Computer Juice > Computer Software > Virus, Spyware & Security
  #21  
Old 5th Dec 2008, 11:21
Moderator Group
 
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

  #22  
Old 8th Dec 2008, 12:20
Member Group
 
OK evilfantsy, I will run ComboFix on my laptop and let you know what happens. BTW, do you know why the Kaspersky online scanner doesn't work?
  #23  
Old 8th Dec 2008, 12:42
Moderator Group
 
Not sure. Many people have the same problem.

  #24  
Old 8th Dec 2008, 13:06
Member Group
 
BTW, I added your YM to my IM.. hope you would add me =) Once I get home I'll run ComboFix on my laptop and let you know what happens. Uhm, will this also scan the other drive? It was partitioned into two drives, one is the C drive and the other is the D drive.
  #25  
Old 8th Dec 2008, 13:11
Moderator Group
 
I think it will only scan one. We will run another scanner after I see the CF log. I'm mainly wanting to see certain areas of the log. (Yes, we actually look at every line in every log we request.)

I'm not on YM much but will add you.

  #26  
Old 8th Dec 2008, 13:20
Member Group
 
Thanks evilfantsy, you have really been a big help... =)
  #27  
Old 8th Dec 2008, 19:35
Member Group
 
ComboFix 08-12-07.04 - X80le 2008-12-09 10:10:03.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1159 [GMT 8:00]
Running from: c:\users\X80le\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\acovcnt.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 09:40 . 2008-12-09 10:02 318,976 --a------ c:\windows\System32\cmd.execf
2008-12-09 09:16 . 2008-10-17 05:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-09 09:16 . 2008-10-17 04:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-09 09:16 . 2008-10-17 05:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-09 09:16 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-09 09:16 . 2008-10-17 04:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-09 09:16 . 2008-10-17 05:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-09 09:16 . 2008-10-17 05:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-09 09:16 . 2008-10-17 05:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-09 09:16 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-06 00:25 . 2008-12-06 00:25 <DIR> d-------- c:\program files\CCleaner
2008-11-22 11:58 . 2008-11-22 11:58 <DIR> d-------- c:\users\X80le\AppData\Roaming\Malwarebytes
2008-11-22 11:58 . 2008-11-22 11:58 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-22 11:58 . 2008-12-06 00:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-22 11:58 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-22 11:58 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-13 09:56 . 2008-11-13 11:20 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-13 09:55 . 2008-11-13 09:55 <DIR> d-------- C:\nup
2008-11-13 09:51 . 2008-09-05 13:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-13 09:51 . 2008-08-27 09:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 09:50 . 2008-09-10 11:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 16:18 . 2008-11-11 16:18 <DIR> d-------- c:\program files\AVG
2008-11-10 01:02 . 2008-11-10 01:02 <DIR> d--h----- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 01:31 --------- d-----w c:\programdata\Symantec
2008-11-22 18:07 --------- d-----w c:\users\X80le\AppData\Roaming\CyberLink
2008-11-13 03:29 --------- d-----w c:\programdata\Microsoft Help
2008-11-11 08:32 --------- d-----w c:\programdata\avg8
2008-11-01 02:11 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-01 02:11 --------- d-----w c:\users\X80le\AppData\Roaming\Canon
2008-11-01 01:47 --------- d-----w c:\programdata\ZoomBrowser
2008-11-01 01:47 --------- d-----w c:\program files\Canon
2008-11-01 01:45 --------- d-----w c:\program files\Common Files\Canon
2008-10-29 02:46 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-15 02:00 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-15 02:00 --------- d-----w c:\program files\iTunes
2008-10-15 01:59 --------- d-----w c:\program files\iPod
2008-10-02 19:49 19,778 ----a-w c:\windows\E220AutoRunLog.tmp
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-09-08 03:06 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-09-08 03:06 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-09-08 03:06 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 08:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Google Update"="c:\users\X80le\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-27 32560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
--a------ 2007-08-23 20:34 152952 c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-03-18 08:59 2289664 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2573AF6E-4420-460D-B360-47E6FFDFB35A}"= c:\program files\ASUSTek\ASUSDVD\PowerDVD.EXE:CyberLink PowerDVD
"{1A063077-ABC5-43E9-98FC-D09DFDB73C4E}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C910D8D9-91DC-49D2-9BAA-6E4029495793}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{26A2DECA-A4B6-49F3-8060-4070E543505A}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3E7312D1-5E0F-44BD-85FE-28C0F0C2EA2F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A4988C1A-0A82-4B48-BD6E-F8A6D44F588C}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{CD143528-E032-4B6C-9493-32BC83551EFA}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{F07D88BB-0FE5-444E-83E9-31DCD7DC787E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{33DE57E4-57F4-4CB4-A9A5-F15ADF37EBE2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{51308F0D-4B2A-4620-A12A-0D8D43A40ACA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B4DC49C8-02CE-43D4-ADB8-6246E348DC80}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FD3A1F1E-DAEF-4799-950F-CEE6813C5F41}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{926071A3-257A-44E0-B009-3073F4BA73E7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8E3D35D-BFBD-4111-89E0-8BE5F3C72EB7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{1C8CB5FC-4EB4-4322-9963-DDFE8469D29A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5AE2D551-9A5B-42DC-AA03-A48D083873E6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081204.001\IDSvix86.sys [2008-12-09 270384]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-01-25 39080]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f48810a-8fd8-11dd-9d30-001fc6eaceab}]
\shell\Auto\command - setup.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{722d419a-9087-11dd-b29b-001fc6eaceab}]
\shell\AutoRun\command - EXPLORER.EXE
\shell\explore\Command - EXPLORER.EXE
\shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab16ca8b-8f50-11dd-af85-001fc6eaceab}]
\shell\Auto\command - F:\Recycled/dllcache32.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycled/dllcache32.exe
\shell\explore\Command - F:\Recycled/dllcache32.exe
\shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0a75932-74a7-11dd-aa0a-001fc6eaceab}]
\shell\AutoRun\command - f:\found.000\USB_Files.chk
\shell\Explore\command - f:\found.000\USB_Files.chk
\shell\Open\command - f:\found.000\USB_Files.chk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a7a-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a85-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\X80le\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 10:34]

2008-11-10 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - X80le.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:18]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\users\X80le\AppData\Roaming\Mozilla\Firefox\Profiles\7tdoti5o.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\X80le\AppData\Local\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 10:29:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\ADSM_PData_0150

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-09 10:32:15
ComboFix-quarantined-files.txt 2008-12-09 02:32:12

Pre-Run: 47,480,995,840 bytes free
Post-Run: 47,408,295,936 bytes free

200 --- E O F --- 2008-12-09 01:55:23
  #28  
Old 8th Dec 2008, 19:55
Moderator Group
 
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{722d419a-9087-11dd-b29b-001fc6eaceab}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab16ca8b-8f50-11dd-af85-001fc6eaceab}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0a75932-74a7-11dd-aa0a-001fc6eaceab}]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
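The CFScript above removes three MountPoints2 keys from the posted log, and the reason is visible in the commands those keys carry. As an added example (not from this thread, from ComboFix or from its author), the Python helper below parses the MountPoints2 section of a ComboFix log and applies three heuristics to each key: the launched program lives in a drive's Recycled folder, it is a bare filename resolved through the search path, or it is not a program at all. The sample input is copied from the posted log; the heuristics and the rundll32 unwrapping are the example's own, and whether a flagged key is actually deleted remains the analyst's call.

```python
import re

# Sample input copied from the ComboFix log posted earlier in this thread
# (only the MountPoints2 lines the triage below needs).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\VMC_PBStarter.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f48810a-8fd8-11dd-9d30-001fc6eaceab}]
\shell\Auto\command - setup.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{722d419a-9087-11dd-b29b-001fc6eaceab}]
\shell\AutoRun\command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab16ca8b-8f50-11dd-af85-001fc6eaceab}]
\shell\Auto\command - F:\Recycled/dllcache32.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0a75932-74a7-11dd-aa0a-001fc6eaceab}]
\shell\AutoRun\command - f:\found.000\USB_Files.chk
"""

# The two line shapes ComboFix prints in this section: a key header and a verb/command pair.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
CMD_RE = re.compile(r"^\\shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)

def parse_mountpoints(text):
    """Group '\\shell\\<verb>\\command - <cmd>' lines under their MountPoints2 key."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = entries.setdefault(m.group(1), {})
        elif (m := CMD_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return entries

def launched_target(cmd):
    """The program an autorun command really starts: unwrap the rundll32 ShellExec_RunDLL trampoline."""
    m = re.search(r"ShellExec_RunDLL\s+(.+)$", cmd, re.I)
    return (m.group(1) if m else cmd).strip()

def reasons(commands):
    """Heuristic reasons a mount point deserves a look; an empty list means unremarkable."""
    out = []
    for verb, cmd in commands.items():
        tgt = launched_target(cmd)
        low = tgt.lower().replace("/", "\\")
        if "\\recycled\\" in low or "\\recycler\\" in low:
            out.append(f"{verb}: launches from a Recycled folder ({tgt})")
        elif "\\" not in low and ":" not in low:
            out.append(f"{verb}: bare filename resolved via the search path ({tgt})")
        elif not low.endswith((".exe", ".com", ".bat", ".cmd", ".scr")):
            out.append(f"{verb}: target is not a program ({tgt})")
    return out

def triage(text):
    """Map each MountPoints2 key with at least one finding to its list of reasons."""
    return {key: r for key, cmds in parse_mountpoints(text).items() if (r := reasons(cmds))}
```

On the sample, the bare-filename rule also flags the setup.exe entry that the CFScript leaves alone, which is the kind of judgement the helper deliberately does not make for you.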

  #29  
Old 9th Dec 2008, 09:40
Member Group
 
Hi evilfantsy... I forgot to inform you that I had a hard time running ComboFix. It took like 5 minutes before ComboFix initialized, and I had to download it twice (1st link and second link). Thinking that both ComboFix downloads were not working, what I did is I deleted them (both downloads), but after I deleted the second download it ran by itself. Could I just download it again and then follow your instructions above? Or do I need to run ComboFix (new download) before I follow the instructions above? Or just restore the deleted ComboFix from the recycle bin?
  #30  
Old 9th Dec 2008, 10:43
Moderator Group
 
You can download a new copy then just drag the CFScript into it.

Copyright ©2006 - 2009 Computer Juice.
