followup to Topic 204059.html #entry 1157967


This topic is locked
7 replies to this topic

#1 morgansfind
Posted 19 March 2009 - 05:23 PM

Here is the combofix log. Thanks.

ComboFix 09-03-18.01 - morgan 2009-03-18 17:07:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.550 [GMT -7:00]
Running from: c:\documents and settings\morgan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\morgan\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

FILE ::
c:\windows\svcho.exe
c:\windows\syssvc.exe
c:\windows\system32\drivers\UACmnetjecx.sys
c:\windows\system32\UACdpfjwcdy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACmnetjecx.sys

.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-17 17:23 . 2009-03-17 17:23 <DIR> d-------- c:\program files\Microsoft
2009-03-17 17:18 . 2009-03-17 17:20 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-17 17:10 . 2009-03-17 17:10 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-01 22:15 . 2009-03-18 17:42 7,693 --a------ c:\windows\system32\Config.MPF
2009-03-01 21:54 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-01 21:54 . 2009-01-09 13:03 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-01 21:54 . 2009-01-09 13:03 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-01 21:54 . 2009-01-09 13:03 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-01 21:52 . 2009-03-01 21:53 <DIR> d-------- c:\program files\McAfee.com
2009-03-01 21:52 . 2009-03-17 17:01 <DIR> d-------- c:\program files\McAfee
2009-03-01 21:52 . 2009-03-01 21:54 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-01 21:50 . 2009-01-09 13:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-02-20 18:10 . 2009-02-20 18:10 <DIR> d-------- c:\program files\TechTracker
2009-02-20 18:10 . 2009-02-20 21:41 <DIR> d-------- c:\documents and settings\morgan\Application Data\VersionTracker Pro
2009-02-20 14:59 . 2009-02-20 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Auslogics
2009-02-20 14:19 . 2009-02-20 14:19 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-02-20 13:30 . 2009-02-20 13:30 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\MYPOINTS
2009-02-20 13:29 . 2009-02-20 13:29 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 05:14 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-18 00:49 --------- d--h--w c:\documents and settings\morgan\Application Data\Move Networks
2009-03-18 00:20 --------- d-----w c:\program files\Java
2009-03-05 02:21 --------- d-----w c:\program files\Google
2009-03-02 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-02 05:00 --------- d-----w c:\program files\SiteAdvisor
2009-02-20 21:10 --------- d-----w c:\program files\mypoints
2009-02-19 06:14 --------- d-----w c:\documents and settings\morgan\Application Data\SUPERAntiSpyware.com
2009-02-19 06:13 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-19 06:02 --------- d-----w c:\program files\Graboid
2009-02-19 06:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 05:58 --------- d-----w c:\program files\Corel
2009-02-19 05:58 --------- d-----w c:\documents and settings\morgan\Application Data\Corel
2009-02-17 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-17 02:53 --------- d-----w c:\documents and settings\morgan\Application Data\Malwarebytes
2009-02-17 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 02:23 --------- d-----w c:\documents and settings\morgan\Application Data\McAfee
2009-02-16 20:15 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-02-16 19:51 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-16 19:51 --------- d-----w c:\documents and settings\morgan\Application Data\Symantec
2009-02-16 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-29 01:45 --------- d-----w c:\documents and settings\morgan\Application Data\GoodSync
2007-10-03 21:59 779,312 ----a-w c:\program files\MoveMediaPlayer_07074039.exe
2007-09-22 20:46 24,341,879 ----a-w c:\program files\Graboid Beta Setup.exe
2007-04-30 03:12 774,144 -c--a-w c:\program files\RngInterstitial.dll
2007-04-28 17:19 5,635,184 -c--a-w c:\program files\DingInstall-1.05.zip
2007-01-23 01:59 251 -c--a-w c:\program files\wt3d.ini
2008-08-29 00:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-03-18_16.55.08.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-19 00:17:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_26c.dat
+ 2009-03-19 00:16:25 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_534.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-01-19 160592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-17 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-05-26 217088]
Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-08-21 391680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-01 210216]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S0 nlhlvyfu;nlhlvyfu;c:\windows\system32\drivers\yfvcvexy.sys --> c:\windows\system32\drivers\yfvcvexy.sys [?]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [2007-01-10 386560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-02 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 17:42:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\8* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\Common Files\Intellisync\PushSyncService\PushSyncService.exe
.
**************************************************************************
.
Completion time: 2009-03-18 17:48:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 00:48:13
ComboFix2.txt 2009-03-18 23:57:29
ComboFix3.txt 2009-03-02 04:14:28

Pre-Run: 22,228,983,808 bytes free
Post-Run: 22,210,252,800 bytes free

210 --- E O F --- 2009-03-14 19:50:04

#2 miekiemoes
Malware Response Team

Posted 19 March 2009 - 05:41 PM

Hi,

Not sure where you got the instructions to create a CFScript, because I didn't post it in your previous thread here:
http://www.bleepingcomputer.com/forums/ind...p;#entry1139397
So please let me know who gave you these instructions for the cfscript, because this is really confusing.
Thanks
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 morgansfind
Posted 26 March 2009 - 07:57 PM

hi,

I don't know what CFScript is. I'm so sorry, tell me what to do, I messed up. :thumbup2:

#4 miekiemoes
Malware Response Team

Posted 27 March 2009 - 02:02 AM

Well, you certainly created and used a CFScript, that's for sure.
Did you receive help from anyone else? Or did anyone else try to fix this? Please let me know, because it's really confusing now.

#5 morgansfind
Posted 28 March 2009 - 01:13 AM

I added the text you asked me to add to combo...., from the notepad. I really don't know what a script is. Sorry for any confusion.

#6 miekiemoes
Malware Response Team

Posted 28 March 2009 - 04:42 AM

Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7 miekiemoes
Malware Response Team

Posted 31 March 2009 - 08:12 AM

Let me know in your next reply how things are now.

Still with us?

#8 miekiemoes
Malware Response Team

Posted 26 April 2009 - 09:27 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.