
Virtumonde/.prx/smitfraud/Tinybar.c


This topic is locked
8 replies to this topic

#1 Zombie12


Posted 16 February 2009 - 10:39 PM

Hi,
My Spybot recently detected four viruses:

Virtumonde
Virtumonde.prx
Smitfraud
Tinybar.c

Every time I fix it, it shows the green tick mark claiming it has fixed them, but when I run Spybot again it shows the viruses again. I have also tried to clean up using Spybot in safe mode and restarted, without success.

I also have McAfee Security Center, but it has not detected any of the malware.

Please help. I have already backed up all my files... Thanks


DDS (Ver_09-02-01.01) - NTFSx86
Run by Bagya at 21:19:10.54 on Mon 02/16/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.429 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Bagya\LOCALS~1\Temp\clclean.0001
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bagya\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSEARCH PAGE = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {b6b21f4e-16bd-e048-4ec4-46a1e647fb02}: {20bf746e-1a64-4ce4-840e-db61e4f12b6b} - c:\windows\system32\jsbvhh.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khffgGWn.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {c25fa3d2-edee-4a7b-af8c-d4f6765d3c8c} - c:\windows\system32\tuvSmkIA.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~1\data\xtras\mssysmgr.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB166] command /c del "c:\windows\system32\gayfhygd.ini"
uRunOnce: [SpybotDeletingD3122] cmd /c del "c:\windows\system32\gayfhygd.ini"
uRunOnce: [SpybotDeletingB277] command /c del "c:\windows\system32\dgyhfyag.dll_old"
uRunOnce: [SpybotDeletingD9304] cmd /c del "c:\windows\system32\dgyhfyag.dll_old"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [SpybotDeletingA6359] command /c del "c:\windows\system32\gayfhygd.ini"
mRunOnce: [SpybotDeletingC3786] cmd /c del "c:\windows\system32\gayfhygd.ini"
mRunOnce: [SpybotDeletingA8495] command /c del "c:\windows\system32\dgyhfyag.dll_old"
mRunOnce: [SpybotDeletingC7452] cmd /c del "c:\windows\system32\dgyhfyag.dll_old"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: khffgGWn - khffgGWn.dll
AppInit_DLLs: uindqo.dll rojzdw.dll uofggg.dll jsbvhh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khffgGWn.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvSmkIA

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bagya\applic~1\mozilla\firefox\profiles\bxsuxznr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-11-1 201320]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-30 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-22 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-11-1 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-11-1 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-11-1 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-11-1 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-11-1 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-11-1 33832]

=============== Created Last 30 ================

2009-02-16 21:07 34,171 a--sh--- c:\windows\system32\AIkmSvut.ini2
2009-02-16 20:49 129,024 a------- c:\windows\system32\jsbvhh.dll
2009-02-16 20:49 129,024 a------- c:\windows\system32\ljoddotl.dll
2009-02-16 20:47 72,704 -------- c:\windows\system32\dgyhfyag.dll_old
2009-02-16 20:45 34,171 a--sh--- c:\windows\system32\AIkmSvut.ini
2009-02-16 20:45 302,592 a------- c:\windows\system32\tuvSmkIA.dll
2009-02-16 20:31 161,792 a------- c:\windows\SWREG.exe
2009-02-16 20:31 98,816 a------- c:\windows\sed.exe
2009-02-14 17:06 36,352 a------- c:\windows\system32\khffgGWn.dll

==================== Find3M ====================

2009-01-05 16:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-30 08:47 79,019 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 11:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2006-11-04 18:25 88 ---shr-- c:\windows\system32\7500BA5090.sys
2006-11-04 18:25 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:21:38.10 ===============

#2 miekiemoes

  • Malware Response Team

Posted 17 February 2009 - 03:40 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your Antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, as McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Zombie12


Posted 17 February 2009 - 07:53 PM

Hi,
I disabled TeaTimer per your instructions and ran ResetTeaTimer.bat. I ran ComboFix and the log is below. (BTW - I had previously run ComboFix before contacting this forum; not sure if the log shows it, but I wanted to let you know.)
Thanks for the help.

ComboFix 09-02-15.01 - Bagya 2009-02-17 18:30:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.453 [GMT -6:00]
Running from: c:\documents and settings\Bagya\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AIkmSvut.ini
c:\windows\system32\AIkmSvut.ini2
c:\windows\system32\jsbvhh.dll
c:\windows\system32\jwvvnqti.dll
c:\windows\system32\ljoddotl.dll
c:\windows\system32\qciddu.dll
c:\windows\system32\redpydqf.dll
c:\windows\system32\tuvSmkIA.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-17 18:28 . 2009-02-17 18:28 <DIR> d-------- C:\32788R22FWJFW
2009-02-16 11:41 . 2006-10-30 16:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-16 11:41 . 2006-12-27 16:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2009-02-16 11:41 . 2009-02-16 11:41 <DIR> d-------- c:\documents and settings\Administrator
2009-02-14 17:06 . 2009-02-14 17:06 36,352 --a------ c:\windows\system32\khffgGWn.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 23:34 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-15 19:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-14 14:39 --------- d-----w c:\program files\McAfee
2009-01-21 17:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-07-04 16:44 81,920 ----a-w c:\documents and settings\Shaji\Application Data\ezpinst.exe
2008-07-04 16:44 47,360 ----a-w c:\documents and settings\Shaji\Application Data\pcouffin.sys
2008-07-04 13:45 284 ----a-w c:\documents and settings\Shaji\Application Data\ViewerApp.dat
2006-11-05 00:25 88 --sh--r c:\windows\system32\7500BA5090.sys
2006-11-05 00:25 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_20.44.26.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-17 02:19:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-17 23:37:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-17 02:19:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-17 23:37:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-14 17:06 36352 --a------ c:\windows\system32\khffgGWn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-14 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 212992]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [BU]
"xloadnet"="c:\program files\xloadnet\xloadnet.exe" [BU]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-30 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\khffgGWn.dll" [2009-02-14 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuvwvs]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffgGWn]
2009-02-14 17:06 36352 c:\windows\system32\khffgGWn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qciddu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Shaji\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-30 206096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2007-05-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{18ACB87B-2022-4846-8918-D21375DC0CEE} - (no file)
BHO-{2C535F8D-7E8C-48D7-A06D-751AB6D65FD1} - (no file)
BHO-{3111DA81-47F4-492D-B282-0ADE59DA1B85} - (no file)
BHO-{60f999c6-42e5-4005-9a42-53544ce77437} - c:\windows\system32\qciddu.dll
BHO-{69EB3CE4-2E36-49FB-AFC5-02DEB314B606} - (no file)
BHO-{729FB62C-05E5-4D18-95EE-FA37D4D5FADE} - c:\windows\system32\tuvSmkIA.dll
BHO-{9D6295E2-156E-4C4F-9C46-BFF382E30578} - (no file)
BHO-{B52F7A9B-E850-4564-9C15-6B416143A246} - (no file)
BHO-{BCCC611C-0E8C-4D22-8414-81F53BE84278} - (no file)
BHO-{CD14CF48-3DAD-4F8E-B6D0-7AA4912DDEF5} - (no file)
BHO-{CFDEF9B6-E27A-4305-A30A-10BA723CB377} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSEARCH PAGE = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Bagya\Application Data\Mozilla\Firefox\Profiles\bxsuxznr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 18:39:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\khffgGWn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Bagya\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-17 18:44:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 00:44:11

Pre-Run: 93,942,214,656 bytes free
Post-Run: 93,927,141,376 bytes free

196 --- E O F --- 2009-02-11 09:04:08

#4 miekiemoes

  • Malware Response Team

Posted 18 February 2009 - 05:00 AM

Hi,

I see you didn't allow ComboFix to install the Recovery Console. I cannot stress enough how important it is to have it installed. So I suggest you install it.

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\khffgGWn.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xloadnet"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuvwvs]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffgGWn]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
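The CFScript above removes exactly the entries that stand out when the DDS "Pseudo HJT Report" is read against the "Created Last 30" section: autostart slots (BHO, Winlogon Notify, ShellExecuteHooks, AppInit_DLLs, LSA packages) that load DLLs dropped into system32 days earlier, plus BHOs with no display name. The following is an added triage script that automates that correlation; it is not part of DDS, ComboFix or this thread, and it assumes the section headings and line layout shown in the DDS log posted above (the sample input is made of lines copied from that log).

```python
"""Correlate the "Pseudo HJT Report" autostart entries of a DDS log with its
"Created Last 30" section: any autostart entry that loads a file written to
disk within the last month is reported, as is any BHO registered without a
display name. Defender-side triage helper added as an example; it is not part
of DDS, ComboFix or the thread it illustrates."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind entry files reasons")

# DDS line prefixes for the autostart locations worth correlating. RunOnce is
# left out: in this log those entries are only Spybot's pending file deletions.
AUTOSTART_PREFIXES = ("BHO:", "TB:", "SEH:", "Notify:", "AppInit_DLLs:",
                      "LSA:", "uRun:", "mRun:")

# "2009-02-14 17:06 36,352 a------- c:\windows\system32\khffgGWn.dll"
DATED_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
# A BHO whose display name is missing or is itself a GUID, e.g.
# "BHO: {6d794cb4-...} - c:\windows\system32\khffgGWn.dll"
UNNAMED_BHO = re.compile(r"^BHO: (?:" + GUID + r": )?" + GUID + r" - ")


def basename(token):
    """Lower-cased file name of a path or bare token ("[igfxtray]" -> "igfxtray")."""
    return token.strip('"[],').rsplit("\\", 1)[-1].lower()


def parse_dds(text):
    """Return ({basename: full path} of files created in the last 30 days,
    [autostart entry lines]) from the two relevant DDS sections."""
    section, recent, entries = None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("==="):                 # "=== Section Name ==="
            section = line.strip("= ").lower()
        elif section == "created last 30":
            m = DATED_LINE.match(line)
            if m:
                recent[basename(m.group("path"))] = m.group("path")
        elif section == "pseudo hjt report" and line.startswith(AUTOSTART_PREFIXES):
            entries.append(line)
    return recent, entries


def triage(text):
    """Flag autostart entries that reference recently created files or that
    are BHOs without a display name. Findings keep the order of the log."""
    recent, entries = parse_dds(text)
    # LSA lists packages without ".dll", so also index files by their stem.
    stems = {name.rsplit(".", 1)[0]: name for name in recent}
    findings = []
    for entry in entries:
        kind = entry.split(":", 1)[0]
        files, reasons = [], []
        for token in entry.split():
            name = basename(token)
            path = recent.get(name) or recent.get(stems.get(name, ""))
            if path and path not in files:
                files.append(path)
        if files:
            reasons.append("loads a file created in the last 30 days")
        if UNNAMED_BHO.match(entry):
            reasons.append("BHO registered without a display name")
        if reasons:
            findings.append(Finding(kind, entry, tuple(files), tuple(reasons)))
    return findings


# Sample input: lines copied from the DDS log posted in this thread, including
# two benign Intel graphics entries so the filter has something to pass.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: {b6b21f4e-16bd-e048-4ec4-46a1e647fb02}: {20bf746e-1a64-4ce4-840e-db61e4f12b6b} - c:\windows\system32\jsbvhh.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khffgGWn.dll
BHO: {c25fa3d2-edee-4a7b-af8c-d4f6765d3c8c} - c:\windows\system32\tuvSmkIA.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
Notify: igfxcui - igfxdev.dll
Notify: khffgGWn - khffgGWn.dll
AppInit_DLLs: uindqo.dll rojzdw.dll uofggg.dll jsbvhh.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khffgGWn.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvSmkIA

=============== Created Last 30 ================

2009-02-16 20:49 129,024 a------- c:\windows\system32\jsbvhh.dll
2009-02-16 20:45 302,592 a------- c:\windows\system32\tuvSmkIA.dll
2009-02-14 17:06 36,352 a------- c:\windows\system32\khffgGWn.dll

==================== Find3M ====================
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:13} {'; '.join(f.reasons)}\n    {f.entry}")
```

Run against the sample it reports seven entries, every one of which is a target of the CFScript or of the earlier ComboFix deletions, while the McAfee BHO and the igfx entries pass.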

#5 Zombie12


Posted 18 February 2009 - 07:27 PM

Hi,
Thanks, I ran ComboFix with the additional script you provided. This time I installed the Recovery Console.

Here is the ComboFix log

ComboFix 09-02-15.01 - Bagya 2009-02-18 18:03:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.594 [GMT -6:00]
Running from: c:\documents and settings\Bagya\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bagya\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\khffgGWn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\khffgGWn.dll
c:\windows\system32\opnmLdCS.dll
c:\windows\system32\SCdLmnpo.ini
c:\windows\system32\SCdLmnpo.ini2

.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-16 11:41 . 2006-10-30 16:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-16 11:41 . 2006-12-27 16:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2009-02-16 11:41 . 2009-02-16 11:41 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 23:34 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-15 19:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-14 14:39 --------- d-----w c:\program files\McAfee
2009-01-21 17:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-07-04 16:44 81,920 ----a-w c:\documents and settings\Shaji\Application Data\ezpinst.exe
2008-07-04 16:44 47,360 ----a-w c:\documents and settings\Shaji\Application Data\pcouffin.sys
2008-07-04 13:45 284 ----a-w c:\documents and settings\Shaji\Application Data\ViewerApp.dat
2006-11-05 00:25 88 --sh--r c:\windows\system32\7500BA5090.sys
2006-11-05 00:25 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_20.44.26.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-17 02:19:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-19 00:03:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-17 02:19:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 00:03:57 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-14 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 212992]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [BU]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-30 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Shaji\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-30 206096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2007-05-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4E432011-F062-4E0B-A81D-DD9ABB2D1382} - c:\windows\system32\opnmLdCS.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSEARCH PAGE = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Bagya\Application Data\Mozilla\Firefox\Profiles\bxsuxznr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 18:10:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-18 18:14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 00:14:23
ComboFix2.txt 2009-02-18 00:44:18

Pre-Run: 93,732,249,600 bytes free
Post-Run: 93,870,465,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(4)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

175 --- E O F --- 2009-02-11 09:04:08

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 18 February 2009 - 07:42 PM

Hi,

This looks OK again...

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
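As an added example (not part of the thread and not a tool the reply above uses), a small Python script that pulls the JRE install directories out of the "FF - plugin:" lines of a ComboFix/DDS log like the one posted above and flags any install older than the 6 Update 12 release the reply recommends (numbered 1.6.0_12 on disk). The sample lines are constructed from the j2re1.4.2_03 paths in this thread plus one made-up current install.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in ComboFix's "Supplementary Scan" format: two lines taken from
# the log in this thread plus a made-up current JRE and one non-Java plugin.
SAMPLE_LOG = r"""FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\jre1.6.0_12\bin\new_plugin\npjp2.dll
"""

# A JRE directory as Sun named it: "j2re1.4.2_03", "jre1.5.0_06", "jre1.6.0_12".
# Group 1 is the whole directory name, group 2 the dotted version, group 3 the update.
JRE_DIR = re.compile(r"\\java\\((?:j2re|jre)(\d+(?:\.\d+)*)(?:_(\d+))?)\\", re.IGNORECASE)

# Oldest acceptable release per the reply above: JRE 6 Update 12 == 1.6.0_12.
MINIMUM = (1, 6, 0, 12)


def parse_version(ver: str, update: Optional[str]) -> Tuple[int, ...]:
    """Turn '1.4.2' + '03' into (1, 4, 2, 3). A bare 'jre6' style name (no '1.' prefix)
    is normalised to (1, 6, 0, 0); it carries no update number, so it sorts as outdated
    and deserves a manual check rather than being silently accepted."""
    parts = [int(p) for p in ver.split(".")]
    if parts[0] != 1:
        parts = [1] + parts
    while len(parts) < 3:
        parts.append(0)
    parts.append(int(update) if update else 0)
    return tuple(parts)


def java_installs(log_text: str) -> Dict[str, Tuple[int, ...]]:
    """Map each JRE directory referenced by an 'FF - plugin:' line to its version tuple."""
    found: Dict[str, Tuple[int, ...]] = {}
    for line in log_text.splitlines():
        if not line.startswith("FF - plugin:"):
            continue
        m = JRE_DIR.search(line)
        if m:
            found[m.group(1)] = parse_version(m.group(2), m.group(3))
    return found


def outdated_java(log_text: str, minimum: Tuple[int, ...] = MINIMUM) -> List[str]:
    """Directory names of JRE installs older than `minimum`, sorted for stable output."""
    return sorted(d for d, v in java_installs(log_text).items() if v < minimum)


if __name__ == "__main__":
    for d in outdated_java(SAMPLE_LOG):
        print("outdated JRE still registered as a Firefox plugin:", d)
```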

#7 Zombie12 (Topic Starter, Members, 7 posts)

Posted 19 February 2009 - 07:16 PM

Hi,
Thanks for all the help. I have installed the updated version of Java and also uninstalled combofix. Everything seems to be working well.

Thanks again.

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 20 February 2009 - 04:54 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 21 February 2009 - 06:37 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.