than that, I haven't heard again from my ISP so i'm hoping that we got rid of whatever was causing the remote spamming. I take it the Combofix didn't show anything alarming?

#14 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 23 August 2008 - 10:10 AM

It's likely that you had already gotten rid of everything on your own. I think those emails come out sometimes after you get cleaned because it was still spamming within a certain period they were looking at.

There's really nothing I've seen to be concerned about and we've done quite a bit of digging. So, I would suggest reading this prevention page which has lots of information and tips on how to prevent this in the future.
If you want to improve speed/system performance after malware removal, take a look here.
Also, it's a good idea to make sure your programs are up-to-date because older versions may contain security leaks. To find out which programs need to be updated, you can run the Secunia Software Inspector Scan.

Let me know if you have any more questions.

#15 always_forever

always_forever
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:13 PM

Posted 23 August 2008 - 10:32 AM

Thank you so much for all your help! I will definitely read everything you've suggested and see what else I can do. You've been a huge help!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users