
Wife's computer will not connect to any ant-virus site


74 replies to this topic

#16 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)
Posted 06 August 2010 - 12:13 AM

Hello RetiredChief

Thank you for the log.

Please work your way through the steps below. Just take your time with them and everything will be fine. If you run into any problems come back and let me know.


  • Safe Mode with Networking


    • Please boot your system into Safe Mode with Networking.
    • To do this:
    • Restart your computer.
    • When Windows starts to boot, tap repeatedly on the f8 key (do this before the Windows screen appears).
    • A list of menu options will appear.
    • Use the arrow keys to highlight Safe Mode with Networking then press the Enter key.

  • Please download The Avenger by Swandog46


    • Please download The Avenger by clicking here and save the file (called avenger.zip) to your desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop.
    • Copy the text in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Files to move:
    C:\WINDOWS\system32\dllcache\pciide.sys | C:\WINDOWS\system32\drivers\pciide.sys

    Note: the above code was created specifically for this User. If you are not this User, do NOT follow these directions as they could damage the workings of your system.

    • Once you have copied the text to your Clipboard, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under "Input script here:", and select "Paste" (you can also paste the text copied to the clipboard into this window by pressing Ctrl+V).
    • Click on "Execute".
    • Answer "Yes" twice when prompted.

    • The Avenger will automatically do the following:
    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop. This is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. (This log file can also be found at C:\avenger.txt).
    • The Avenger will automatically make a backup of all items you asked it to delete. These backups can be located at C:\avenger\backup.zip.

    Please provide The Avenger log in your next reply.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom



#17 RetiredChief (Authentic Member, 111 posts)
Posted 06 August 2010 - 10:44 PM

I performed the Avenger as directed. When the computer re-booted and displayed the log file, I got a Warning message that said:

Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bfc 75b6bfc

and three buttons: Cancel, Try Again, Continue. I selected Continue and Try Again but nothing happened except the warning window re-loaded itself immediately. I then selected Cancel and it went away and I could view the log listed below:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Fri Aug 06 21:34:46 2010

21:34:46: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Fri Aug 06 21:35:14 2010

21:35:14: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

#18 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)
Posted 07 August 2010 - 02:39 AM

Hello RetiredChief

Error: Invalid script. A valid script must begin with a command directive.

Strange?

Did you make sure that all of the text was copied and pasted into The Avenger?

The text we need to use is:

Files to move:
C:\WINDOWS\system32\dllcache\pciide.sys | C:\WINDOWS\system32\drivers\pciide.sys


Please give it one more go.

If it still fails to work we will move the file using a different method :)

#19 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)
Posted 07 August 2010 - 07:42 AM

Hello RetiredChief

Just thought of this, but please make sure that the text we need to use appears on two separate lines when you paste it into The Avenger.

It should look exactly like this:

Files to move:
C:\WINDOWS\system32\dllcache\pciide.sys | C:\WINDOWS\system32\drivers\pciide.sys


and NOT like this:

Files to move:C:\WINDOWS\system32\dllcache\pciide.sys | C:\WINDOWS\system32\drivers\pciide.sys

Let me know how you get on :)
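The two pastes contrasted in the post above differ only in where the line break sits, and the earlier log shows how the tool reacts when the directive and the path share a line ("A valid script must begin with a command directive"). The validator below is an added example written for this thread, not Swandog46's parser: it models the directive check as an exact-line match, so it reports the glued-together paste with a more specific reason, and it parses "Files to move:" entries as `source | destination` pairs. The directive list is an assumption drawn from the directives the thread mentions; The Avenger itself accepts others.

```python
"""Check an Avenger-style script before it is executed.

Added example for this thread; a hypothetical re-implementation of the
directive check, not The Avenger's own code. The directive names are the
ones mentioned in the thread (assumption: the real tool accepts more).
"""

KNOWN_DIRECTIVES = ("Files to move:", "Files to delete:",
                    "Drivers to delete:", "Drivers to disable:")
_DIRECTIVE_SET = {d.lower() for d in KNOWN_DIRECTIVES}
INVALID_MSG = "Invalid script. A valid script must begin with a command directive."


def _directive_prefix(line):
    """Return the directive a line starts with when extra text is glued onto
    the same line (the failure mode from the post above), else None."""
    low = line.lower()
    for d in _DIRECTIVE_SET:
        if low.startswith(d) and low != d:
            return d
    return None


def validate_script(text):
    """Return (ok, message, entries).

    entries maps each directive, as written, to its argument lines; for
    'Files to move:' each argument is a (source, destination) tuple.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, INVALID_MSG, {}
    if lines[0].lower() not in _DIRECTIVE_SET:
        glued = _directive_prefix(lines[0])
        if glued:
            return False, (INVALID_MSG + f" (directive {glued!r} and its argument "
                           "are on the same line; put the argument on the next line)"), {}
        return False, INVALID_MSG, {}
    entries = {}
    current = None
    for ln in lines:
        if ln.lower() in _DIRECTIVE_SET:
            current = ln
            entries.setdefault(current, [])
            continue
        if current.lower() == "files to move:":
            parts = [p.strip() for p in ln.split("|")]
            if len(parts) != 2 or not all(parts):
                return False, f"Malformed move entry (expected 'source | destination'): {ln!r}", {}
            entries[current].append((parts[0], parts[1]))
        else:
            entries[current].append(ln)
    return True, "ok", entries


# Constructed inputs: the correct paste and the one-line paste from the post.
GOOD_SCRIPT = ("Files to move:\n"
               "C:\\WINDOWS\\system32\\dllcache\\pciide.sys | C:\\WINDOWS\\system32\\drivers\\pciide.sys\n")
BAD_SCRIPT = ("Files to move:C:\\WINDOWS\\system32\\dllcache\\pciide.sys | "
              "C:\\WINDOWS\\system32\\drivers\\pciide.sys\n")

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        ok, msg, entries = validate_script(script)
        print(f"{name}: ok={ok} msg={msg} entries={entries}")
```

Running it prints the parsed move pair for the first script and the "same line" diagnosis for the second; an empty paste and a move entry without the `|` separator are rejected as well.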

#20 RetiredChief (Authentic Member, 111 posts)
Posted 07 August 2010 - 08:58 AM

I forgot to start it in safe mode so I went back and re-did it. I still got the Windows "no disk" warning box with the message:

Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bfc 75b6bfc

and three buttons: Cancel, Try Again, Continue.

Again I pressed Cancel and it went away. Here are the results:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\WINDOWS\system32\dllcache\pciide.sys"
File move operation "C:\WINDOWS\system32\dllcache\pciide.sys|C:\WINDOWS\system32\drivers\pciide.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

#21 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)
Posted 08 August 2010 - 05:39 AM

Hello RetiredChief

Thank you for letting me know.

Please work your way through the following steps:


  • Download Combofix and RE-NAME it BEFORE saving


  • Download Combofix from either of the links below. You must rename it to retiredchief.exe before saving it.
  • Save it to your desktop. Change the "save as file type" to "all files".
  • Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.


  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


Link 1
Link 2



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.


  • Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#22 RetiredChief (Authentic Member, 111 posts)
Posted 08 August 2010 - 12:12 PM

JonTom,

Here is the log, that wasn't too complicated to do:

ComboFix 10-08-07.02 - HP_Administrator 08/08/2010 11:01:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.658 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\retiredchief.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\My Documents\iexplore.exe
c:\documents and settings\HP_Administrator\Recent\Thumbs.db
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\jgmd400K.dll
c:\windows\wiaserviv.log
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-07 04:26 . 2010-08-07 04:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-05 06:32 . 2010-08-05 06:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-07-29 17:16 . 2010-07-24 00:22 1496064 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-29 17:16 . 2010-07-24 00:22 43008 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-29 17:16 . 2010-07-24 00:22 338944 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-29 17:16 . 2010-07-24 00:22 346112 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-27 19:00 . 2010-07-27 19:00 -------- d-----w- c:\program files\BitTorrent
2010-07-20 23:33 . 2010-08-01 18:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BitTorrent
2010-07-18 04:30 . 2010-07-18 07:12 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-17 21:58 . 2010-07-17 21:58 -------- d-----w- C:\6e7560e35cb2dc572507a834e97935
2010-07-17 20:01 . 2010-07-17 20:01 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2010-07-17 20:00 . 2010-07-17 21:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\AskToolbar
2010-07-16 21:43 . 2008-12-18 08:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2010-07-16 21:43 . 2008-06-15 17:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-07-16 21:39 . 2010-07-16 21:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2010-07-16 20:41 . 2010-07-16 20:41 -------- d-----w- c:\program files\Ask.com
2010-07-15 20:33 . 2010-07-15 20:33 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2010-07-15 19:08 . 2010-08-04 00:20 452104 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.12\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 17:58 . 2010-01-11 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Renaissance Learning
2010-08-08 17:36 . 2010-04-29 23:20 -------- d-----w- c:\program files\Steam
2010-08-02 01:57 . 2010-05-04 00:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2010-07-25 18:38 . 2009-02-22 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-24 01:06 . 2010-07-01 02:10 -------- d-----w- c:\program files\iTunes
2010-07-24 01:06 . 2010-07-01 02:10 -------- d-----w- c:\program files\iPod
2010-07-17 21:59 . 2009-02-04 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 01:44 . 2010-07-01 02:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2010-07-03 00:51 . 2005-11-11 00:42 -------- d-----w- c:\program files\Microsoft.NET
2010-07-01 03:29 . 2010-07-01 03:29 69396 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-01 02:11 . 2010-07-01 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-01 02:10 . 2010-07-01 02:08 -------- d-----w- c:\program files\Common Files\Apple
2010-07-01 02:10 . 2010-07-01 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-01 02:10 . 2006-10-26 00:14 -------- d-----w- c:\program files\QuickTime
2010-07-01 02:09 . 2010-07-01 02:09 -------- d-----w- c:\program files\Apple Software Update
2010-07-01 02:09 . 2010-07-01 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-07-01 02:09 . 2010-07-01 02:09 -------- d-----w- c:\program files\Bonjour
2010-06-23 06:03 . 2010-06-23 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-06-23 04:26 . 2010-06-23 04:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2010-06-16 03:01 . 2010-06-16 03:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 01:02 . 2010-06-11 00:52 -------- d-----w- c:\program files\Privateer
2010-06-08 01:53 . 2005-11-11 00:30 87984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-30 00:38 . 2005-08-31 12:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-30 00:37 . 2010-05-30 00:37 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-05-30 00:37 . 2010-05-30 00:37 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2010-05-30 00:37 . 2010-05-30 00:37 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2010-05-30 00:37 . 2010-05-30 00:37 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2010-05-30 00:37 . 2010-05-30 00:37 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2010-05-30 00:37 . 2010-05-30 00:37 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2010-05-30 00:37 . 2010-05-30 00:37 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2010-05-30 00:37 . 2010-05-30 00:37 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2010-05-28 14:59 . 2010-04-05 04:48 0 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-16 23:35 . 2010-02-16 17:53 50354 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Facebook\uninstall.exe
2010-05-12 01:49 . 2010-05-12 01:49 311296 ----a-w- c:\windows\~DFF64B.tmp
2006-10-14 04:36 . 2006-10-10 03:45 3445760 --sha-w- c:\program files\ehthumbs.db
2006-03-27 03:58 . 2006-03-27 04:58 22 --sha-w- c:\windows\SMINST\HPCD.sys
2008-04-14 00:11 . 2004-08-10 12:00 170193 --sha-r- c:\windows\system32\kqjulx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-11 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-10 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Renaissance Wireless Server\\Renaissance Wireless Server.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5799:TCP"= 5799:TCP:wabvkfq

S1 pnojcrqs;pnojcrqs;\??\c:\windows\system32\drivers\pnojcrqs.sys --> c:\windows\system32\drivers\pnojcrqs.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 etsphuhvj;Security Universal;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 5:00 AM 14336]
S2 gagbecgy;cjbdflyul;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ioeekn
fcbaymhx
wfcmbp
mrvjgqto
etsphuhvj
gagbecgy
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-07-15 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 03:22]

2010-08-02 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]

2010-08-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etsphuhvj]
"ServiceDll"="c:\windows\system32\kqjulx.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gagbecgy]
"ServiceDll"="c:\windows\system32\kqjulx.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-08 11:09:30
ComboFix-quarantined-files.txt 2010-08-08 18:09

Pre-Run: 157,831,286,784 bytes free
Post-Run: 157,901,578,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 21341B5B35360B54BCB2909BEE53A9B8
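The log above carries several indicators a responder would want pulled out before deciding on a script: a proxy on the loopback address (which is consistent with the reported symptom that anti-virus sites cannot be reached), Security Center overrides, the disabled firewall, a globally opened TCP port with a nonsense label, a driver service whose file is no longer on disk, and two svchost-hosted services with random names that share one ServiceDll. The triage script below is an added example written for this thread, not ComboFix code; it parses the line formats seen in the posted log (an assumption about the format, modelled on those lines only) and SAMPLE_LOG is a constructed excerpt of that log.

```python
"""Triage a ComboFix-style log for persistence and traffic-interception indicators.

Added example for this thread; not ComboFix's own code. The line formats are
modelled on the log posted above. SAMPLE_LOG is a constructed excerpt of it.
"""
import re
from collections import defaultdict

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
DWORD_RE = re.compile(r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-fA-F]{8})$')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*(?P<value>.+)$')
# "S2 name;display name;image path [timestamp size]"  (trailing "[?]" = file missing)
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)(?: \[.*\])?$")
SVC_KEY_RE = re.compile(r"\\Services\\(?P<name>[^\\\]]+)\]$", re.IGNORECASE)
DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>.+)"$')


def parse_combofix(text):
    """Collect the security-relevant facts from the log into one dict."""
    facts = {"proxy": None, "overrides": [], "firewall_enabled": None,
             "open_ports": [], "services": [], "netsvcs": [], "service_dlls": {}}
    section, svc_key, in_netsvcs = "", None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:                      # names listed under "Svchost - NetSvcs"
            if line in ("", "."):
                in_netsvcs = False
            else:
                facts["netsvcs"].append(line)
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if line.startswith("[") and line.endswith("]"):   # registry key header
            section = line
            m = SVC_KEY_RE.search(line)
            svc_key = m.group("name") if m else None
            continue
        if (m := PROXY_RE.match(line)):
            facts["proxy"] = m.group("value")
        elif (m := DWORD_RE.match(line)) and int(m.group("val"), 16) == 1:
            facts["overrides"].append(m.group("key"))
        elif (m := FW_RE.match(line)):
            facts["firewall_enabled"] = m.group("val") != "0"
        elif "GloballyOpenPorts" in section and (m := PORT_RE.match(line)):
            facts["open_ports"].append((m.group("port"), m.group("value").rsplit(":", 1)[-1]))
        elif (m := SERVICE_RE.match(line)):
            facts["services"].append({"name": m.group("name"), "display": m.group("display"),
                                      "image": m.group("image"), "missing": line.endswith("[?]")})
        elif svc_key and (m := DLL_RE.match(line)):
            facts["service_dlls"][svc_key] = m.group("dll")
    return facts


def triage(text):
    """Return (category, detail) findings a responder should review first."""
    f = parse_combofix(text)
    findings = []
    if f["proxy"]:
        host = f["proxy"].split("=")[-1].split(":")[0]
        if host == "localhost" or host.startswith("127."):
            findings.append(("proxy", f"loopback proxy {f['proxy']}: browser traffic is routed through a local process"))
    if f["overrides"]:
        findings.append(("security_center", "Security Center alerts suppressed: " + ", ".join(f["overrides"])))
    if f["firewall_enabled"] is False:
        findings.append(("firewall", "Windows Firewall disabled (EnableFirewall=0)"))
    for port, label in f["open_ports"]:
        findings.append(("open_port", f"{port} opened in firewall policy, labelled {label!r}"))
    by_name = {s["name"] for s in f["services"]}
    dll_users = defaultdict(list)
    for s in f["services"]:
        if s["missing"]:
            findings.append(("missing_driver", f"service {s['name']}: image file not on disk"))
        if "svchost.exe" in s["image"].lower():
            dll = f["service_dlls"].get(s["name"], "(ServiceDll not in log)")
            dll_users[dll].append(s["name"])
            findings.append(("svchost_service", f"{s['name']} ({s['display']!r}) hosted by {s['image']}, ServiceDll {dll}"))
    for name in f["netsvcs"]:            # ComboFix omits legit defaults, so every entry is worth a look
        if name not in by_name:
            findings.append(("netsvc_orphan", f"NetSvcs entry {name} has no service definition in the log"))
    for dll, names in dll_users.items():
        if len(names) > 1:
            findings.append(("shared_dll", f"{dll} is the ServiceDll for {', '.join(names)}"))
    return findings


# Constructed excerpt of the log posted above (values are the thread's own).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5799:TCP"= 5799:TCP:wabvkfq

S1 pnojcrqs;pnojcrqs;\??\c:\windows\system32\drivers\pnojcrqs.sys --> c:\windows\system32\drivers\pnojcrqs.sys [?]
S2 etsphuhvj;Security Universal;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 5:00 AM 14336]
S2 gagbecgy;cjbdflyul;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ioeekn
etsphuhvj
gagbecgy
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etsphuhvj]
"ServiceDll"="c:\windows\system32\kqjulx.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gagbecgy]
"ServiceDll"="c:\windows\system32\kqjulx.dll"
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

On the excerpt this yields nine findings, and the cross-reference between the service list, the NetSvcs group and the ServiceDll keys is what ties the two random-named services to the single DLL that the next post's script collects; a proxy pointing at an external host produces no proxy finding, since only loopback proxies are flagged here.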

#23 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)
Posted 09 August 2010 - 11:03 AM

Hello RetiredChief

Thank you for the log.

that wasn't too complicated to do

You did a good job :thumbup:

ComboFix replaced the file we were looking for previously.

We still have more work to do. We need to run ComboFix again, only this time, we will be running it a slightly different way:


  • Please work through the following steps


  • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
  • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
  • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

    http://forums.whatthetech.com/index.php?showtopic=113665&st=15&start=15
    
    Collect::
    c:\windows\system32\kqjulx.dll
    
    File::
    c:\windows\system32\drivers\pnojcrqs.sys
    
    Folder::
    c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
    
    Driver::
    pnojcrqs
    etsphuhvj
    gagbecgy
    
    NetSvc::
    ioeekn
    fcbaymhx
    wfcmbp
    mrvjgqto
    etsphuhvj
    gagbecgy
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5799:TCP"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etsphuhvj]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gagbecgy]
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
  • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
  • Close any open browsers.
  • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Referring to the picture below, drag CFScript.txt into ComboFix.exe

    (image not available: CFScript.txt being dragged onto ComboFix.exe)

  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • Once the log is produced, re-engage your resident anti virus.
  • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Please post the ComboFix log in your next reply.


#24 RetiredChief (Authentic Member, 111 posts)
Posted 09 August 2010 - 11:07 AM

JonTom, I do not have any resident anti-virus installed on the machine at this time. I removed it prior to contacting this site for help because I was thinking it was the problem. The only thing I have installed and working is windows firewall and it is disabled at this time.

#25 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)
Posted 09 August 2010 - 11:19 AM

Hello RetiredChief

Thanks for letting me know.

Work your way through the steps to run ComboFix. Once the log is produced, save it and then download and install one of the free antivirus programs provided below.


Once you have installed the AV, re-engage your firewall.

Also, please do not surf the web until we have completed the cleaning of your system.

Post the ComboFix log in your next reply. If you encounter any difficulties come back and let me know :)


#26 RetiredChief (Authentic Member, 111 posts)
Posted 09 August 2010 - 11:23 AM

Will Do! I will not get home till about 10:00PM Pacific, I have college but I will run these when I get home. Cheers!

#27 RetiredChief (Authentic Member, 111 posts)
Posted 09 August 2010 - 11:00 PM

JonTom,

I ran the Combofix as directed but did not see any message box open. Here is the log:

ComboFix 10-08-07.02 - HP_Administrator 08/09/2010 21:37:02.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.570 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\retiredchief.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\pnojcrqs.sys"

file zipped: c:\windows\system32\kqjulx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla12.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla2.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla3.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla4.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla5.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla6.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla8.dll
c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseData.ini
c:\windows\system32\kqjulx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ETSPHUHVJ
-------\Legacy_GAGBECGY
-------\Service_etsphuhvj
-------\Service_gagbecgy
-------\Service_pnojcrqs


((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-07 04:26 . 2010-08-07 04:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-05 06:32 . 2010-08-05 06:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-07-27 19:00 . 2010-07-27 19:00 -------- d-----w- c:\program files\BitTorrent
2010-07-20 23:33 . 2010-08-01 18:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BitTorrent
2010-07-18 04:30 . 2010-07-18 07:12 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-17 21:58 . 2010-07-17 21:58 -------- d-----w- C:\6e7560e35cb2dc572507a834e97935
2010-07-17 20:01 . 2010-07-17 20:01 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2010-07-17 20:00 . 2010-07-17 21:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\AskToolbar
2010-07-16 21:43 . 2008-12-18 08:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2010-07-16 21:43 . 2008-06-15 17:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-07-16 21:39 . 2010-07-16 21:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2010-07-16 20:41 . 2010-07-16 20:41 -------- d-----w- c:\program files\Ask.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 04:45 . 2010-04-29 23:20 -------- d-----w- c:\program files\Steam
2010-08-10 04:43 . 2010-01-11 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Renaissance Learning
2010-08-04 00:20 . 2010-07-15 19:08 452104 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-08-02 01:57 . 2010-05-04 00:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2010-07-25 18:38 . 2009-02-22 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-24 01:06 . 2010-07-01 02:10 -------- d-----w- c:\program files\iTunes
2010-07-24 01:06 . 2010-07-01 02:10 -------- d-----w- c:\program files\iPod
2010-07-24 00:22 . 2010-07-29 17:16 1496064 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-24 00:22 . 2010-07-29 17:16 43008 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-24 00:22 . 2010-07-29 17:16 338944 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-24 00:22 . 2010-07-29 17:16 346112 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ehod9kc8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-17 21:59 . 2009-02-04 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 01:44 . 2010-07-01 02:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2010-07-03 00:51 . 2005-11-11 00:42 -------- d-----w- c:\program files\Microsoft.NET
2010-07-01 03:29 . 2010-07-01 03:29 69396 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-01 02:11 . 2010-07-01 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-01 02:10 . 2010-07-01 02:08 -------- d-----w- c:\program files\Common Files\Apple
2010-07-01 02:10 . 2010-07-01 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-01 02:10 . 2006-10-26 00:14 -------- d-----w- c:\program files\QuickTime
2010-07-01 02:09 . 2010-07-01 02:09 -------- d-----w- c:\program files\Apple Software Update
2010-07-01 02:09 . 2010-07-01 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-07-01 02:09 . 2010-07-01 02:09 -------- d-----w- c:\program files\Bonjour
2010-06-23 06:03 . 2010-06-23 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-06-23 04:26 . 2010-06-23 04:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2010-06-16 03:01 . 2010-06-16 03:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-08 01:53 . 2005-11-11 00:30 87984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-30 00:38 . 2005-08-31 12:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-30 00:37 . 2010-05-30 00:37 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-05-30 00:37 . 2010-05-30 00:37 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2010-05-30 00:37 . 2010-05-30 00:37 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2010-05-30 00:37 . 2010-05-30 00:37 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2010-05-30 00:37 . 2010-05-30 00:37 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2010-05-30 00:37 . 2010-05-30 00:37 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2010-05-30 00:37 . 2010-05-30 00:37 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2010-05-30 00:37 . 2010-05-30 00:37 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2010-05-28 14:59 . 2010-04-05 04:48 0 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\prvlcl.dat
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-16 23:35 . 2010-02-16 17:53 50354 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Facebook\uninstall.exe
2006-10-14 04:36 . 2006-10-10 03:45 3445760 --sha-w- c:\program files\ehthumbs.db
2006-03-27 03:58 . 2006-03-27 04:58 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-11 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-10 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Renaissance Wireless Server\\Renaissance Wireless Server.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-07-15 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 03:22]

2010-08-02 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]

2010-08-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 21:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\documents and settings\All Users\Application Data\Renaissance Wireless Server\Renaissance Wireless Server.exe
.
**************************************************************************
.
Completion time: 2010-08-09 21:52:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 04:52
ComboFix2.txt 2010-08-08 18:09

Pre-Run: 157,912,076,288 bytes free
Post-Run: 158,222,110,720 bytes free

- - End Of File - - 3EB5779F472D05257D06A2B16883C977

#28 RetiredChief

    Authentic Member

  • Authentic Member
  • 111 posts

Posted 09 August 2010 - 11:28 PM

JonTom, I loaded Microsoft Security Essentials on the computer and it ran a scan but did not find anything. Cheers!

#29 JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 09 August 2010 - 11:36 PM

Hello RetiredChief

> I ran the Combofix as directed but did not see any message box open.

Thank you for letting me know.

> I loaded Microsoft Security Essentials on the computer and it ran a scan but did not find anything. Cheers!

:thumbup:


  • Please manually upload the following files for analysis


  • The CFScript I asked you to run was designed to upload the malware files on your system for analysis. Unfortunately the upload failed, so I would like you to upload these files manually. Please do the following:
  • Please click on the following LINK. A new window will open.
  • In the box marked "Link to topic where this file was requested:" please paste in the following text:

http://forums.whatthetech.com/index.php?showtopic=113665&st=15&start=15

  • Click the "Browse" button and navigate to C:\Qoobox\Quarantine
  • There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip (the * denotes the Date and Time stamp - it will be close to this: 08/09/2010 21:37:02).
  • Select this file and click "Open".
  • In the Largest box please put:

File Requested By JonTom
Failed Collect::

  • Finally click "SendFile".
  • Please return here and let me know when that file has been uploaded.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#30 RetiredChief

    Authentic Member

  • Authentic Member
  • 111 posts

Posted 10 August 2010 - 05:14 PM

JonTom, the file has been uploaded. Standing by... Chief
