Infected with DNS Changer Trojan


  • This topic is locked
20 replies to this topic

#1 annoyed710

Posted 23 December 2009 - 06:21 PM

We got a DNS Changer Trojan on our desktop that first appeared as a security alert. It would not allow us to run Spybot or install Malwarebytes. I was eventually able to rename Malwarebytes, install it on the desktop and run it. It came up with 59 problems and said it was able to fix them all. Once it restarted, McAfee said it was running again, but there was no firewall installed. It won't let us install or fix that part of the security. The Windows firewall is on, but when enabling the Windows firewall per your instructions, I noticed that on the services tab in advanced settings, there was a listing for Teredo (between Telnet Server and Web Server) that was checked. I left it checked for now.

Every time I run Malwarebytes when restarting the computer, it now names 3 problems that it says it fixes. There are two listings for Trojan.FakeAlert - 1 is listed as a memory module, and one as a File. The other problem is Rootkit.TDSS and it is listed as a registry key.

The only way I know there is still a problem is that when I start up the computer, not only does it take a very long time, but the McAfee label that usually is in the middle of the screen at startup isn't there and the small icon in the toolbar at the bottom is not there. After running Malwarebytes, it informs of the same 3 problems each time and fixes them. Then it prompts to restart. When restarting then, it does have the McAfee label and the icon at the bottom, but a ! warning that the firewall isn't enabled or functioning. It won't let us fix that.

We do have a router that was installed and encrypted by the Geek Squad. The two laptops that we use with the router don't appear to be affected.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Administrator at 16:35:01.64 on Wed 12/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.501 [GMT -6:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/home.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {C0AE7D77-9D38-4816-B03A-E07077F60B09} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim6]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_02\bin\jusched.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\PMREMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pushcl~1.lnk - c:\program files\interwise\participant\pull.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204840811062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5837/mcfscan.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\McProxy.exe [2009-12-17 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-17 144704]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-17 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-17 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-17 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-17 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-17 40552]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-26 24652]

=============== Created Last 30 ================

2009-12-23 00:55:16 0 d-----w- c:\docume~1\compaq~1\applic~1\GoodSync
2009-12-23 00:55:12 0 d-----w- c:\program files\Siber Systems
2009-12-23 00:30:01 0 d-----w- c:\program files\Runtime Software
2009-12-23 00:23:23 0 d-----w- c:\program files\Cobian Backup 9
2009-12-20 01:51:03 0 d-----w- c:\windows\system32\NtmsData
2009-12-19 19:31:54 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-12-19 18:37:20 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 18:37:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-19 18:37:18 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-12-19 18:37:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 16:06:09 0 d-----w- c:\windows\McAfee.com
2009-12-18 17:55:28 0 d-----w- c:\program files\AntiMalware
2009-12-18 03:17:33 79816 ------w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-18 03:17:33 40552 ------w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-18 03:17:33 35272 ------w- c:\windows\system32\drivers\mfebopk.sys
2009-12-18 03:12:27 120136 ------w- c:\windows\system32\drivers\Mpfp.sys
2009-12-18 02:56:38 0 d-----w- c:\program files\common files\McAfee
2009-12-18 02:56:16 0 d-----w- c:\program files\McAfee
2009-12-18 02:52:07 34248 ------w- c:\windows\system32\drivers\mferkdk.sys
2009-12-17 23:24:57 0 d-----w- c:\docume~1\compaq~1\applic~1\McAfee
2009-12-17 21:41:00 585 ------w- c:\windows\system32\krl32mainweq.dll
2009-12-17 21:39:59 127 ----a-w- c:\windows\system32\srcr.dat
2009-12-16 00:01:37 70496 ---h--w- c:\windows\system32\mlfcache.dat
2009-12-12 23:00:13 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-11-04 22:54:12 214664 ------w- c:\windows\system32\drivers\mfehidk.sys
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2006-07-25 14:02:52 774144 ------w- c:\program files\RngInterstitial.dll

============= FINISH: 16:36:00.50 ===============


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:03 AM

Posted 29 December 2009 - 10:51 AM

Hi annoyed710,

Welcome to BC HijackThis forum and apologies for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • I see on the log Ask Toolbar is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar

    Also remove the folder in bold (if present) only after uninstalling Ask Toolbar:
    C:\Program Files\AskBar
    c:\program files\askbardis

  • Optional: Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Please disable McAfee as follows:
    • Please open McAfee Security Centre
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.

      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)

    • Next, select never for "When to re-enable real time scanning"
    • and click OK.
    Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820

    Note: It is important to enable those setting(s) immediately after ComboFix produced its log.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 annoyed710

Posted 29 December 2009 - 07:06 PM

Hi Farbar,

Thank you so much for your reply!!! I am so grateful for your help. I got the first two steps accomplished, but when I restarted my computer after running malwarebytes (as prompted) the small McAfee icon is in the lower right hand corner of the screen (next to the clock) and as it has been, there is a ! over the icon and it tells me my computer is not protected. It has been doing that and when I open the security center it says that the firewall is not on and it can't fix it when prompted.

So, that is the same, but the new problem is that there is no shortcut or any other sign of McAfee and clicking the small icon won't let me open the security center or go to the quick links-home section. McAfee is listed under installed programs when I go to control-add/delete programs.

So, I don't know how to get at the McAfee center to complete your directions numbered 4.

Also, there were 4 problems this time, instead of the 3 I had been getting when running Malwarebytes. I'll paste that log below for now.

Thanks again for your help!

Malwarebytes' Anti-Malware 1.42
Database version: 3453
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2009 5:17:42 PM
mbam-log-2009-12-29 (17-17-42).txt

Scan type: Quick Scan
Objects scanned: 176090
Time elapsed: 17 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTqkodpbavyq.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTqkodpbavyq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

#4 Farbar

Posted 29 December 2009 - 07:21 PM

You are welcome annoyed710.

We have two choices: Take the risk and run Combofix while McAfee is still enabled or Uninstall McAfee and reinstall it after ComboFix removed the infection. I prefer the latter. We have alternatives to run other tools but none can take all at once like ComboFix.

#5 annoyed710

Posted 29 December 2009 - 07:36 PM

I had spoken too soon, I guess. I hope it was OK, I tried running malwarebytes immediately again, and it found two of the problems it had previously found. I am sending the second mbam log. But, the good news is that after reboot that time, it now let me disable the McAfee items you had listed. I am going to now continue with the original directions. Sorry for the false alarm!

Malwarebytes' Anti-Malware 1.42
Database version: 3453
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2009 6:22:20 PM
mbam-log-2009-12-29 (18-22-20).txt

Scan type: Quick Scan
Objects scanned: 165422
Time elapsed: 12 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully
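
The two Malwarebytes logs in posts #3 and #5 report some of the same items as deleted and then detect them again on the next scan, which usually means a component the scanner did not remove is restoring them. The following is an added example, not part of any post in this thread: it parses excerpts of those two logs and lists the detections that come back after a reported removal. The function names and the "reported removed, then seen again" rule are assumptions of this example.

```python
import re
from typing import NamedTuple

# Detection sections excerpted from the two MBAM logs posted above
# (17:17:42 and 18:22:20 on 12/29/2009); empty sections mostly omitted.
LOG_1717 = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTqkodpbavyq.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTqkodpbavyq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

LOG_1822 = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully
"""


class Detection(NamedTuple):
    section: str  # e.g. "Registry Keys"
    item: str     # file path or registry key as printed in the log
    family: str   # detection name in parentheses
    action: str   # what the scanner says it did


# "Files Infected:" opens a section; "Files Infected: 2" (the summary
# count near the top of a full log) does not match because of the "$".
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def parse_mbam(text):
    """Return every detection line found in an MBAM text log."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            detections.append(Detection(section, item.group("item"),
                                        item.group("family"),
                                        item.group("action")))
    return detections


def recurring(scans):
    """scans: [(label, log_text), ...] in chronological order.

    Returns {(section, item_lowercased, family): [labels]} for items that
    one scan reported as deleted and a later scan detected again.
    """
    removed_in = {}  # key -> label of the first scan that claimed removal
    hits = {}
    for label, text in scans:
        for d in parse_mbam(text):
            key = (d.section, d.item.lower(), d.family)
            if key in removed_in and removed_in[key] != label:
                hits.setdefault(key, [removed_in[key]]).append(label)
            elif "deleted successfully" in d.action.lower():
                removed_in.setdefault(key, label)
    return hits


if __name__ == "__main__":
    result = recurring([("17:17", LOG_1717), ("18:22", LOG_1822)])
    for (section, item, family), labels in result.items():
        print(f"{family:18} {section:14} {item}  seen in {labels}")
```

Items marked only "Delete on reboot" are not counted as removed, so the memory-module entry from the first scan is not flagged when it is absent from the second.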

#6 annoyed710

Posted 29 December 2009 - 08:31 PM

Hi Farbar,

Well, I think I got the combofix run OK. Here's the report. I can't believe you can make sense out of all the info the reports generate! Thanks for your help!


ComboFix 09-12-29.04 - Compaq_Administrator 12/29/2009 18:55:44.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.563 [GMT -6:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Scott\Desktop\AntiMalware.lnk
C:\LOG.TXT
c:\program files\AntiMalware
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\system32\drivers\H8SRTbqaitetidw.sys
c:\windows\system32\H8SRTkomqhyicxd.dat
c:\windows\system32\H8SRTqkodpbavyq.dll
c:\windows\system32\H8SRTqppqlrdkrj.dll
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\srcr.dat
c:\windows\unins000.dat
c:\windows\unins000.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-30 00:48 . 2009-12-30 01:11 -------- d-----w- \ComboFix
2009-12-30 00:38 . 2009-12-30 01:06 -------- d---a-w- \Qoobox
2009-12-29 17:01 . 2009-12-29 17:01 176816 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-29 14:03 . 2009-12-29 14:03 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\CANON INC
2009-12-23 00:55 . 2009-12-23 00:57 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GoodSync
2009-12-23 00:55 . 2009-12-23 00:55 -------- d-----w- c:\program files\Siber Systems
2009-12-23 00:30 . 2009-12-23 00:30 -------- d-----w- c:\program files\Runtime Software
2009-12-23 00:23 . 2009-12-23 00:40 -------- d-----w- c:\program files\Cobian Backup 9
2009-12-19 19:31 . 2009-12-19 19:31 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2009-12-19 18:37 . 2009-12-19 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 18:37 . 2009-12-19 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 16:06 . 2009-12-19 16:06 -------- d-----w- c:\windows\McAfee.com
2009-12-18 02:56 . 2009-12-18 03:12 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-18 02:56 . 2009-12-18 16:22 -------- d-----w- c:\program files\McAfee
2009-12-17 23:24 . 2009-12-17 23:24 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\McAfee
2009-12-12 23:00 . 2009-12-12 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 16:56 . 2007-06-25 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-29 14:38 . 2009-10-15 11:50 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ZoomBrowser EX
2009-12-19 23:55 . 2006-07-24 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-19 23:54 . 2006-07-24 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-19 19:47 . 2007-09-28 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-18 03:01 . 2006-10-15 20:25 -------- d-----w- c:\program files\McAfee.com
2009-12-17 23:46 . 2008-10-23 01:41 -------- d-----w- c:\documents and settings\Morgan\Application Data\U3
2009-12-16 00:00 . 2006-07-28 18:58 -------- d-----w- c:\documents and settings\Morgan\Application Data\Apple Computer
2009-12-14 21:00 . 2006-07-24 01:31 -------- d-----w- c:\documents and settings\Scott\Application Data\Apple Computer
2009-12-14 13:04 . 2006-07-23 23:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2009-12-12 23:01 . 2009-07-17 18:30 -------- d-----w- c:\program files\iTunes
2009-12-12 23:00 . 2009-07-17 18:30 -------- d-----w- c:\program files\iPod
2009-12-12 23:00 . 2009-07-17 18:30 -------- d-----w- c:\program files\Common Files\Apple
2009-12-12 22:57 . 2007-07-17 03:59 -------- d-----w- c:\program files\QuickTime
2009-11-23 18:19 . 2009-10-16 20:08 248 ------w- c:\documents and settings\Scott\Application Data\wklnhst.dat
2009-11-19 01:11 . 2007-07-15 23:30 -------- d-----w- c:\program files\PokerStars.NET
2009-11-04 16:56 . 2008-07-23 15:27 60744 ------w- c:\documents and settings\Scott\g2mdlhlpx.exe
2006-07-25 14:02 . 2006-07-25 14:02 774144 ------w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-01-09 16:03 . 2005-02-02 22:44 61440 c:\hp\KBD\bak\KBD.EXE

2007-05-11 08:06 . 2007-05-11 08:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2009-10-03 09:45 . 2009-10-03 09:45 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2006-05-04 13:17 . 2006-05-04 13:17 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2006-02-15 22:34 . 2006-02-15 22:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe

2006-07-22 23:13 . 2001-07-03 14:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe

2005-02-17 06:11 . 2005-02-17 06:11 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe

2007-09-14 15:00 . 2007-09-14 15:00 267064 c:\program files\iTunes\bak\iTunesHelper.exe
2009-11-12 22:33 . 2009-11-12 22:33 141600 c:\program files\iTunes\iTunesHelper.exe

2007-07-21 15:07 . 2007-07-12 09:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2006-10-15 20:36 . 2005-07-08 23:18 151552 c:\program files\McAfee.com\VSO\bak\mcmnhdlr.exe

2006-10-15 20:36 . 2005-08-10 17:49 163840 c:\program files\McAfee.com\VSO\bak\mcvsshld.exe

2006-10-15 20:36 . 2005-08-12 03:02 53248 c:\program files\McAfee.com\VSO\bak\oasclnt.exe

2006-07-23 22:25 . 2001-11-09 06:47 356352 c:\program files\NASDAK\OmniMouse Driver\4.0\bak\MOUSE32A.EXE

2007-06-29 11:24 . 2007-06-29 11:24 286720 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 05:08 . 2009-11-11 05:08 417792 c:\program files\QuickTime\QTTask.exe

2006-05-04 13:29 . 2004-12-14 02:23 663552 c:\windows\CREATOR\bak\Remind_XP.exe

2004-08-10 03:04 . 2005-09-29 21:01 67584 c:\windows\ehome\bak\ehtray.exe
2004-08-10 03:04 . 2005-08-05 20:56 64512 c:\windows\ehome\ehtray.exe

2006-05-04 13:29 . 2005-07-22 22:14 237568 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-09 21:00 . 2004-08-09 21:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-09 21:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2006-07-23 01:14 . 2005-01-27 09:00 98304 c:\windows\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"PCDrProfiler"="" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-4 27136]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-7-25 327680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-5-4 36903]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMREMIND.EXE [2007-2-18 327680]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-14 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-7-23 237568]
Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2007-2-6 839680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MP3 Rocket\\MP3Rocket.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.comcast.net/home.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = c:\windows\system32\blank.htm
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{C0AE7D77-9D38-4816-B03A-E07077F60B09} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 19:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\System32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\ARPWRMSG.EXE
c:\windows\RTHDCPL.EXE
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\alg.exe
.
**************************************************************************
.
Completion time: 2009-12-29 19:24:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 01:24

Pre-Run: 182,935,937,024 bytes free
Post-Run: 186,844,344,320 bytes free

- - End Of File - - ADFBFDA8554F2243C5828C04263FD9C3

#7 Farbar

Posted 29 December 2009 - 08:47 PM

Well done. :(
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    SecCenter::
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCDrProfiler"=-
    driver::
    Viewpoint Manager Service
    dds::
    Trusted Zone: internet

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Tell me how your computer is running.


#8 annoyed710

Posted 29 December 2009 - 10:50 PM

Ugh... When I booted up the computer again, my McAfee popped up and said it removed (or was it prevented?) a trojan and I think the name of it started with an A? Sorry, I should have written it down. Anyway, the location had combofix in the name, and now combofix is no longer there.

Should I save combofix to my desktop again? If so, do I run anything again, or just leave it once it is re-saved?

I had already saved the CFScript.txt to my desktop. Do I need to remove that before I re-save combofix?

One last little note...I don't know if it matters, but when I was enabling all of the security features, after running combofix, I successfully enabled McAfee virus protection, spyware protection, system guards protection, and script scanning protection. I also enabled the Windows firewall again. However, I still have a ! over my McAfee icon at the bottom of the screen because the internet protection is not working. Every time I click "fix" it flashes a green background that it is fixed and then goes immediately back to yellow for not working. Maybe this will fix when we're all done, but I thought I'd mention it. I didn't know if it could be conflicting with windows firewall or anything.

OK, I'll wait to see what you suggest to do about combofix. Thanks!

#9 Farbar

Posted 30 December 2009 - 04:15 AM

McAfee, instead of catching the baddies, flags a component of ComboFix as Artemis xxxxxx and removes ComboFix. You need to disable McAfee again before running ComboFix. You don't need to remove CFScript.txt. After downloading ComboFix drag it into it to run ComboFix.

McAfee might need a repair install at least or a clean install at most.

#10 annoyed710

Posted 30 December 2009 - 09:36 AM

Hi Farbar,

Thank you so much for your help! I did the Java update/removal and installed the new one. Everything seems fine! I still have the McAfee internet protection warning that won't fix using their tools, so I may have to uninstall and reinstall that. But I can't do that for a few hours.

I am really grateful for the help!

Here's the combofix report

ComboFix 09-12-29.05 - Compaq_Administrator 12/30/2009 7:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.566 [GMT -6:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-29 17:01 . 2009-12-29 17:01 176816 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-29 14:03 . 2009-12-29 14:03 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\CANON INC
2009-12-23 00:55 . 2009-12-23 00:57 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GoodSync
2009-12-23 00:55 . 2009-12-23 00:55 -------- d-----w- c:\program files\Siber Systems
2009-12-23 00:30 . 2009-12-23 00:30 -------- d-----w- c:\program files\Runtime Software
2009-12-23 00:23 . 2009-12-23 00:40 -------- d-----w- c:\program files\Cobian Backup 9
2009-12-20 01:51 . 2009-12-23 21:31 -------- d-----w- c:\windows\system32\NtmsData
2009-12-19 19:31 . 2009-12-19 19:31 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2009-12-19 18:37 . 2009-12-03 22:14 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 18:37 . 2009-12-19 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 18:37 . 2009-12-19 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 18:37 . 2009-12-03 22:13 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-12-19 16:06 . 2009-12-19 16:06 -------- d-----w- c:\windows\McAfee.com
2009-12-18 03:17 . 2009-11-04 22:54 79816 ------w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-18 03:17 . 2009-11-04 22:54 40552 ------w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-18 03:17 . 2009-11-04 22:54 35272 ------w- c:\windows\system32\drivers\mfebopk.sys
2009-12-18 03:12 . 2009-07-16 18:32 120136 ------w- c:\windows\system32\drivers\Mpfp.sys
2009-12-18 02:56 . 2009-12-18 03:12 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-18 02:56 . 2009-12-18 16:22 -------- d-----w- c:\program files\McAfee
2009-12-18 02:52 . 2009-11-04 22:53 34248 ------w- c:\windows\system32\drivers\mferkdk.sys
2009-12-17 23:24 . 2009-12-17 23:24 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\McAfee
2009-12-16 00:01 . 2009-12-16 00:01 70496 ---h--w- c:\windows\system32\mlfcache.dat
2009-12-12 23:00 . 2009-12-12 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 16:56 . 2007-06-25 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-29 14:38 . 2009-10-15 11:50 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\ZoomBrowser EX
2009-12-19 23:55 . 2006-07-24 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-19 23:54 . 2006-07-24 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-19 19:47 . 2007-09-28 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-18 03:01 . 2006-10-15 20:25 -------- d-----w- c:\program files\McAfee.com
2009-12-17 23:46 . 2008-10-23 01:41 -------- d-----w- c:\documents and settings\Morgan\Application Data\U3
2009-12-16 00:00 . 2006-07-28 18:58 -------- d-----w- c:\documents and settings\Morgan\Application Data\Apple Computer
2009-12-14 21:00 . 2006-07-24 01:31 -------- d-----w- c:\documents and settings\Scott\Application Data\Apple Computer
2009-12-14 13:04 . 2006-07-23 23:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2009-12-12 23:01 . 2009-07-17 18:30 -------- d-----w- c:\program files\iTunes
2009-12-12 23:00 . 2009-07-17 18:30 -------- d-----w- c:\program files\iPod
2009-12-12 23:00 . 2009-07-17 18:30 -------- d-----w- c:\program files\Common Files\Apple
2009-12-12 22:57 . 2007-07-17 03:59 -------- d-----w- c:\program files\QuickTime
2009-11-23 18:19 . 2009-10-16 20:08 248 ------w- c:\documents and settings\Scott\Application Data\wklnhst.dat
2009-11-21 15:51 . 2004-08-09 21:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 01:11 . 2007-07-15 23:30 -------- d-----w- c:\program files\PokerStars.NET
2009-11-04 22:54 . 2009-11-04 22:54 214664 ------w- c:\windows\system32\drivers\mfehidk.sys
2009-11-04 16:56 . 2008-07-23 15:27 60744 ------w- c:\documents and settings\Scott\g2mdlhlpx.exe
2009-10-29 07:45 . 2004-08-09 21:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-09 21:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-09 21:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-09 21:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-09 21:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-09 21:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-09 21:00 79872 ----a-w- c:\windows\system32\raschap.dll
2006-07-25 14:02 . 2006-07-25 14:02 774144 ------w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-01-09 16:03 . 2005-02-02 22:44 61440 c:\hp\KBD\bak\KBD.EXE

2007-05-11 08:06 . 2007-05-11 08:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2009-10-03 09:45 . 2009-10-03 09:45 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2006-05-04 13:17 . 2006-05-04 13:17 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2006-02-15 22:34 . 2006-02-15 22:34 249856 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe

2006-07-22 23:13 . 2001-07-03 14:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe

2005-02-17 06:11 . 2005-02-17 06:11 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe

2007-09-14 15:00 . 2007-09-14 15:00 267064 c:\program files\iTunes\bak\iTunesHelper.exe
2009-11-12 22:33 . 2009-11-12 22:33 141600 c:\program files\iTunes\iTunesHelper.exe

2007-07-21 15:07 . 2007-07-12 09:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2006-10-15 20:36 . 2005-07-08 23:18 151552 c:\program files\McAfee.com\VSO\bak\mcmnhdlr.exe

2006-10-15 20:36 . 2005-08-10 17:49 163840 c:\program files\McAfee.com\VSO\bak\mcvsshld.exe

2006-10-15 20:36 . 2005-08-12 03:02 53248 c:\program files\McAfee.com\VSO\bak\oasclnt.exe

2006-07-23 22:25 . 2001-11-09 06:47 356352 c:\program files\NASDAK\OmniMouse Driver\4.0\bak\MOUSE32A.EXE

2007-06-29 11:24 . 2007-06-29 11:24 286720 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 05:08 . 2009-11-11 05:08 417792 c:\program files\QuickTime\QTTask.exe

2006-05-04 13:29 . 2004-12-14 02:23 663552 c:\windows\CREATOR\bak\Remind_XP.exe

2004-08-10 03:04 . 2005-09-29 21:01 67584 c:\windows\ehome\bak\ehtray.exe
2004-08-10 03:04 . 2005-08-05 20:56 64512 c:\windows\ehome\ehtray.exe

2006-05-04 13:29 . 2005-07-22 22:14 237568 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-09 21:00 . 2004-08-09 21:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-09 21:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2006-07-23 01:14 . 2005-01-27 09:00 98304 c:\windows\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-4 27136]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-7-25 327680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-5-4 36903]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMREMIND.EXE [2007-2-18 327680]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-14 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-7-23 237568]
Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2007-2-6 839680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MP3 Rocket\\MP3Rocket.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-12-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-18 18:22]

2009-12-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-18 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HP Game Console - c:\program files\WildTangent\Apps\HP Game Console\Uninstall.exe
AddRemove-MP3 Rocket - j:\morgan's pictures\MP3 Rocket\Uninstall.exe
AddRemove-{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 07:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ARPWRMSG.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-30 07:58:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 13:58
ComboFix2.txt 2009-12-30 01:24

Pre-Run: 186,828,328,960 bytes free
Post-Run: 186,789,498,880 bytes free

- - End Of File - - 977BFD16CE459F9C3B449A485E915D14

#11 Farbar

Posted 30 December 2009 - 09:54 AM

It looks good. :(
  • Go to Start > Run, then copy and paste the following lines one by one into the Run box and click OK after each line:

    cmd /c reg delete "HKLM\software\microsoft\security center\Monitoring\McAfeeAntiVirus" /v DisableMonitoring /f
    cmd /c reg delete "HKLM\software\microsoft\security center\Monitoring\McAfeeFirewall" /v DisableMonitoring /f


    A window flashes; this is normal.

  • Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


    Let me know if you have any question before we close the topic.
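
The registry section of the ComboFix log posted above shows the state that the two reg delete commands in this reply address. As an added example (not part of the original thread and not ComboFix's own code; the function names are hypothetical), this Python parser reads that excerpt and lists every Security Center DisableMonitoring override plus a disabled standard-profile firewall:

```python
import re

# Excerpt copied from the "Reg Loading Points" section of the ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]\s*$')
# The log prints DWORDs in two styles: dword:00000001 and "0 (0x0)".
VAL_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s+\(0x[0-9a-fA-F]+\))\s*$'
)

MONITORING_PREFIX = '\\security center\\monitoring\\'
FIREWALL_SUFFIX = '\\firewallpolicy\\standardprofile'


def parse_dwords(log_text):
    """Yield (key, value_name, int_value) for each DWORD value in the excerpt."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VAL_RE.match(line)
        if m and key:
            value = int(m.group('hex'), 16) if m.group('hex') else int(m.group('dec'))
            yield key, m.group('name'), value


def find_weakened_settings(log_text):
    """Return (finding, subject) tuples for settings that mute or disable protection."""
    findings = []
    for key, name, value in parse_dwords(log_text):
        lowered = key.lower()
        if MONITORING_PREFIX in lowered and name == 'DisableMonitoring' and value == 1:
            # Subject is the product subkey, e.g. McAfeeFirewall.
            findings.append(('monitoring-disabled', key.rsplit('\\', 1)[1]))
        elif lowered.endswith(FIREWALL_SUFFIX) and name == 'EnableFirewall' and value == 0:
            findings.append(('firewall-disabled', 'standardprofile'))
    return findings


if __name__ == '__main__':
    for finding, subject in find_weakened_settings(SAMPLE_LOG):
        print(f'{finding}: {subject}')
```

On this excerpt it reports three DisableMonitoring overrides (McAfeeAntiVirus, McAfeeFirewall, SymantecFirewall) and EnableFirewall set to 0 for the standard profile.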


#12 annoyed710

Posted 30 December 2009 - 12:49 PM

I think I am almost done troubling you... I ran the commands for the McAfee Anti-Virus and Firewall. The Anti-Virus one went and a balloon popped up to tell me that the Anti-Virus was updated. The Firewall didn't seem to do anything and it still tells me I have problems with internet protection on the McAfee Security Center. It won't repair, so do you think I should just uninstall the whole thing and start over now?

Also, when I went to do step 2, running combofix uninstall, it said that it was not found. I know McAfee gave me the same story about recognizing a virus and supposedly removed it on start-up. Are there any other combofix folders I need to worry about removing? Also, should I do anything else to create a new restore point if I haven't run the combofix uninstall successfully?

I know these may seem like remedial questions, but I want to make sure to do it right while I have your expertise and fix this once and for all! Thanks!

#13 Farbar

Posted 30 December 2009 - 01:04 PM

It is important to uninstall Combofix properly. So you can disable McAfee, download ComboFix and run the command.

If it was up to me I would install a free antivirus to do a better job than McAfee for free. I see the majority of users coming here are using this AV and get infected easily while they pay for it to protect them against malware threats.

So I think any trouble with McAfee I would leave to its support team. You may also ask them why the product doesn't do anything about the malware and removes legit applications like Combofix.

#14 annoyed710

Posted 30 December 2009 - 02:32 PM

I'm so sorry to keep bothering you, but had some trouble with the last instructions...

It wouldn't let me uninstall. This is the error message when I ran ComboFix/Uninstall:

Windows cannot find "ComboFix/Uninstall"

So, it looked like you had a space between the words and the slash, so I put it in with a space and it started running ComboFix. I closed it and cancelled it, but then I was unable to get on Internet Explorer. So, I just ran ComboFix through (I hope that was OK, but thought maybe that's what it needed to uninstall). It ran and generated the report and then I was able to get on Internet Explorer again.

So, things are back to the way they were, but still no luck uninstalling ComboFix with the command.

#15 Farbar

Posted 30 December 2009 - 02:55 PM

No worries but I think I'm not able to understand why you didn't copy and paste the command as it was instructed and why you stopped it when it started running with the command. So if you do as it is instructed and don't improvise or interfere there won't be any problem. :(



