
I think I messed up my comp after using ComboFix


22 replies to this topic

#1 Sportsfan123 (Members, 12 posts)

Posted 22 April 2012 - 04:57 PM

I started noticing Friday that when I clicked on links when doing a search, some of them would redirect to other websites. So I was looking for software that could remove it and read about ComboFix being thorough and the best to remove the virus. I should've come here first before using it. I'm worried I messed something up. I have Windows XP Home Edition. The scan went on for around 22 hours, so I must've caused it to stall. Before I started scanning I disabled my antivirus Avast 5 but I didn't permanently disable it and it came back on after 10 minutes. I also forgot to shutdown the windows firewall. When my antivirus came back on, CF already set up a new restore point and backed up the registry.

So when I realized the antivirus went back on I disabled it permanently this time. At this point in the scan, it already said Scanning for infected files...this usually doesn't take more than 10 minutes etc. Then it said "Access is denied. SED: Can't read the Plist02. No such file or directory. Access is denied." The desktop had also disappeared. Next it went through the 50 stages and it said deleting files.. and listed them. Also it said deleting folders and had some that said like documents and settings\admin\windows and system32\config\systemprofile\windows. During the scan, I did click in the CF window and scrolled up and down and also right clicked. I also brought up the task manager with ctrl+alt+delete but I didn't change or close any processes or programs.

I was checking periodically to see if it would finish. Finally around 22 hours after it started, I was checking it and the scan said "do not manually reboot" and said "it will automatically reboot when it completes". I'm not sure if other messages from the CF window popped up before that since I wasn't by my comp the whole time. So it rebooted (this was yesterday) and my comp seemed to boot ok and went to the login screen for my username like it normally does but I haven't logged in yet. I won't log in until someone can help me before I screw it up even more. I'm hoping it's not as bad as I think. It was so foolish of me to try this on my own.

Edited by Sportsfan123, 22 April 2012 - 05:03 PM.



#2 1972vet (Malware Response Team, Midwest U.S.A.)

Posted 25 April 2012 - 05:51 PM

...It was so foolish of me to try this on my own.

I must agree, and for a couple reasons. Combofix is a specialized tool and should only be used either by trained technicians or under guidance by same. The reason(s) are obvious, but for the benefit of other readers who may have stumbled onto this thread, I'll briefly summarize why:
1) sUBs, author of combofix, recommends that one should not use it without trained guidance.
2) Without the proper training in the use of combofix, one could quite possibly cripple their system...which, of course, is why sUBs has warned against using it without proper guidance.

I might also add, sUBs is quite adamant about not clicking or mousing over combofix while it's running since it causes it to stall...as you found out.
Nuff said 'bout dat...on to business.

Please post the log that was generated and we'll go from there. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 Sportsfan123 (Topic Starter)

Posted 25 April 2012 - 07:22 PM

Thanks for the reply. I just logged in to my username for the first time. The ComboFix window is up saying "Preparing log report. Do not run any programs until ComboFix has finished." I'll post the log when it's done. I don't know if this is important but on the ComboFix window, the title says ComboFix - Find3M

#4 1972vet (Malware Response Team)

Posted 25 April 2012 - 09:01 PM

...I don't know if this is important but on the ComboFix window, the title says ComboFix - Find3M

Not important for your concerns...it's a section of the combofix log having a title of the same name. Post it please when it completes. Thanks!



#5 Sportsfan123 (Topic Starter)

Posted 25 April 2012 - 09:16 PM

The log is complete but I'm not sure if I should post from the computer that ran CF. The internet seems to work on it. Otherwise I can copy it to my other comp with a flash drive and post. I never used the flash drive before and I don't know if it will install software on the comp (there's no installation cd)

#6 1972vet (Malware Response Team)

Posted 26 April 2012 - 09:55 AM

Doesn't matter...just post it. Thanks!



#7 Sportsfan123 (Topic Starter)

Posted 26 April 2012 - 04:17 PM

ComboFix 12-04-20.03 - HP_Owner 04/20/2012 20:22:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.222 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\Local Settings\Application Data\America Online\dflsujcx.dll
c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\~GLC0000.TMP
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Packet.dll
c:\windows\system32\ps2.bat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SETC3.tmp
c:\windows\system32\SETC7.tmp
c:\windows\system32\SETCF.tmp
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))
.
.
2012-04-20 01:07 . 2012-04-21 00:37 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\America Online
2012-04-10 04:16 . 2012-04-10 04:16 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-10 04:16 . 2012-04-10 04:16 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-04-04 07:20 . 2012-04-04 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2012-04-04 07:20 . 2012-04-04 07:20 -------- d-----w- c:\program files\ParetoLogic
2012-04-04 07:20 . 2012-04-04 07:20 -------- d-----w- c:\program files\Common Files\ParetoLogic
2012-04-04 07:20 . 2012-04-04 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-01 11:01 . 2004-08-07 18:47 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-07 18:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-07 18:46 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-07 18:47 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-07 18:46 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-07 18:46 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2004-08-07 18:47 1860096 ----a-w- c:\windows\system32\win32k.sys
1998-04-30 18:56 . 2011-01-14 02:17 129024 ----a-w- c:\program files\UNWISE.EXE
2012-04-10 04:16 . 2012-02-26 09:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"VTTimer"="VTTimer.exe" [2004-03-27 49152]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"capfasem"="c:\program files\CA\Security Suite\CA Personal Firewall\capfasem.exe" [2008-07-14 173296]
"capfupgrade"="c:\program files\CA\Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-07-14 259312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-09-29 206120]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-30 180269]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-8-7 16423]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 19:08 67160 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-30 11:08 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/26/2011 9:21 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/12/2010 9:04 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/12/2010 9:04 PM 20568]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 6:06 PM 290832]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/29/2010 7:00 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/29/2010 7:00 AM 185640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/19/2008 11:22 AM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2010 9:21 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2010 9:21 PM 135664]
S3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [9/9/2011 1:15 AM 36224]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/7/2004 2:47 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
2008-02-25 15:55 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-09 01:21]
.
2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-09 01:21]
.
2012-04-25 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 16:25]
.
2012-04-20 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 16:25]
.
2012-04-26 c:\windows\Tasks\User_Feed_Synchronization-{F388AB5F-9499-4BFE-8A12-D8078E69AF98}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\86ecnomr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.nhl.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-SITEguard - (no file)
HKCU-Run-America Online - c:\documents and settings\HP_Owner\Local Settings\Application Data\America Online\dflsujcx.dll
MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
AddRemove-OpenLastClosedTab - c:\program files\MuvEnum\OpenLastClosedTab\uninstall.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-25 20:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
America Online = rundll32.exe "c:\documents and settings\HP_Owner\Local Settings\Application Data\America Online\dflsujcx.dll",CreateTzanShell??{?m???????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\progra~1\PANICW~1\POP-UP~1\XAHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\VTTimer.exe
c:\windows\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2012-04-25 20:23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-26 00:23
.
Pre-Run: 5,121,597,440 bytes free
Post-Run: 25,131,724,800 bytes free
.
- - End Of File - - 2A2D7C97C661E36D3246C04D2CF18B56

#8 1972vet (Malware Response Team)

Posted 26 April 2012 - 06:08 PM

Please look for these in your list of installed programs:
PixiePack Codec Pack
Viewpoint

...both are Foistware and should be uninstalled. While you're there, also look for the Security Suite from Computer Associates and uninstall it if it's there.

When you finish uninstalling them, look in your scheduled tasks for anything related to "Paretologic" and delete those tasks...you might find there is more than one task related to Paretologic. Regardless, anything there you find related to paretologic must also be removed.

Next, please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::

folder::
c:\documents and settings\All Users\Application Data\ParetoLogic
c:\program files\ParetoLogic
c:\program files\Common Files\ParetoLogic
c:\program files\CA\Security Suite
c:\program files\PixiePack Codec Pack
c:\program files\Viewpoint

file::
c:\program files\UNWISE.EXE

driver::
Viewpoint Manager Service

firefox::
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\86ecnomr.default\
FF - prefs.js: browser.search.selectedEngine -

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"capfasem"=-
"capfupgrade"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]

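A sanity checker for the CFScript block format used in the reply above, added here as an example (it is not ComboFix's own code and not from the thread): it parses the `name::` directives and flags entries that are not absolute paths, that name a protected system location, or registry lines that are malformed. The directive set and the protected-path list are assumptions for illustration; the page script is abridged.

```python
import re

# The CFScript from the reply above, abridged, as a sample input.
PAGE_SCRIPT = r"""KILLALL::

folder::
c:\documents and settings\All Users\Application Data\ParetoLogic
c:\program files\ParetoLogic
c:\program files\Viewpoint

file::
c:\program files\UNWISE.EXE

driver::
Viewpoint Manager Service

firefox::
FF - prefs.js: browser.search.selectedEngine -

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"capfasem"=-
"capfupgrade"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
"""

# A constructed script with the kinds of mistakes the checker should catch.
BAD_SCRIPT = r"""folder::
c:\windows\system32
file::
UNWISE.EXE
bogus::
registry::
"capfasem"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"capfupgrade"=
"""

# Directives seen in this thread's script; ComboFix accepts others, so extend
# this set rather than rejecting a script a helper gave you (assumed list).
KNOWN_DIRECTIVES = {"killall", "folder", "file", "driver", "firefox", "registry"}

# Locations whose removal would cripple Windows XP; an entry naming exactly
# one of these is flagged (assumed list for illustration).
PROTECTED = {r"c:", r"c:\windows", r"c:\windows\system32",
             r"c:\program files", r"c:\documents and settings"}

ABS_PATH = re.compile(r"^[a-z]:\\", re.I)
REG_KEY = re.compile(r"^\[-?(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\[^\]]+\]$")
REG_VALUE = re.compile(r'^"[^"]+"=(-|".*"|dword:[0-9a-fA-F]{8})$')


def parse_cfscript(text):
    """Return [(line_no, directive, entry)]: a 'name::' line sets the
    directive (entry None); every other non-blank line is an entry under it."""
    items, directive = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            directive = line[:-2].lower()
            items.append((no, directive, None))
        else:
            items.append((no, directive, line))
    return items


def check_cfscript(text):
    """Return [(line_no, message)]; an empty list means every entry is well
    formed and no folder::/file:: entry names a protected location."""
    findings, in_key = [], False
    for no, directive, entry in parse_cfscript(text):
        if entry is None:                       # a directive line
            if directive not in KNOWN_DIRECTIVES:
                findings.append((no, f"unknown directive '{directive}::'"))
            in_key = False
            continue
        if directive is None:
            findings.append((no, "entry before any directive"))
        elif directive in ("folder", "file"):
            if not ABS_PATH.match(entry):
                findings.append((no, "not an absolute path"))
            elif entry.lower().rstrip("\\") in PROTECTED:
                findings.append((no, "would remove a protected system location"))
        elif directive == "registry":
            if entry.startswith("["):
                in_key = bool(REG_KEY.match(entry))
                if not in_key:
                    findings.append((no, "malformed registry key"))
            elif not in_key:
                findings.append((no, "registry value before any key"))
            elif not REG_VALUE.match(entry):
                findings.append((no, "malformed registry value"))
    return findings
```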


#9 Sportsfan123 (Topic Starter)

Posted 26 April 2012 - 08:19 PM

In the "other deletions" section, were those important files? Can they be recovered? I won't mouseclick when it's running but while it runs, my screensaver will probably come up so can I just move my mouse around to clear it?

#10 1972vet (Malware Response Team)

Posted 26 April 2012 - 08:26 PM

They were deleted because combofix found them to be malicious. You could recover them but why would you want to do that? I doubt your screen saver will interrupt, but if it does, just bump your mouse. After you drag the script to the combofix.exe, just move the mouse to the side of the screen or corner away from the dos screen that opens when cf runs so if you have to bump it, it won't enter the dos window area.



#11 Sportsfan123 (Topic Starter)

Posted 26 April 2012 - 09:35 PM

I thought they were critical for the proper functioning of the comp...like system32 files and the windows folders. Quick question: what is winpcap for and also autorun.inf?

#12 1972vet (Malware Response Team)

Posted 27 April 2012 - 02:24 AM

I thought they were critical for the proper functioning of the comp...like system32 files and the windows folders. Quick question: what is winpcap for and also autorun.inf?

Some system32 files are critical, but nothing combofix removed on your system is critical...not in the system32 folder. Likewise, the Windows folders it removed aren't in their proper file path location. If you don't know what winpcap is, then it's likely somebody installed it on your system without your knowledge in an effort to monitor what you do on the internet. Autorun is a means by which you lose control of what happens when you insert something in the cd/dvd drive or usb drive(s) for that matter, in that it will no longer run automatically. Instead, you should be given the opportunity to choose what you want to do with it. Microsoft even recommends disabling this feature. Please post the log.

Edited by 1972vet, 27 April 2012 - 02:24 AM.

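Added example (not from the thread and not ComboFix's code): a small parser for the log's parenthesised section headers and a classifier that applies the reasoning in the reply above to the "Other Deletions" entries, e.g. a folder literally named WINDOWS outside c:\windows is a decoy rather than the real system folder, and wpcap.dll in system32 is a WinPcap component rather than an OS file. The sample log is a constructed excerpt of the one posted in the thread; the labels and matching rules are my assumptions.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the ComboFix log posted in the thread
# (not the full log); the paths come from its "Other Deletions" section.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\HP_Owner\WINDOWS
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\wpcap.dll
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
.
"""

# A ComboFix section header is a title wrapped in long runs of parentheses.
SECTION_HEADER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}\s*$")

# The real system root on the XP machine in the thread.
SYSTEM_ROOT = r"c:\windows"
# Files that belong to WinPcap, not to Windows, even when placed in system32.
WINPCAP_FILES = {"wpcap.dll", "packet.dll", "wanpacket.dll", "npf.sys"}


def parse_sections(text):
    """Split a ComboFix log into {section title: [entry lines]}.

    ComboFix pads sections with lone '.' lines; those are dropped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def classify_deletion(path):
    """Label one deleted path with the reason a responder would give for it."""
    p = path.lower()
    drive = p.split(":", 1)[0]
    name = p.rsplit("\\", 1)[-1]
    if name == "windows" and p != SYSTEM_ROOT:
        # A folder named WINDOWS under a user profile or systemprofile is a
        # decoy used to hide dropped files; the real one is SYSTEM_ROOT.
        return "decoy WINDOWS folder outside the system root"
    if "\\temp\\" in p and name.endswith(".dll"):
        return "DLL dropped in a temp folder"
    if name == "autorun.inf" and drive != "c":
        return "autorun.inf on a removable or secondary drive"
    if "\\winpcap\\" in p or name in WINPCAP_FILES:
        return "WinPcap packet-capture component"
    if p.startswith(SYSTEM_ROOT + "\\system32\\"):
        return "file inside the real system32 (review individually)"
    return "other"


def classify_deletions(text):
    """Return [(path, label)] for every entry in the 'Other Deletions' section."""
    entries = parse_sections(text).get("Other Deletions", [])
    return [(e, classify_deletion(e)) for e in entries]


def label_counts(text):
    """Histogram of labels, handy as a one-glance triage summary."""
    return Counter(label for _, label in classify_deletions(text))


if __name__ == "__main__":
    for path, label in classify_deletions(SAMPLE_LOG):
        print(f"{label:55} {path}")
```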


#13 Sportsfan123 (Topic Starter)

Posted 27 April 2012 - 04:35 PM

OK, I went to run ComboFix and it prompted me saying it expired and asked if I wanted to run it in "reduced functionality mode" so I said no and it exited the program. I did uninstall Viewpoint and PixiePack Codec Pack but I didn't see Security Suite for Computer Associates in my installed programs list. I removed the scheduled tasks for Paretologic. Also when I created the notepad and clicked save as, it had *.txt for the file and I wanted to know if I should delete the asterisk or leave it for the file name when I save it like *CFScript.txt or just CFScript.txt

Is it necessary to run ComboFix again for the problems still on my computer or is there some other software we could use? I'm asking because I don't want anything to happen unexpectedly especially since I ran it once on my own and was very fortunate that my comp. still functions normally. I guess what I'm saying is I'm scared of its capabilities.

#14 1972vet (Malware Response Team)

Posted 27 April 2012 - 07:34 PM

OK, I went to run ComboFix and it prompted me saying it expired and asked if I wanted to run it in "reduced functionality mode" so I said no and it exited the program.
You'll need to try this again in safe mode with networking...that is if you still can't run in normal mode. Needless to say, the copy you have has been updated and combofix wants you to download the update. You can do this if you are in either normal mode of course, or safe mode with networking.

I did uninstall Viewpoint and PixiePack Codec Pack but I didn't see Security Suite for Computer Associates in my installed programs list.
That's OK, we'll remove it with combofix

I removed the scheduled tasks for Paretologic. Also when I created the notepad and clicked save as, it had *.txt for the file and I wanted to know if I should delete the asterisk or leave it for the file name when I save it like *CFScript.txt or just CFScript.txt
The *.txt is there by default on all systems...just so you know. However, had I wanted you to save it as *.txtcfscript.txt then that's exactly what I would have posted in the instruction. As it is, the instruction should be followed to the letter. It says, save as cfscript.txt, so if it were me, I would think I'd need to remove the default *.txt...which, by the way, should go away as soon as you click in the window to type since it's already highlighted. If your system doesn't behave that way, then by all means, remove it and save the file as the instruction directs.

Is it necessary to run ComboFix again for the problems still on my computer or is there some other software we could use?
It is necessary to finish up with combofix

I'm asking because I don't want anything to happen unexpectedly especially since I ran it once on my own and was very fortunate that my comp. still functions normally. I guess what I'm saying is I'm scared of its capabilities.

No need to worry as long as you follow my instructions. Please run it as instructed and post the log.



#15 Sportsfan123 (Topic Starter)

Posted 27 April 2012 - 10:50 PM

How do I get the update? Should I uninstall the old version of CF before getting the newest version? I tried going to the download link here, but it said to rename the file since there's one with that name already.

Edited by Sportsfan123, 27 April 2012 - 10:57 PM.
