
Possible Multipacked.Multi.Generic Infection


  • This topic is locked
14 replies to this topic

#1 GaryGranath

  • Members
  • 68 posts
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle

Posted 15 November 2009 - 09:03 PM

Have a home network. My wife's PC probably has malware and she can't use her browsers, so I can't post from her system. My PC works, so I gathered the needed files on her PC and emailed them to mine. Note: When starting RootRepeal, a pop-up window entitled "RootRepeal Error" displayed the text: "Error - invalid PE image found!" but I clicked OK and the scan file seems ok.

Wife's PC is XP Home SP3, using IE8 and Firefox 3.0.15, my router has hardware firewall, Zone Alarm Extreme Security with Firewall and AV/AS active. Brief explanation of problem's onset:

She googled for the new movie - 2012 - and she thinks she selected a match on youtube for a movie trailer. Upon clicking the video link on youtube, IE8 froze immediately and ZA started notifying her repeatedly about a virus. ZA is set to detect "On Access" in "Smart Mode and Try to Repair", but if it can't, to quarantine. ZA flagged C:\Documents and Settings\Owner\n.vzr as a problem with a virus named Multipacked.Multi.Generic.

When ZA settled down, multiple log entries said ZA couldn't repair the file and quarantine failed, although I still have the following in quarantine:

Infection = MultiPacked.Multi.Generic
Days in Quarantine = 3
Path = C:\Documents and Settings\Owner\n.vzr

A note indicates: "This item may be repairable in a future update."

I downloaded and executed the most current version of MS Malicious Software Removal Tool but it found nothing to remove.

I called ZA and their rep had me reboot in "Safe Mode with Networking" and do an ultra deep scan. Before he went home for the weekend he said if the ultra scan was clean to do a rootkit scan. It was clean but there is no rootkit scan available in my ZA product. What the...? Maybe he forgot what ZA product I'm using. I tried various things to get IE8 to work and as things "progressed," somehow all the logged ZA alerts for this malware migrated away somewhere - I didn't knowingly clear them. While trying various things to get IE8 to work, a pop-up window named "iexplore.exe - Application Error" displayed:

"The instruction at 0x'10037001' referenced memory at 0x'10037001'. The memory could not be written. Click OK to terminate the program."

While trying to get a handle on this, I saw a few "global hook" entries in the ZA log that seemed to be "badness" but I don't know more than that. They're gone now.

Now whenever I launch IE8, the first time I get no response. Task Manager doesn't show that IE has started. So I launch it a second time. Immediately I get a Data Execution Prevention window from Microsoft, and XP closes IE8 - this happens every time now. However, if I left-click like a madman in the area of the IE8 taskbar (still blank while IE8 is trying to come up), sometimes the task items (File, Edit, Tools, Help) will display and I can actually enter URLs in the address box and go to, for example, bleepingcomputer! Weird. I think I've disabled all the browser add-ons, links, toolbars, and search providers, but that didn't help. On a hunch, I installed Mozilla Firefox and it dies the same way. This is where I find myself now. So it looks like I can access the Internet, but only after really working at it. Most of the time IE8 gets the MS DEP error. Thus, it may be possible that if you wish to remote connect to the failing PC, you can!

I used Windows Explorer to search the failing PC for a file named n.vzr and found only n.vzr-09FBB8D6.pf in c:\Windows\Prefetch. Is a rogue file hiding somewhere?

Thanks for any guidance on this. I'm pasting the DDS.txt contents below and attaching the Attach.txt and ark.txt files to this post. I think you folks have your hands full! -Gary
--------------------------------------------------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 22:00:59.37 on Sat 11/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.75 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PowerBar]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182810858578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182810746125
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\cn1xo0tx.default\
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-8-26 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-8-26 439664]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-8-26 35448]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-6-30 69692]

=============== Created Last 30 ================

2009-11-14 22:46:51 0 d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2009-11-15 00:20:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-13 19:08:07 110592 ----a-w- c:\windows\system32\imm32.dll
2009-09-24 00:05:04 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-24 00:04:56 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-03-09 01:53:58 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030820090309\index.dat

============= FINISH: 22:03:24.82 ===============

Edited by GaryGranath, 15 November 2009 - 09:15 PM.



#2 Buckeye_Sam
    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 November 2009 - 08:23 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle

Posted 16 November 2009 - 06:02 PM

Sam, I patched O/S code for IBM mainframes but they never had anything like combofix. Someone has done a lot of work. Beautiful. I noticed that when combofix rebooted that my ZA antivirus autostarted, and your instructions said to disable it, so you probably expected to see that.

Incidentally, I wrote down a running copy of the messages when combofix started. You may find evidence of two messages in the log, but almost immediately he told me a system file was infected: C:\WINDOWS\system32\imm32.dll. Then he said that the file netekwcyto.dll in WINDOWS' system32 directory was trying to attach itself to combofix.

Here are the combofix log.txt contents.
-Gary
---------------------------------------------------------------

ComboFix 09-11-16.05 - Owner 11/16/2009 17:28..1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.186 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Failure Folder\ComboFix.exe
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
The following files were disabled during the run:
c:\windows\system32\netekwcyto.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2445810432-2914882101-1291228572-1003
D:\Autorun.inf

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imm32.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-14 22:46 . 2009-11-14 22:46 -------- d-----w- c:\program files\Trend Micro
2009-11-13 23:11 . 2009-11-13 23:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 22:45 . 2009-09-16 19:21 144 ----a-w- c:\windows\system32\pdfl.dat
2009-11-16 22:07 . 2007-09-29 14:50 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-16 22:06 . 2007-04-27 23:25 -------- d-----w- c:\documents and settings\Owner\Application Data\MailWasherPro
2009-11-16 13:42 . 2009-11-16 18:24 50176 ----a-w- c:\windows\Internet Logs\xDB4C.tmp
2009-11-16 02:32 . 2009-11-16 13:03 54784 ----a-w- c:\windows\Internet Logs\xDB4B.tmp
2009-11-16 02:15 . 2009-11-16 02:16 105472 ----a-w- c:\windows\Internet Logs\xDB4A.tmp
2009-11-15 21:53 . 2009-11-15 23:16 216576 ----a-w- c:\windows\Internet Logs\xDB49.tmp
2009-11-15 02:39 . 2009-11-15 02:50 85504 ----a-w- c:\windows\Internet Logs\xDB48.tmp
2009-11-15 00:02 . 2009-11-15 00:03 67072 ----a-w- c:\windows\Internet Logs\xDB47.tmp
2009-11-14 23:22 . 2009-11-14 23:23 53760 ----a-w- c:\windows\Internet Logs\xDB46.tmp
2009-11-14 22:57 . 2009-11-14 22:58 81920 ----a-w- c:\windows\Internet Logs\xDB45.tmp
2009-11-14 22:14 . 2009-11-14 22:15 84992 ----a-w- c:\windows\Internet Logs\xDB44.tmp
2009-11-14 03:39 . 2009-11-14 14:45 139264 ----a-w- c:\windows\Internet Logs\xDB43.tmp
2009-11-14 02:07 . 2006-10-27 03:55 -------- d-----w- c:\program files\Google
2009-11-14 02:06 . 2009-05-06 15:45 -------- d-----w- c:\program files\Coupons
2009-11-14 00:38 . 2009-11-14 00:38 156160 ----a-w- c:\windows\Internet Logs\xDB42.tmp
2009-11-13 01:35 . 2009-11-13 14:22 77312 ----a-w- c:\windows\Internet Logs\xDB41.tmp
2009-11-09 04:32 . 2009-11-12 22:57 51200 ----a-w- c:\windows\Internet Logs\xDB40.tmp
2009-11-08 16:42 . 2009-11-09 00:35 63488 ----a-w- c:\windows\Internet Logs\xDB3F.tmp
2009-11-08 04:04 . 2009-11-08 15:43 55808 ----a-w- c:\windows\Internet Logs\xDB3E.tmp
2009-11-07 04:55 . 2009-11-08 01:54 62976 ----a-w- c:\windows\Internet Logs\xDB3D.tmp
2009-11-06 17:14 . 2009-11-06 22:47 52224 ----a-w- c:\windows\Internet Logs\xDB3C.tmp
2009-11-06 04:16 . 2009-11-06 16:07 58880 ----a-w- c:\windows\Internet Logs\xDB3B.tmp
2009-11-05 14:38 . 2009-11-05 20:47 70656 ----a-w- c:\windows\Internet Logs\xDB3A.tmp
2009-11-04 19:26 . 2009-11-04 22:01 63488 ----a-w- c:\windows\Internet Logs\xDB39.tmp
2009-11-04 04:26 . 2009-11-04 15:52 61952 ----a-w- c:\windows\Internet Logs\xDB38.tmp
2009-11-03 20:01 . 2009-11-04 01:07 163328 ----a-w- c:\windows\Internet Logs\xDB37.tmp
2009-11-01 02:49 . 2009-11-01 21:34 60928 ----a-w- c:\windows\Internet Logs\xDB36.tmp
2009-10-31 19:45 . 2009-10-31 22:45 55808 ----a-w- c:\windows\Internet Logs\xDB35.tmp
2009-10-31 04:21 . 2009-10-31 17:37 49664 ----a-w- c:\windows\Internet Logs\xDB34.tmp
2009-10-31 03:05 . 2009-10-31 03:23 91136 ----a-w- c:\windows\Internet Logs\xDB33.tmp
2009-10-30 03:34 . 2009-10-30 13:55 82944 ----a-w- c:\windows\Internet Logs\xDB32.tmp
2009-10-29 03:25 . 2009-10-29 12:26 64000 ----a-w- c:\windows\Internet Logs\xDB31.tmp
2009-10-28 02:42 . 2009-10-28 15:35 60928 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-10-27 04:08 . 2009-10-27 23:32 66560 ----a-w- c:\windows\Internet Logs\xDB2F.tmp
2009-10-26 17:07 . 2009-10-26 19:05 54784 ----a-w- c:\windows\Internet Logs\xDB2E.tmp
2009-10-26 04:57 . 2009-10-26 16:13 56320 ----a-w- c:\windows\Internet Logs\xDB2D.tmp
2009-10-25 21:44 . 2009-10-25 23:52 60416 ----a-w- c:\windows\Internet Logs\xDB2C.tmp
2009-10-25 01:20 . 2009-10-25 13:19 57344 ----a-w- c:\windows\Internet Logs\xDB2B.tmp
2009-10-24 02:45 . 2009-10-24 22:44 50176 ----a-w- c:\windows\Internet Logs\xDB2A.tmp
2009-10-23 18:21 . 2009-10-24 01:55 50688 ----a-w- c:\windows\Internet Logs\xDB29.tmp
2009-10-23 15:56 . 2009-10-23 17:22 55296 ----a-w- c:\windows\Internet Logs\xDB28.tmp
2009-10-23 01:37 . 2009-10-23 14:50 50688 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2009-10-22 22:42 . 2009-10-22 23:32 56832 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2009-10-22 01:40 . 2009-10-22 20:48 68096 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-10-20 17:12 . 2009-10-20 23:00 72704 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2009-10-19 18:05 . 2009-10-19 22:06 61440 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2009-10-19 02:03 . 2009-10-19 15:54 54784 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-10-18 01:31 . 2009-10-19 01:27 58368 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-10-17 19:18 . 2009-10-17 23:21 59904 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2009-10-16 21:35 . 2009-10-17 17:51 62464 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2009-10-16 02:02 . 2009-10-16 18:22 69632 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2009-10-15 02:19 . 2009-10-15 16:42 116736 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-10-14 17:03 . 2009-10-14 21:37 1913856 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2009-10-14 16:48 . 2006-10-27 04:04 -------- d-----w- c:\program files\Microsoft Works
2009-10-14 00:35 . 2009-10-14 14:05 70656 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-10-13 18:46 . 2009-10-13 19:17 116224 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-10-09 01:07 . 2009-10-11 21:38 70656 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2009-10-07 19:30 . 2009-10-07 22:13 72704 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2009-10-07 01:41 . 2009-10-07 12:43 63488 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2009-10-06 02:48 . 2009-10-06 23:37 110592 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2009-10-05 17:43 . 2009-10-05 22:48 79872 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2009-10-04 20:54 . 2009-10-04 23:44 55808 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2009-10-04 02:36 . 2009-10-04 19:33 56320 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-10-03 00:22 . 2009-10-03 23:21 55296 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-10-02 18:37 . 2009-10-02 23:16 65024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-10-02 02:47 . 2009-10-02 17:02 68096 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-10-01 17:40 . 2009-10-01 18:00 128512 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-09-30 03:15 . 2009-09-30 23:46 61952 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-09-29 20:10 . 2009-09-30 01:47 139776 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-09-26 02:47 . 2009-09-26 15:44 58880 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-09-26 00:50 . 2009-09-26 02:00 70144 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-09-24 22:43 . 2009-09-25 01:58 68096 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-09-24 00:05 . 2009-09-16 19:20 72584 ----a-w- c:\windows\zllsputility.exe
2009-09-24 00:04 . 2009-10-01 01:05 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-09-24 00:04 . 2009-10-01 01:05 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-09-24 00:04 . 2009-09-16 19:20 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-09-23 14:09 . 2009-09-24 00:36 57856 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-09-23 02:00 . 2009-09-23 13:04 82432 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-09-22 03:20 . 2009-09-22 03:26 58368 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-09-21 18:04 . 2009-09-22 02:25 79360 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-09-20 21:29 . 2009-09-21 01:57 70144 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-09-20 01:36 . 2009-09-20 17:01 59904 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-09-19 02:15 . 2009-09-19 23:35 57856 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-09-18 18:00 . 2009-09-19 00:29 105472 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-09-17 00:20 . 2009-09-17 15:39 91648 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-09-16 19:21 . 2009-09-16 19:21 80 ----a-w- c:\windows\system32\ibfl.dat
2009-09-16 11:44 . 2009-09-16 11:44 144 ----a-w- c:\windows\system32\lkfl.dat
2009-09-11 14:18 . 2006-05-07 00:24 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-05-07 00:24 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-05-07 00:24 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-15 344064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-14 196608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-27 98304]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-24 1011080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-12 16267776]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/26/2009 11:20 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/26/2009 11:20 AM 439664]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/26/2009 11:20 AM 35448]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/30/2006 11:44 PM 69692]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2007-01-25 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-05-07 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cn1xo0tx.default\
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-PowerBar - (no file)
HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
HKLM-Run-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe
HKLM-Run-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
AddRemove-Mcafee SecurityCenter - c:\progra~1\mcafee.com\shared\mcappins.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 17:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????\?@?\?@?D?????A~??????????????A~\?@?\?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0?????????????st??A~????????????????????0???????????\?@?\?@?????Q?B~????d?@?????\?@?(?@?\?@?3??s????????????????????(?@?_??s(?@?(?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2074014613-3245131041-2640498089-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(652)
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2348)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(568)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CheckPoint\ZAForceField\ForceField.exe
.
**************************************************************************
.
Completion time: 2009-11-16 17:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-16 22:52

Pre-Run: 92,223,713,280 bytes free
Post-Run: 92,289,425,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 66A0DF180718C5B3483CEE9528D0EA63

Edited by GaryGranath, 16 November 2009 - 06:07 PM.
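The DDS report in the first post and the ComboFix report above are read by hand in this thread. A defender who triages many such logs would script the first pass, so the following Python script is added here as an example; it is not part of this thread and not code from ComboFix, DDS or catchme. It runs over a constructed excerpt modelled on the posted logs and flags the findings a helper looks for first: protection products reported disabled or outdated, files ComboFix disabled, system files it reported as infected and restored, Security Center monitoring and Windows Firewall policy values, and Run-key values whose data is unprintable (as catchme showed for the PowerBar entry). The line shapes it parses, the 30% unprintable-character threshold and the severity labels are this example's own assumptions.

```python
"""Triage helper for ComboFix / DDS / catchme style logs (added example).

Assumptions: the line shapes below are modelled on the logs posted in this
thread; the unprintable-character threshold and severity labels are choices
made for this example, not anything the tools themselves define.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix and catchme output in this thread.
# It is sample input for this script, not a verbatim copy of the posted logs.
SAMPLE_LOG = r"""
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
The following files were disabled during the run:
c:\windows\system32\netekwcyto.dll

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imm32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-15 344064]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-24 1011080]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????\?@?\?@?D?????A~??????????????A~K?A~x???????[?A~
"""

STATUS_LINE = re.compile(r"^(AV|FW): (.*)$")
PATCHED_LINE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
BRACKET_KEY = re.compile(r"^\[(HK[^\]]+)\]$")               # REGEDIT4-style key
BARE_KEY = re.compile(r"^(HK(?:LM|CU|EY_[A-Z_]+)\\\S.*)$")  # catchme-style key
QUOTED_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "Name"=data
PLAIN_VALUE = re.compile(r"^([\w ]+?)\s*=\s*(.*)$")         # Name = data


def looks_binary(data: str) -> bool:
    """ComboFix and catchme print bytes they cannot render as '?', so a Run
    value made mostly of '?' or non-printable characters is raw binary rather
    than a command line. The 30% threshold is this example's assumption."""
    if not data:
        return False
    odd = sum(1 for c in data if c == "?" or not 32 <= ord(c) < 127)
    return odd / len(data) > 0.3


def check_value(key: str, name: str, data: str, findings: List[Dict[str, str]]) -> None:
    """Apply the registry-value rules to one Name=data pair under key."""
    key_l = key.lower()
    dword = re.match(r"dword:([0-9a-fA-F]+)", data)
    if ("security center\\monitoring" in key_l and name == "DisableMonitoring"
            and dword and int(dword.group(1), 16) != 0):
        # Normal for a third-party suite, but it also silences "AV off" warnings: review it.
        findings.append(dict(severity="low", kind="security_center",
                             detail=f"{key}: Security Center alerts suppressed"))
    elif ("firewallpolicy" in key_l and name == "EnableFirewall"
            and data.strip().split()[0] == "0"):
        findings.append(dict(severity="medium", kind="windows_firewall",
                             detail=f"{key}: Windows Firewall profile disabled"))
    elif key_l.rstrip("\\").endswith("currentversion\\run") and looks_binary(data):
        findings.append(dict(severity="high", kind="hidden_autostart",
                             detail=f"{key}\\{name}: autostart value holds unprintable data"))


def triage(text: str) -> List[Dict[str, str]]:
    """Walk the log once and collect findings in the order they appear."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    in_disabled_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # blank or ComboFix's "." spacer ends a block
            in_disabled_block = False
            continue
        m = STATUS_LINE.match(line)
        if m:
            kind, rest = m.groups()
            if "*disabled*" in rest or "scanning disabled" in rest or "(Outdated)" in rest:
                findings.append(dict(severity="medium", kind="protection",
                                     detail=f"{kind} not protecting: {rest}"))
            continue
        if line.startswith("The following files were disabled"):
            in_disabled_block = True   # the paths follow until the next blank line
            continue
        if in_disabled_block:
            findings.append(dict(severity="high", kind="disabled_file", detail=line))
            continue
        m = PATCHED_LINE.match(line)
        if m:
            findings.append(dict(severity="high", kind="patched_system_file", detail=m.group(1)))
            continue
        m = BRACKET_KEY.match(line) or BARE_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = QUOTED_VALUE.match(line) or PLAIN_VALUE.match(line)
        if m and current_key:
            check_value(current_key, m.group(1), m.group(2), findings)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a one-line overview of a log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f["severity"]):
        print(f"[{f['severity']:6}] {f['kind']:20} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG)))
```

The script only orders what a human must still judge: a suppressed Security Center entry is expected when a third-party suite owns the alerts, whereas a Run value that is pure binary has no benign explanation and goes to the top of the list.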


#4 Buckeye_Sam
    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 November 2009 - 09:05 AM

Yeah sUBs has done a spectacular job creating and maintaining Combofix. It's a tremendous tool!

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 GaryGranath

GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:56 PM

Posted 17 November 2009 - 02:47 PM

Hello Sam - Here's the eset online scan log file. The computer now opens browsers w/o any problem and seems more responsive than before. I'm amazed. I expected a terrible mess. I'm at a loss for words to express my thanks. The hard work of you and your colleagues is priceless. But it's free. I'm amazed to think that in a world dominated by selfishness that there are still folks like you motivated by the desire to help sad sacks like me.
I'm learning sign language so I can do volunteer work with the deaf so I know the satisfaction you must feel after a success like this. Is any housekeeping necessary? I see a new Qoobox directory on my C: drive. After looking at the log, please read my additional comments following it.
----------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7cb1ac0cf614e44888f555a8b43313c8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-11-17 06:31:26
# local_time=2009-11-17 01:31:26 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 158127 158127 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16776869 100 77 3198804 4646058 0 0
# scanned=53651
# found=0
# cleaned=0
# scan_time=2948

----------------------------------
I have a 2-PC home network and since the infected PC couldn't access the Internet, I've been going back and forth between the two, downloading, uploading, posting to the forum, emailing log files back and forth, etc. I made a mistake. Wait, wait, don't faint. FYI, I had triple bypass surgery last December. They split my breastbone, lowered my temp to 82.5 deg, packed ice around my heart, and stopped my heart/lungs for 94 minutes. Some post-op patients have cognitive and memory problems. I think I'm one. I was up again very late last night working on this and the idea struck me that since our PCs are on a home network mine might have been infected too. I started - emphasis - I only started combofix on the other PC.

As it went through its stages, error-free, my uneasiness grew. I went back and read your perfectly clear warning never to use combofix unless instructed to do so. Dread hit me. But I didn't panic and stop in the middle of the scan. And I did not tell combofix to download the MS Recovery Console. I wrote down on paper the 3 file deletions and 1 folder deletion that occurred. Combofix finished and produced a log file, which I have kept as safe as the family jewels. Can you assist me in backing out from this? I observed that combofix had set a system restore point, but I don't see it. Please try to have compassion for me. I just don't seem to have a lot of sense anymore. -Gary

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:56 AM

Posted 18 November 2009 - 08:45 AM

Wow! I imagine having a procedure like that might give one a whole new perspective on life. Amazing!

No worries on running Combofix on your other computer. It runs flawlessly 99% of the time and if something does go wrong, it can go really wrong. As long as Combofix ran to completion and your computer still boots up and runs normally then you're fine and no reason to take any additional action. Although I do recommend removing Combofix from both computers now.

Here are those steps as well as some recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#7 GaryGranath

GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:56 PM

Posted 18 November 2009 - 11:27 AM

Thank you for your understanding. I planned to show my appreciation for your help by buying a dinner for two for you at a restaurant of your choice. But I see that you provided a way to make a cash donation so I did that. Please use it to enjoy yourself. You've earned it and now I know I can go to bleepingcomputer if I run into any other bugs like this one and get expert help.

Re: future security, my home network is wired, I use a router, which should hide me from some external threats, and both PCs run ZA Extreme Security, with antivirus/spyware, a firewall, and "Forcefield" to watch browser activity - regularly updated (although none of those caught this intrusion). I formerly used Spybot/teatimer. Should I supplement my ZA anti-spyware with Spybot and SpywareBlaster, or is that redundant?

I install all MS updates when I get the monthly reminder (should I do it more often?). You said that once I've done that update and rebooted that I should revisit the site. Do you mean that if I go back to MS update immediately that I may find more critical updates? Also, a professional friend suggested running malwarebytes' free online scanner once a month, and using MS Security Essentials. What do you think of that? Is it overkill?

You may not be allowed to recommend a particular set of protective tools, but if you feel comfortable sharing with me the names of the products you use (via private message or email if you wish - granath@verizon.net) please do. There must have been a good reason for you to have me run eset, and I've had unpleasant experiences (e.g. slow performance, dirty upgrades, not detecting threats, and off-shore tech support by people who can only read a script and have a very thick accent) with three prominent antivirus products.

So thanks again for bailing me out. This was a very positive experience.

Oh man, I almost forgot two things. On the second PC - the one on which I foolishly ran combofix - the log file indicates that the following were deleted. Do I need to be concerned about restoring them?

Three Deleted Files:
C:\windows\coupon~1.ocx
C:\windows\couponprinter.ocx
C:\windows\system32\QTWMCI32.DLL

One Deleted Folder:
C:\windows\Downloaded Program Files\ODCTOOLS


Finally, I can't uninstall combofix on either PC. I enter Start | Run and enter combofix /u in the text box, and combofix runs as usual. It doesn't honor the uninstall switch. XP's software uninstall function doesn't know combofix is present. What the...?
-Gary

Edited by GaryGranath, 18 November 2009 - 05:17 PM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:56 AM

Posted 18 November 2009 - 05:50 PM

Finally, I can't uninstall combofix on either PC. I enter Start | Run and enter combofix /u in the text box, and combofix runs as usual. It doesn't honor the uninstall switch. XP's software uninstall function doesn't know combofix is present. What the...?

Here's the problem. You need to move Combofix.exe directly onto your desktop.

Running from: c:\documents and settings\Owner\Desktop\Failure Folder\ComboFix.exe


Oh man, I almost forgot two things. On the second PC - the one on which I foolishly ran combofix - the log file indicates that the following were deleted. Do I need to be concerned about restoring them?

Three Deleted Files:
C:\windows\coupon~1.ocx
C:\windows\couponprinter.ocx
C:\windows\system32\QTWMCI32.DLL

One Deleted Folder:
C:\windows\Downloaded Program Files\ODCTOOLS

No, don't restore those. They're adware.


You may not be allowed to recommend a particular set of protective tools, but if you feel comfortable sharing with me the names of the products you use (via private message or email if you wish - granath@verizon.net) please do. There must have been a good reason for you to have me run eset, and I've had unpleasant experiences (e.g. slow performance, dirty upgrades, not detecting threats, and off-shore tech support by people who can only read a script and have a very thick accent) with three prominent antivirus products.

On my computers I use Avast antivirus (free version), Windows firewall, Malwarebytes, Superantispyware, and Spywareblaster. I have Windows automatically download and install updates and I use Firefox as my browser.

I install all MS updates when I get the monthly reminder (should I do it more often?). You said that once I've done that update and rebooted that I should revisit the site. Do you mean that if I go back to MS update immediately that I may find more critical updates? Also, a professional friend suggested running malwarebytes' free online scanner once a month, and using MS Security Essentials. What do you think of that? Is it overkill?

If you keep your computer on all the time just make sure Windows is set up to automatically download and install all updates and you should be fine. Every now and then it's a good idea to visit Windows Update to manually check for any updates that may be missed, but I rarely do this myself. Malwarebytes is an excellent program and I recommend running it often. I'm not familiar with MS Security Essentials.

Re: future security, my home network is wired, I use a router, which should hide me from some external threats, and both PCs run ZA Extreme Security, with antivirus/spyware, a firewall, and "Forcefield" to watch browser activity - regularly updated (although none of those caught this intrusion). I formerly used Spybot/teatimer. Should I supplement my ZA anti-spyware with Spybot and SpywareBlaster, or is that redundant?

ZA is very good. You might want to add Malwarebytes to the mix. Spywareblaster is a different type of program and all about prevention. I'd definitely use it, especially if you use IE as your browser.

Thank you for your understanding. I planned to show my appreciation for your help by buying a dinner for two for you at a restaurant of your choice. But I see that you provided a way to make a cash donation so I did that. Please use it to enjoy yourself. You've earned it and now I know I can go to bleepingcomputer if I run into any other bugs like this one and get expert help.

I got the donation. Thank you very much! It just so happens that my wife's birthday is Friday, so we will go out and have a nice dinner. Thanks again!


========================================================

#9 GaryGranath

GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:56 PM

Posted 19 November 2009 - 04:34 PM

I have a final thought. I do irregular manual backups of my data, because doing it manually is kind of a nuisance (although not as big a nuisance as rebuilding everything). I'd swear that in our exchange of messages you mentioned three backup utilities (one was XP's version), but I can't find it. Did you? Do you have any favorites?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:56 AM

Posted 19 November 2009 - 07:35 PM

No, I didn't mention it. I actually use an online service called Mozy.

http://mozy.com/


========================================================

#11 GaryGranath

GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:56 PM

Posted 21 November 2009 - 03:16 PM

Sam,
My first attempt to post failed mid-stream and it appears that "Manage Current Attachments" knows about it, but there may be some duplication here. The important thing is the MS Word document, which I think I've attached successfully.

It looks like I may have some post-combofix housekeeping to do and I don't want to muck things up by going forward without your advice.

I just noticed that the Windows Explorer view of my directory tree still has a Folder entry for Combofix, under which are listed subdirectories whose further subdirectories are identical with those listed under the usual "My Computer" folder, including another entry for Combofix, under which the same structure is viewable... endlessly I suppose.

I've attached an MS Word doc with a screenshot of what I see, so you can confirm my sanity. I don't want to just delete the first Combofix, for fear Windows will think I want to delete... well, everything!

A suggestion please?
Thanks, Gary

#12 GaryGranath

GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:56 PM

Posted 21 November 2009 - 03:57 PM

Sam,
I think I have confirmed that this is an endless loop. I did a search in Windows Explorer for a file with a unique name and it became evident that once Explorer had searched everything on both my HDDs, he started over again... and again... and again. I suppose it would continue forever.

I need to find a way to eliminate the Combofix directory (and as a consequence, everything below it) without destroying the "real" data below the "real" directory entries. And I suspect that as Windows is trying to complete my request, he'll discover some essential system files under the Combofix path and tell me: "I'm sorry Dave. I can't do that." This looks ugly.
Gary

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:56 AM

Posted 21 November 2009 - 04:15 PM

Go to this file.

c:\documents and settings\Owner\Desktop\Failure Folder\ComboFix.exe

Right click on it and select Cut.
Now go to your desktop, right click on it and select Paste.

Click START then RUN
Now type Combofix /u in the runbox and click OK


========================================================

#14 GaryGranath

GaryGranath
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:56 PM

Posted 21 November 2009 - 08:16 PM

Why did I ever start messing around with computers anyhow? Sometimes it just isn't fun.

Since uninstalling combofix as soon after the problem on the other PC was fixed, I have cleaned up all related files on my PC, including the Failure Folder. And I then emptied the Recycle Bin. So I thought the ComboFix.exe was gone. But I searched both my HDDs and found a copy. So I did Cut/Paste to my Desktop.
(Incidentally, when I was cleaning up after you fixed the bug on the other PC, I typed ComboFix /u in the Start | Run box and instead of ComboFix uninstalling, it did another scan - all 50 stages. I googled and found that I wasn't the only one with that bug so eventually I typed 'ComboFix /Uninstall' and then it uninstalled as it should have.)

So I did Start | Run, typed ComboFix /u into the text box (expecting the same problem), but Windows now says:

Windows cannot find 'ComboFix'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Must be something to do with its attributes but I don't know enough about Windows to figure out what. I can enter the complete path in the text box: C:\Documents and Settings\Gary Granath\Desktop\ComboFix.exe and Windows can find it and ask me if I really want to run it, then it will do the 50-step scan, but I'm not able to specify the 'uninstall' switch.

What the heck is going on?
Gary

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:56 AM

Posted 22 November 2009 - 09:15 AM

The uninstall switch is supposed to make things easier, but you can just as easily delete the file.

Delete this file:
C:\Documents and Settings\Gary Granath\Desktop\ComboFix.exe

And you can also delete this folder, if it's present:
C:\Qoobox


========================================================



