Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

waxfhosk.exe redirect virus


  • This topic is locked This topic is locked
10 replies to this topic

#1 elepant man

elepant man

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 29 December 2009 - 05:28 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/282506/redirect-virus-locked-out-of-safemode/ ~ OB

This virus has disabled my ability to reboot in safe-mode. I cleaned it off my comp yesterday and it resurfaced today. Any help would be greatly appreciated. Thank you


DDS (Ver_09-12-01.01) - NTFSx86
Run by Clark at 14:48:45.60 on Tue 12/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.73 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SMINST\Scheduler.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
c:\haypsixd.exe
C:\WINDOWS\TEMP\rkq55q.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\TEMP\win.exe
svchost.exe
C:\WINDOWS\TEMP\IXP000.TMP\pa0821.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\FastNetSrv.exe
C:\Documents and Settings\Clark\Desktop\dds.scr
C:\WINDOWS\system32\lsm32.sys

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: c:\windows\system32\z2jz9n9rk2.dll: {a5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\z2jz9n9rk2.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BitZip - Powered by Miro] c:\program files\participatory culture foundation\miro\Miro.exe --theme "BitZip"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Motive SmartBridge] c:\progra~1\alltel~1\smartb~1\MotiveSB.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\windows\temp\ixp000.tmp\"
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\rkq55q.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\win.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windst~1.lnk - c:\program files\alltel dsl check-up center\bin\matcli.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\z2jz9n9rk2.dll: {a5bf49a2-94f1-42bd-f434-3604812c807d} - c:\windows\system32\z2jz9n9rk2.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli nifisito.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\clark\applic~1\mozilla\firefox\profiles\pgqldi22.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\clark\application data\mozilla\firefox\profiles\pgqldi22.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-26 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-3 40448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-2 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-26 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-26 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-26 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-26 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-26 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-26 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-26 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 winsts;winsts;c:\windows\system32\winsts.sys [2004-8-3 2304]

=============== Created Last 30 ================

2009-12-29 21:42:31 0 ----a-w- c:\windows\system32\drivers\rehlisv.sys
2009-12-29 21:42:30 419 ----a-w- c:\windows\system32\uses32.dat
2009-12-29 21:42:30 100 ----a-w- c:\windows\system32\flags.ini
2009-12-29 21:42:24 29184 ----a-w- c:\windows\system32\bwsb.gio
2009-12-29 21:42:22 1380864 ----a-w- c:\windows\system32\AVR10.exe
2009-12-29 21:42:21 17408 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-29 21:41:26 23552 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-29 21:41:25 23552 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-29 21:41:19 15000 ----a-w- c:\windows\system32\z2jz9n9rk2.dll
2009-12-29 21:41:18 199680 ----a-w- C:\haypsixd.exe
2009-12-29 21:41:14 23552 ----a-w- C:\waxfhosk.exe
2009-12-29 05:54:49 0 d-----w- c:\windows\pss
2009-12-28 22:33:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 22:33:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 22:33:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 22:25:20 48 ----a-w- c:\windows\wininit.ini
2009-12-28 22:22:46 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-28 22:22:35 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-28 22:22:35 0 d-----w- c:\docume~1\clark\applic~1\SUPERAntiSpyware.com
2009-12-28 22:21:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-28 22:10:06 0 d-----w- c:\docume~1\clark\applic~1\McAfee
2009-12-28 17:34:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-12-28 00:19:42 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-28 00:19:42 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-02 01:46:54 78943 ----a-w- c:\windows\War3Unin.dat
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 14:52:11.56 ===============

Attached Files


Edited by Orange Blossom, 29 December 2009 - 06:38 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:20 PM

Posted 30 December 2009 - 10:34 AM

Hi elepant man,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

If you decide to remove the infection please go on with the following steps.


Removal Instructions

We start with running an updated MBAM

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


#3 elepant man

elepant man
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 30 December 2009 - 03:17 PM

Thank you for such a fast response. A did a scan with Malwarebytes. Unfortunately Yesterday as i was running logs for this post the virus reinfected so i ran a gamut of scans and removed some 50 plus trojans ect..

2 were found today

Malwarebytes' Anti-Malware 1.42
Database version: 3456
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/30/2009 1:06:39 PM
mbam-log-2009-12-30 (13-06-39).txt

Scan type: Quick Scan
Objects scanned: 102932
Time elapsed: 16 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bwsb.gio (Trojan.Agent) -> Quarantined and deleted successfully.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:20 PM

Posted 30 December 2009 - 03:23 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 elepant man

elepant man
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 30 December 2009 - 04:28 PM

combo fix was successful..

ComboFix 09-12-29.06 - Clark 12/30/2009 13:52:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.219 [GMT -7:00]
Running from: c:\documents and settings\Clark\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Clark\Desktop\Videos for uploading
c:\documents and settings\Clark\Desktop\Videos for uploading \2008-12-12 15 17 30.wmv
c:\documents and settings\Clark\Desktop\Videos for uploading \Thumbs.db
c:\recycler\S-1-5-21-3309020730-304565872-2839942875-1003
c:\windows\system32\Install.txt
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-30 12:04 . 2009-12-30 12:05 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-30 02:45 . 2009-12-30 02:59 -------- d-----w- C:\rsit
2009-12-30 02:45 . 2009-12-30 02:55 -------- d-----w- c:\program files\trend micro
2009-12-28 22:33 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 22:33 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 22:33 . 2009-12-29 00:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 22:22 . 2009-12-28 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-28 22:22 . 2009-12-28 22:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-28 22:22 . 2009-12-28 22:22 -------- d-----w- c:\documents and settings\Clark\Application Data\SUPERAntiSpyware.com
2009-12-28 22:21 . 2009-12-28 22:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-28 22:10 . 2009-12-28 22:10 -------- d-----w- c:\documents and settings\Clark\Application Data\McAfee
2009-12-28 17:34 . 2009-12-28 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 19:31 . 2009-12-28 22:23 52224 ----a-w- c:\documents and settings\Clark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-30 19:31 . 2009-12-28 22:23 117760 ----a-w- c:\documents and settings\Clark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-29 19:38 . 2009-09-15 03:47 -------- d-----w- c:\program files\Java
2009-12-29 19:37 . 2009-12-29 19:37 152576 ----a-w- c:\documents and settings\Clark\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-29 19:37 . 2009-12-29 19:37 79488 ----a-w- c:\documents and settings\Clark\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 22:09 . 2008-06-26 19:55 -------- d-----w- c:\program files\McAfee
2009-12-28 22:09 . 2008-06-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-28 00:19 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-28 00:19 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2009-12-27 04:04 . 2008-07-14 01:53 -------- d-----w- c:\program files\DivX
2009-12-27 04:02 . 2009-08-21 22:05 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-20 09:52 . 2008-12-09 23:04 -------- d-----w- c:\program files\Warcraft III
2009-12-02 01:46 . 2008-12-09 23:07 78943 ----a-w- c:\windows\War3Unin.dat
2009-11-21 15:51 . 2004-08-04 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:46 . 2004-08-04 02:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 02:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 02:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 02:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 02:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 02:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 02:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 02:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 02:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17 . 2009-01-10 21:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 09:25 . 2009-03-25 18:24 21344 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-25 94208]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-25 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-25 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windstream Broadband Check-up Center.lnk - c:\program files\ALLTEL DSL Check-up Center\bin\matcli.exe [2008-5-29 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Clark\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:WarCraft III Battle.net

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/2/2008 7:02 PM 93320]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S0 rehlisv;rehlisv; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-26 18:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-26 18:22]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Clark\Application Data\Mozilla\Firefox\Profiles\pgqldi22.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\Clark\Application Data\Mozilla\Firefox\Profiles\pgqldi22.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKCU-Run-BitZip - Powered by Miro - c:\program files\Participatory Culture Foundation\Miro\Miro.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 14:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WININET.dll
c:\progra~1\ALLTEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-12-30 14:08:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 21:08

Pre-Run: 33,124,270,080 bytes free
Post-Run: 33,046,720,512 bytes free

- - End Of File - - DEE2705DDD7B18EFE4BF0D373429E73C

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:20 PM

Posted 30 December 2009 - 04:43 PM

Well done. :(
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    Driver::
    rehlisv
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    Trusted Zone: internet
    Rootkit::
    C:\WINDOWS\system32\drivers\rehlisv.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Tell me also how is your computer running and if you have any question before we round off the next post.


#7 elepant man

elepant man
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 30 December 2009 - 05:20 PM

My comp lags a little but after a restart it seems fine. Ill try some browsing now and see how it goes. Should I attempt a safe-mode restart now or do you think it would fail.

ComboFix 09-12-29.06 - Clark 12/30/2009 14:52:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.271 [GMT -7:00]
Running from: c:\documents and settings\Clark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Clark\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_REHLISV
-------\Service_rehlisv


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-30 12:04 . 2009-12-30 12:05 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-30 02:45 . 2009-12-30 02:59 -------- d-----w- C:\rsit
2009-12-30 02:45 . 2009-12-30 02:55 -------- d-----w- c:\program files\trend micro
2009-12-29 19:37 . 2009-12-29 19:37 152576 ----a-w- c:\documents and settings\Clark\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-29 19:37 . 2009-12-29 19:37 79488 ----a-w- c:\documents and settings\Clark\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 22:33 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 22:33 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 22:33 . 2009-12-29 00:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 22:23 . 2009-12-30 19:31 52224 ----a-w- c:\documents and settings\Clark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 22:23 . 2009-12-30 19:31 117760 ----a-w- c:\documents and settings\Clark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-28 22:22 . 2009-12-28 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-28 22:22 . 2009-12-28 22:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-28 22:22 . 2009-12-28 22:22 -------- d-----w- c:\documents and settings\Clark\Application Data\SUPERAntiSpyware.com
2009-12-28 22:21 . 2009-12-28 22:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-28 22:11 . 2009-09-30 19:11 288096 ----a-r- c:\documents and settings\Clark\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-12-28 22:10 . 2009-12-28 22:10 -------- d-----w- c:\documents and settings\Clark\Application Data\McAfee
2009-12-28 17:34 . 2009-12-28 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 19:38 . 2009-09-15 03:47 -------- d-----w- c:\program files\Java
2009-12-28 22:09 . 2008-06-26 19:55 -------- d-----w- c:\program files\McAfee
2009-12-28 22:09 . 2008-06-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-28 00:19 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2009-12-28 00:19 . 2004-08-04 00:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-27 04:04 . 2008-07-14 01:53 -------- d-----w- c:\program files\DivX
2009-12-27 04:02 . 2009-08-21 22:05 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-20 09:52 . 2008-12-09 23:04 -------- d-----w- c:\program files\Warcraft III
2009-12-02 01:46 . 2008-12-09 23:07 78943 ----a-w- c:\windows\War3Unin.dat
2009-11-21 15:51 . 2004-08-04 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:46 . 2004-08-04 02:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 02:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 02:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 02:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 02:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 02:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 02:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 02:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 02:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17 . 2009-01-10 21:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 09:25 . 2009-03-25 18:24 21344 -c--a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-25 94208]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-25 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-25 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Windstream Broadband Check-up Center.lnk - c:\program files\ALLTEL DSL Check-up Center\bin\matcli.exe [2008-5-29 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Clark\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:WarCraft III Battle.net

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/2/2008 7:02 PM 93320]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-26 18:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-26 18:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Clark\Application Data\Mozilla\Firefox\Profiles\pgqldi22.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\Clark\Application Data\Mozilla\Firefox\Profiles\pgqldi22.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 15:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2980)
c:\windows\system32\WININET.dll
c:\progra~1\ALLTEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\msiexec.exe
c:\program files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-12-30 15:06:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 22:06
ComboFix2.txt 2009-12-30 21:08

Pre-Run: 33,033,703,424 bytes free
Post-Run: 33,003,847,680 bytes free

- - End Of File - - D9015A31A10130E1E758D5B07C4450D3

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:20 PM

Posted 30 December 2009 - 05:23 PM

My comp lags a little but after a restart it seems fine. Ill try some browsing now and see how it goes. Should I attempt a safe-mode restart now or do you think it would fail.

Try anything, it is testing time. Let me know if you notice anything unusual.

#9 elepant man

elepant man
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 30 December 2009 - 05:40 PM

All is well, reboot into safe-mode was smooth :(

And no more redirecting. Such a relief I cant thank you enough. Hopefully my paypal isnt drained from this attack. I wanna give you some appreciation.

Now that I can go into safe-mode should I do any more scanning with SAS or malwarebytes?

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:20 PM

Posted 30 December 2009 - 05:47 PM

It looks good. :(

You are most welcome and thanks for the appreciation. :(

it is important to uninstall ComboFix. Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Running MBAM or/and SAS does no harm. From now on you may do whatever you feel is needed.

Happy Surfing elepant man. :)

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:20 PM

Posted 03 January 2010 - 06:59 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users