Ran Combofix With Disastrous Results, And Pos. Unknown Infection


This topic is locked
13 replies to this topic

#1 Quixotic1

Quixotic1


Posted 08 September 2008 - 02:11 PM

Hi...

I was asked to post my Hijack This log in this forum.

Here is what got me here.

Last night, I tried to run Combofix.exe on my own, after reading up on usage. I shouldn't have, but I did. According the instructions, it suggested that I turn off my antivirus and other scanners. I have Symantec Endpoint and Ad-Watch running, and I closed or disabled these. I also have ZoneAlarm Free running. Though the instructions said to turn off this, I didn't feel comfortable, so I left it running.

I launched Combofix, and everything seemed to run smooth, but at the beginning, I got a ZoneAlarm request for ping.exe... I assumed this was for Combofix, so I let it go.

Then as Combofix was finishing, I got a request through ZoneAlarm for ipconfig.exe. Again, I assumed this was for Combofix, and I let it go. Just as my desktop was coming back, and moments before my Combofix log was opened in Notepad, Ad-Watch launched itself, and immediately caught a program psexesvc.exe. It said the program was a "Trapped Suspicious Process", and it stopped the process.

Immediately following this, I received nearly 200 registry change alerts from Ad-Watch's RegShield. Most of these changes were in HKLM\S\MS\W\CV\Run, HKCU\S\MS\IE\Main, etc. These seemed very bad to me, so I blocked each and every one. I have a log from Adwatch of these attempts should you be interested.

I finished up blocking those changes, and reviewed my Combofix log. It seemed ok to me. I have a copy of this log, too, should you desire to see it.

However, I closed the log, and then tried to get online... I was unable to start any executable file, including IE. It gave me an error message, but sadly, I didn't write it down, I'm sorry. But, essentially, it said that there were problems in the registry and that something needed to be fixed so that executables could be launched.

I couldn't do anything. I couldn't even right click on My Computer, Properties, to bring up the system restore... which is what I deemed necessary at this point.

I shut down, rebooted, and launched into Vista's recovery, and was able to restore the point saved by Combofix at the start. This is where I am now. Everything seems to be ok to me.

BUT...

I had tried to post a question here last night about whether this psexesvc.exe file was part of Combofix, and whether ipconfig should have requested internet access at the end of the Combofix process. This post got moved to 'Am I infected...' and I was instructed to follow the 9 steps on your site's Preparation Guide for use before posting a HijackThis Log before posting my new Hijack This log.

One of these steps was to run an online scanner called Housecall Anti Virus... When I tried to start that, I got a warning that ipconfig wanted internet access... This didn't seem right to me. The warning didn't come from ZoneAlarm this time, but seemed to come from Windows or IE itself. It wasn't clear. I didn't feel this was right, so I closed that online scanner, and instead used the one from BitDefender.

I have run scans by the following, with the following results:

Symantec Endpoint - Nothing Found
Spybot S&D - nothing found
Malwarebytes' Anti-Malware: Nothing Found
Kaspersky Online Scanner: Nothing Found
BitDefender Online Scanner, per instructions: Nothing Found
McAfee Stinger, per instructions: Nothing found
Ad-Aware - five things found:
C:\combofix\hidec.exe
C:\combofix\nircmd.com
c:\windows\nircmd.exe
C:\HP\BIN\KillIt.exe (came with the computer, and is restored each time I use HP's full system restore.)
C:\HP\HPQWare\BTBHost\SetACL.exe (came with the computer, and is restored each time I use HP's full system restore.)

I did not clean any of these. The two from HP I think are supposed to be there. As for the Combofix items, I assume they're ok, too.

I cannot find any trace of psexesvc.exe on my system.

Below is my latest Hijack This log, as per your instructions.

Please tell me what's going on. What is psexesvc.exe? Was it supposed to run as part of Combofix? And why am I getting these requests for ipconfig now? Also, the registry changes that I blocked, were those supposed to be things that Combofix was putting back? I do have all my logs for these issues... combofix, adwatch, etc. So, if you want to review any of that, it's here. I'm a little spooked to run Combofix ever again. :thumbsup:

I look forward to your response. And, I'm really sorry I ran Combofix without your help and instruction. I won't make that mistake again.

Thanks,

Dave



Hijack This log to follow ----->


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:19 AM, on 2008-09-08
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12855 bytes
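An added example, not code from the thread or from Trend Micro's HijackThis, of how a responder compares two HJT logs such as the one above and the one posted later in this thread: each O4 autorun, O16 ActiveX and O23 service entry is keyed by what is hooked, so the script can report entries added, removed or retargeted between the 8 September and 19 September logs, and flag any target HijackThis marked "(file missing)". The sample lines are copied from the two logs; the "[Example Leftover]" line is constructed to stand in for the missing-file entry the poster describes.

```python
import re
from typing import Dict, List, Tuple

# Sample input: O4 (autorun), O16 (ActiveX) and O23 (service) lines copied
# from the two HijackThis logs posted in this thread (8 Sep = old, 19 Sep = new).
# The "[Example Leftover]" line in LOG_NEW is constructed, not from the thread,
# to show how HijackThis marks an autorun whose target no longer exists.
LOG_OLD = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\System32\ZoneLabs\vsmon.exe
"""

LOG_NEW = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Windows\system32\DUMeter.exe
O4 - HKCU\..\Run: [Example Leftover] C:\Program Files\Example\example.exe (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\System32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")


def parse_hjt(text: str) -> Dict[str, str]:
    """Map every HJT entry to a stable key (what is hooked) and a detail
    (what it runs), so that diffing two parses separates hooks that were
    added or removed from hooks whose target was changed."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:  # registry Run/RunOnce value: key = hive + value name
            entries[f"O4 {m['where']} [{m['name']}]"] = m["cmd"]
            continue
        m = O16_RE.match(line)
        if m:  # downloaded ActiveX control: key = CLSID, detail = name + URL
            entries[f"O16 {m['clsid']}"] = m["rest"]
            continue
        m = O23_RE.match(line)
        if m:  # "<display> (<svc>) - <company> - <path>"; split from the right
            parts = m["rest"].rsplit(" - ", 2)
            svc = re.search(r"\(([^()]+)\)\s*$", parts[0])
            key = svc.group(1) if svc else parts[0]
            entries[f"O23 {key}"] = " - ".join(parts[1:])
            continue
        # R0/R1 and Global Startup lines are "key = value"; anything else is
        # keyed by the whole line with an empty detail.
        key, sep, value = line.partition(" = ")
        entries[key] = value if sep else ""
    return entries


def diff_logs(old: Dict[str, str], new: Dict[str, str]
              ) -> Tuple[List[str], List[str], List[Tuple[str, str, str]]]:
    """Return (added keys, removed keys, (key, old detail, new detail))."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    return added, removed, changed


def missing_targets(entries: Dict[str, str]) -> List[str]:
    """Keys whose target HijackThis reported as "(file missing)": leftovers of
    an uninstall, or a hook whose payload a scanner removed while leaving the
    autorun behind."""
    return sorted(k for k, v in entries.items() if "(file missing)" in v.lower())


if __name__ == "__main__":
    old, new = parse_hjt(LOG_OLD), parse_hjt(LOG_NEW)
    added, removed, changed = diff_logs(old, new)
    for label, keys in (("added", added), ("removed", removed)):
        for k in keys:
            print(f"{label:8} {k}")
    for k, before, after in changed:
        print(f"changed  {k}\n    was: {before}\n    now: {after}")
    for k in missing_targets(new):
        print(f"missing  {k} -> {new[k]}")
```

Run against the full logs, the removed Ad-Watch and Sandboxie hooks, the new DU Meter value and the retargeted ESET OnlineScanner control show up directly, which is the kind of delta the HJT team checks between posts.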

#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team

Posted 19 September 2008 - 07:22 PM

Hello, Quixotic1.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Quixotic1

Quixotic1
  • Topic Starter


Posted 20 September 2008 - 01:27 AM

Billy:

Hi. Thanks for getting to my issue...

I'm still mostly interested in getting my original questions answered about psexesvc.exe and the ipconfig.exe access attempts through Zone Alarm as a result of running Combofix on my own.

But...

Some things have changed in the past week... I've tried to run as many different scans as I can. I haven't found much, but my computer has done some unexpected things at times. At the end of an ESET online scan last night, the scan failed (I didn't launch as Admin) but suddenly IE tried to open my webmail account, and brought up my Roboform requesting my main password for Roboform to enter my webmail account... That didn't make me feel too good. Thinking it was something I did in the last day or so, I tried to do a System restore back to the restore point created by Combofix when I first ran it originally... and now, none of my system restore points will restore. I repeatedly get the error that there was an 'unspecified error.'

To get around that... I've done everything I could find out about it... tried it from Safe Mode, from Safe Mode Command Prompt, tried sfc /scannow, and ran disk check. Nothing helped. I uninstalled some programs that I had installed in the past few days... but that didn't help either.

I'm curious whether this SR problem is due to me screwing with my system date the other day, for about a half hour... or, a virus... I dunno...

I am fairly adept with computers, I used to be a successful freelance computer consultant before I was disabled in 1999. So, I knew a lot then... know more than most now, but probably just enough to get myself in trouble now... as you can see from my problems running Combofix described above. I only tell you this, just so you know that I'm not your average newbie... nor someone unfamiliar with registry, etc. So... I hope that I can be a little easier to work with than most. :thumbsup:

Below is my latest HJT log, run per your request. I don't see much... There are some references in it still from two of the programs I have uninstalled... DUMeter is no longer installed, but still being called at startup, and I also installed and uninstalled PowerDVD in the interim time... you can see a reference to it near the bottom of the log, as File Missing... That may in fact be a weird artifact from my tries at System Restore during the past 24 hours, too. Who knows.

The last scan I did through ESET actually spotted SmitfraudFix.exe as a bad file, I don't recall its specific virus name, but it started with "not-a-virus" which seemed sorta strange to detect it as a virus, then call it "not a virus"... I haven't run SmitfraudFix on my system, just dl'd from this site for possible use in the future. Another file I had on my system was caught by BitDefender online scanner as being infected with Crypt.win32 virus, ASPack v2.12... I dunno, I couldn't find much info about symptoms of this virus, or if it's even just a FP...

But, forward we go... I look forward to working with you.

Thanks so much for getting to me... I know you guys are busy as hell..

-Dave

HJT Log to follow ----->



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:43 PM, on 2008-09-19
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Windows\system32\DUMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12869 bytes

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:00 AM

Posted 21 September 2008 - 12:18 AM

Hello, Quixotic1.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
This is precisely the reason ComboFix has the "DANGER!!" tag. It is also why CF instructions state that anti-malware programs need to be disabled before running it.
Unfortunately I am unable to release any information regarding ComboFix in this regard. Best I can do is fix you up.

These tools rely on other tools (such as psexec and psexesvc.exe), which can be used for both good and bad things. A/V programs have no way to tell the difference between good and bad uses of such programs, and therefore they alert the user.

Please don't run CF in the future unless directed to do so by a trained malware analyst.

That log looks clean to me. Since you've already tried a plethora of online scans on this thing, I'd like to get a second opinion to make sure things are completely kosher.

We need to run a system scan with Dr. Web CureIt
  • Please download DrWeb-CureIt & save it to your desktop.
    DO NOT perform a scan yet.
  • Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan" tab and UNcheck "Heuristic analysis"
  • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
In your next reply, please include the following:
  • Dr.Web's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Quixotic1

Posted 21 September 2008 - 10:39 PM

Billy:

Well, the instructions seemed to be slightly outdated, but I was able to muddle through and do what was asked. Below you will find my log. I added a C/R between each detection. Some curious findings...

Here's my ideas on what was found.

1) This RegUBP2b-Dave.reg was found inside a Spybot S&D directory... is this an FP? And if so, it got deleted... per your instructions.
2) Then again, this psexesvc.exe thing showed its ugly head in ComboFix. This was moved to the Quarantine automatically without any interaction from me, and I have confirmed that ComboFix is no longer in the folder on my desktop.
3) Again, SmitfraudFix came up with 'baddies' again. This was moved to the Quarantine automatically, and I have confirmed that SmitfraudFix is no longer in the folder on my desktop. Please recall that I never did run this program, I only dl'd it.
4) TrojDemo2.exe was a 'program' that is downloadable from the BufferZone program website. It is a program to test or 'prove' that BufferZone is doing what it is supposed to do. BufferZone is a sandbox program, which I installed briefly, disliked, and promptly uninstalled. Still, I had the installer and the test file on hand. This file I moved to the Quarantine after the scan.
5) Combofix again... this time, though, since the program had done the move to the quarantine automatically during the scan, without asking me, looks like it redetected its own moved file... Silly.
6) SmitfraudFix again. Same deal... The program moved it during the scan, and then redetected it in its own quarantine.
7) At some point while I was waiting for help, I found instructions for using SDFix on the BleepingComputer website. I did install it. And, I tried to use it, carefully following the instructions, but it never ran. Yes, I was in Safe Mode. I have no idea why it didn't run. This I moved to the quarantine after the scan, and confirmed that it is there.
8) OK... this is the silliest thing... The program apparently still uses 'Documents and Settings' even though this is Vista. The first detection of TrojDemo2 was in 'D&S'... the second was found in "Users". When doing the 'move' part, after the program finished the scan, I moved the first one listed, which was found under "Documents and Settings"... after I did this, immediately, the second detection reported that it couldn't find the file anymore... Well, yeah, I already quarantined it... This program seems not to know that Vista doesn't exactly 'use' "Docs and Sets" - at least not in the traditional sense.

So, as far as I can see... there was nothing found of much interest... except maybe the first thing... the RegUBP2b-Dave.reg... But, it sure seems to me that that ought to be an FP... I'll leave that up to you to determine. Of course, the file has been deleted, and now I have no idea what was in it, or what it was exactly... or if even Spybot will run anymore...

I look forward to your next reply and your next ideas...

Thank you so much for your continuing help with this.

-Dave




Beginning of Dr. Web's Log ---->

RegUBP2b-Dave.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Dave\Desktop\CF Fix\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Dave\Desktop\CF Fix;Archive contains infected objects;Moved.;

SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Dave\Desktop\CF Fix\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Dave\Desktop\CF Fix\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Documents and Settings\Dave\Desktop\CF Fix;Archive contains infected objects;Moved.;

TrojDemo2.exe;C:\Documents and Settings\Dave\Desktop\Vista Reinstall\BufferZone Pro v3;Tool.Securitest.origin;Moved.;

ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Dave\DoctorWeb\Quarantine\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Dave\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;

SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Dave\DoctorWeb\Quarantine\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Dave\DoctorWeb\Quarantine\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Documents and Settings\Dave\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;

Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;

TrojDemo2.exe;C:\Users\Dave\Desktop\Vista Reinstall\BufferZone Pro v3;Tool.Securitest.origin;Invalid path to file ;
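
The report above is semicolon-separated, one object per line (name;path;threat;action;), with hits inside an archive written as archive\member and the archive itself getting a derived "Archive contains infected objects" row. As an added example, not part of the thread and not Dr.Web's or BleepingComputer's code, here is a Python triage script that parses that layout and separates Dr.Web's riskware families (Program.*, Tool.*, which is where dual-use tools such as the PsExec bundled in ComboFix land) from malware names (Trojan.*, BackDoor.*), resolving each archive row to the worst member found inside it. The sample report is constructed from the entries in the post; the prefix-to-class mapping and the class names are my assumptions.

```python
"""Triage a Dr.Web CureIt report of the form  name;path;threat;action;
into riskware (dual-use tools), real malware, container hits and stale rows."""
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the report layout shown in the post (not a real scan).
SAMPLE_REPORT = r"""RegUBP2b-Dave.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Dave\Desktop\CF Fix\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Dave\Desktop\CF Fix;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Dave\Desktop\CF Fix\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\Documents and Settings\Dave\Desktop\CF Fix;Archive contains infected objects;Moved.;
TrojDemo2.exe;C:\Users\Dave\Desktop\Vista Reinstall\BufferZone Pro v3;Tool.Securitest.origin;Invalid path to file ;
"""

# Assumed mapping of Dr.Web name prefixes to triage classes: Program.* and
# Tool.* are its riskware/hacktool families, Trojan.* and BackDoor.* are malware.
RISKWARE_PREFIXES = ("Program.", "Tool.")
MALWARE_PREFIXES = ("Trojan.", "BackDoor.")
CONTAINER_VERDICT = "Archive contains infected objects"


@dataclass
class Finding:
    name: str                 # object name; nested hits look like "archive\member"
    path: str                 # directory, or the archive file for nested hits
    threat: str               # Dr.Web verdict string
    action: str               # "Deleted.", "Moved.", "" (nothing done), ...
    klass: str                # MALWARE, RISKWARE, CONTAINER, STALE or UNKNOWN
    container: Optional[str]  # outer archive name when the hit is nested


def classify(threat: str, action: str) -> str:
    if action.startswith("Invalid path"):
        return "STALE"      # row refers to a file an earlier row already moved
    if threat == CONTAINER_VERDICT:
        return "CONTAINER"  # verdict is derived from members, resolved later
    if threat.startswith(RISKWARE_PREFIXES):
        return "RISKWARE"
    if threat.startswith(MALWARE_PREFIXES):
        return "MALWARE"
    return "UNKNOWN"


def parse_report(text: str) -> List[Finding]:
    findings = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue            # blank or truncated line
        name, path, threat, action = (field.strip() for field in row[:4])
        container = name.split("\\", 1)[0] if "\\" in name else None
        findings.append(Finding(name, path, threat, action,
                                classify(threat, action), container))
    return findings


def container_worst(findings: List[Finding], archive: str) -> str:
    """An archive is only as bad as its worst member; UNKNOWN if none recorded."""
    members = [f.klass for f in findings if f.container == archive]
    for klass in ("MALWARE", "RISKWARE"):
        if klass in members:
            return klass
    return "UNKNOWN"


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Bucket object names by class, resolving CONTAINER rows to their worst member."""
    buckets: Dict[str, List[str]] = {
        k: [] for k in ("MALWARE", "RISKWARE", "CONTAINER", "STALE", "UNKNOWN")}
    for f in findings:
        if f.klass == "CONTAINER":
            buckets["CONTAINER"].append(f"{f.name} -> {container_worst(findings, f.name)}")
        else:
            buckets[f.klass].append(f.name)
    return buckets


if __name__ == "__main__":
    for klass, names in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{klass:9s} {names}")
```

Run it over a saved DrWeb.csv by reading the file and passing its text to parse_report. A container row whose worst member is RISKWARE (ComboFix.exe and SmitfraudFix.exe here) is a flag on a tool you put on the desktop yourself; the single MALWARE row is the only entry that deserves a closer look.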

#6 Billy O'Neal

Posted 22 September 2008 - 05:25 PM

Hello, Quixotic1.
Unfortunately I am unable to divulge any particulars about ComboFix. I'm sorry. At this point though, so long as you aren't having problems, I'd not worry about it.

Please go ahead and delete CureIt from your machine now :)

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start -> Control Panel -> System and Maintenance -> System.
  • Select "System Protection" in the upper left hand corner.
  • Click the button marked "Create" in the bottom of the window.
  • Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Open Vista's Searchbox (on your start menu) and type in "cleanmgr.exe"
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up", and then "Delete" in the "System Restore and Shadow Copies" section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3
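
The MVPs hosts file in the recommendations above works by mapping ad and tracker names to 0.0.0.0 so they never resolve; a hosts hijacker uses the same mechanism in reverse, pointing update and vendor names at 127.0.0.1 or sending a popular name to a server of its choosing. As an added example, not part of the thread and not MVPS or HostMan code, here is a Python audit that reads a hosts file and tells those cases apart. The sample file is constructed (203.0.113.5 is an RFC 5737 documentation address standing in for an attacker's server), and the list of protected vendor domains is my assumption, to be extended for whatever is actually installed.

```python
"""Audit a Windows hosts file: separate MVPS-style blackholing of ad hosts from
entries that blackhole security vendors or redirect names to other addresses."""
import ipaddress
from typing import List, Tuple

# Constructed sample, not a real hosts file. 203.0.113.5 is a documentation
# address (RFC 5737) standing in for an attacker-controlled server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style blocklist entries, blackholed to 0.0.0.0
0.0.0.0  ad.doubleclick.net
0.0.0.0  adserver.example  # trailing comment
# Entries of the kind a hosts hijacker plants
203.0.113.5     www.google.com
127.0.0.1       update.symantec.com liveupdate.symantecliveupdate.com
"""

# Domains a home machine must be able to reach for updates and definitions
# (assumed list; extend it for the products actually installed).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                      "symantecliveupdate.com", "bitdefender.com", "eset.com",
                      "drweb.com", "lavasoft.com", "safer-networking.org")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_protected(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, hostname, target, verdict) for every mapping.
    Verdicts: LOCAL, BLOCK, HIJACK_BLOCK_SECURITY, HIJACK_REDIRECT, BAD_LINE."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            target = ipaddress.ip_address(fields[0])
        except ValueError:
            results.append((n, line, fields[0], "BAD_LINE"))
            continue
        blackhole = target.is_loopback or target.is_unspecified
        for host in fields[1:]:
            if host.lower() in LOCAL_NAMES:
                verdict = "LOCAL"
            elif not blackhole:
                verdict = "HIJACK_REDIRECT"         # name sent somewhere else
            elif is_protected(host):
                verdict = "HIJACK_BLOCK_SECURITY"   # updates/AV silently blocked
            else:
                verdict = "BLOCK"                   # ordinary ad/tracker blackhole
            results.append((n, host, str(target), verdict))
    return results


def hijacks(text: str) -> List[Tuple[str, str]]:
    """Only the entries that need a human: redirects and blocked vendors."""
    return [(host, verdict) for _, host, _, verdict in audit_hosts(text)
            if verdict.startswith("HIJACK")]


if __name__ == "__main__":
    for n, host, target, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{n:3d} {verdict:22s} {host} -> {target}")
```

Point it at %SystemRoot%\System32\drivers\etc\hosts by reading that file and passing its text to audit_hosts. A large file full of BLOCK verdicts is what the MVPs list looks like; any HIJACK verdict is worth checking before the next scan, because a blocked update server quietly leaves every scanner on the machine out of date.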

#7 Quixotic1

Posted 23 September 2008 - 12:45 PM

Billy:

Well... I think that pretty much covers everything, particularly if my questions about the strange actions during Combofix were normal... BUT...

Here are a few remaining questions that haven't been answered, and I believe are Combofix neutral:

1) You may recall that I tried to use the online scanner from Housecall Anti Virus... When I tried to start that, I got a warning that ipconfig wanted internet access to begin downloading the program and definitions... and that didn't seem right to me. The warning didn't come from Zonealarm, but seemed to come from Windows or IE itself. It wasn't clear. It was a window with deep yellow at the top of the box. I didn't feel this was right, so I closed that online scanner, and instead used the one from BitDefender. I haven't tried it since, but, I assume I will still get the same request. Is this normal... (ie, does this happen on your Vista setup?)

2) Using CureIt, the first detection listed was "RegUBP2b-Dave.reg" found inside a Spybot S&D Directory... was this a FP? It was deleted. I've looked at the other files in this directory, and they mostly appeared to be short files exporting small segments of my registry to this Snapshot2 directory. Will Spybot run correctly without this file? And, what about the 'virus' it did detect... Trojan.StartPage.1505.

3) I have followed all of the rest of your directions in your last post... Now that I have only the newly created Restore Point, do you think that my Restore Point failure issues are behind me? Do you have any idea what might have caused a perfectly good and working restore system to begin to fail, and not restore anymore?


I suppose beyond those three questions, I think we have pretty much done all that can be done. However...

I did experience one instance yesterday where again an open IE instance that I had in the background, seemed to attempt to open my main Webmail account, bringing up my Roboform login/password filler. Fortunately, I wasn't logged into Roboform, and IE couldn't redirect to my email website. I've never seen this activity before the last two or three weeks. Any ideas what might cause this?

I have read that it is shockingly hard to catch or stop Keyloggers. Do you have any advice on how to combat or catch keyloggers on my system?

Lastly, do you have any experience with Sandboxie? Is it as completely safe as they suggest? I have had the experience running a known infected file inside the sandbox, and AdWatch picked up and blocked the activity anyway. Also, in a similar case, running a known problem program in the sandbox, Symantec Endpoint AV picked up the infected file, and deleted it. I thought that the sandbox kept these problems from getting outside the sandbox, and my expectation from this would be that my 'outside' protections would never see the 'bad' activities. Comments?


And, so, with those remaining questions, I guess we are nearing the end. I do want to thank you so much for reviewing my information with me, and helping 'fix' my mistakes... I certainly learned a lesson about running a program that I don't fully understand... namely Combofix. And, I shall never run it again without the aid of you guys at Bleeping Computer. Thank you so much for your help. It has been greatly appreciated.

Dave

#8 Billy O'Neal

Posted 23 September 2008 - 03:47 PM

1) You may recall that I tried to use the online scanner from Housecall Anti Virus... When I tried to start that, I got a warning that ipconfig wanted internet access to begin downloading the program and definitions... and that didn't seem right to me. The warning didn't come from Zonealarm, but seemed to come from Windows or IE itself. It wasn't clear. It was a window with deep yellow at the top of the box. I didn't feel this was right, so I closed that online scanner, and instead used the one from BitDefender. I haven't tried it since, but, I assume I will still get the same request. Is this normal... (ie, does this happen on your Vista setup?)

IPconfig should not be autostarting, and should not be asking for internet access. However, it is no longer autostarting on your system.

2) Using CureIt, the first detection listed was "RegUBP2b-Dave.reg" found inside a Spybot S&D Directory... was this a FP? It was deleted. I've looked at the other files in this directory, and they mostly appeared to be short files exporting small segments of my registry to this Snapshot2 directory. Will Spybot run correctly without this file? And, what about the 'virus' it did detect... Trojan.StartPage.1505.

This was not a false positive. It was data that Spybot had already dealt with and moved into its quarantine. Either that or it detected Spybot's definitions. Either way, not something you need to worry about :)

3) I have followed all of the rest of your directions in your last post... Now that I have only the newly created Restore Point, do you think that my Restore Point failure issues are behind me? Do you have any idea what might have caused a perfectly good and working restore system to begin to fail, and not restore anymore?

No I honestly don't know :thumbsup:

I did experience one instance yesterday where again an open IE instance that I had in the background, seemed to attempt to open my main Webmail account, bringing up my Roboform login/password filler. Fortunately, I wasn't logged into Roboform, and IE couldn't redirect to my email website. I've never seen this activity before the last two or three weeks. Any ideas what might cause this?

I'm not sure, given that I've never used RoboForm myself. No infection which would cause such behavior appears to be present on your system, however.

I have read that it is shockingly hard to catch or stop Keyloggers. Do you have any advice on how to combat or catch keyloggers on my system?

No, they are not hard to detect. A HJT log is enough to detect non-malicious keyloggers (Such as Family Keylogger), and an anti-virus or anti-malware program will detect and remove malicious ones. None were present on your system.

Lastly, do you have any experience with Sandboxie? Is it as completely safe as they suggest? I have had the experience running a known infected file inside the sandbox, and AdWatch picked up and blocked the activity anyway. Also, in a similar case, running a known problem program in the sandbox, Symantec Endpoint AV picked up the infected file, and deleted it. I thought that the sandbox kept these problems from getting outside the sandbox, and my expectation from this would be that my 'outside' protections would never see the 'bad' activities. Comments?

I've honestly never even heard of that program. Rather than a "sandbox", if you want a truly sandboxed setup, you need to go with a full blown hypervisor such as VMware, Virtual PC, VirtualBox, or Parallels.

And, so, with those remaining questions, I guess we are nearing the end. I do want to thank you so much for reviewing my information with me, and helping 'fix' my mistakes... I certainly learned a lesson about running a program that I don't fully understand... namely Combofix. And, I shall never run it again without the aid of you guys at Bleeping Computer. Thank you so much for your help. It has been greatly appreciated.


You are quite welcome :)

Billy3

#9 Billy O'Neal

Posted 24 September 2008 - 07:54 PM

Hello, Quixotic1.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

#10 Billy O'Neal

Posted 26 September 2008 - 03:46 PM

User returned; topic reopened. Please post any additional problems below.

Billy3

#11 Quixotic1

Posted 26 September 2008 - 07:14 PM

Attached file: ipconfig.jpg

Billy:

Can I assume you read my full note about the ipconfig issue with Housecall online scanner? If so, then I am attaching the screenshot for you to see what I am getting. It seems awful curious to me... and I'm very uncomfortable with it. And, if you didn't read it all, let me know, and I'll summarize it again... or see if there's a copy somewhere that got saved on my end.

Thanks for re-opening. I appreciate your continued support.

Dave

#12 Billy O'Neal

Posted 27 September 2008 - 12:00 AM

Housecall needs to be run when Internet Explorer is "Run As Administrator" and therefore protected mode will be off. This will prevent that message from appearing.

You can verify the legitimacy of your ipconfig using a service such as VirusTotal (http://virustotal.com )

If IPConfig wanted access on its own that would be bad. But in this case HouseCall is relying on ipconfig to provide it information.

I would suggest more accurate scanners such as BitDefender, Kaspersky, ESET, or F-Secure anyway. I have personally had problems where A: it would miss items and B: it would simply crash or hang when it attempted to remove anything.

But if it works for you by all means use it.

Billy3

#13 Quixotic1

Posted 28 September 2008 - 12:48 PM

Billy:

OK... So, if I had run as admin, I would have never seen that message... ok... that makes sense. Makes me feel a little better. I must have missed that requirement when reading through their setup.

Normally, if I was just out doing things, and something like me going to Housecall just for giggles one day, and it happened to call ipconfig, I would ordinarily recognize that it was in response to me starting the scanner. BUT, since I also had a call to ipconfig through my ZoneAlarm during all that weird stuff that happened to me while running Combofix at the beginning of all this... and me thinking that something had infected me at the same time... well... it was just too many times, too close together, for ipconfig to be called... I've used ipconfig, and its predecessors for years... but have NEVER seen another program call it on its own, and have it ask for access through my firewall. Guess I'm just being too careful. And quite a bit skittish. (Before this Combofix problem, in early September, I was forced in August to flatten and reinstall from scratch due to viral activities that I was unable to get any scanner to catch... only its activities... but no name for it. I still have that file safely stored away for later, to upload to some virus scan company for review... but, then this hit me, and time just seems to keep slipping away.)

As for HC's 'consistency', I only chose them as they were the first online scanner suggested on BC's own FAQ titled, by memory, 'What to do before posting your Hijack This log on BC'. I've been using BitDefender and ESET, and have been plenty happy with them.

Regarding using virustotal to scan ipconfig... well, that would be fine if I thought ipconfig was infected, but it wouldn't do anything if some malware was calling it to be used for malicious purposes. As far as I know, there's no way to test whether a 'safe' uninfected program is being used for bad reasons. (Unless some resident scanner somehow sees it as part of a pattern of malicious calls.) But, yes, I've used virustotal, as well as a few other uploading scanners.

So, I do think that you can now safely close this topic. You have answered my questions, and you have me feeling pretty clean and safe... and a lot smarter... due to making a few mistakes, and then watching you help me fix them. I appreciate all that you have done for me... And, I really appreciate that this whole service from BC is available to the public at large. You guys provide a wonderful service.

Thank you so much.

Dave

#14 Billy O'Neal

Posted 28 September 2008 - 03:24 PM

Hello, Quixotic1.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



